Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IE opens by itself


  • This topic is locked This topic is locked
56 replies to this topic

#1 hippiechld

hippiechld

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 01 March 2010 - 10:26 PM

My IE opens up by itself. Usually 5 or 6 new windows just pop open. Most of them are blank, but once in a while one will have a website like spcgame.com. I have already tried adaware and spyhunter. Both of those programs tell me I am fine; however, that is obviously not the case.
I am posting my HijackThis log as well as the gmer file. I cannot post the dds files because that program did not work for me. It opened the black dos-looking screen that ends with 'Dispose after use.' And that was it. Nothing else happened or appeared. No log files were genereted for me to save.
I hope this is enough information to give ya'll a start...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:30 PM, on 3/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\AOL\1111623246\ee\AOLSoftware.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_server.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Consumer Input\dca-ua.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://portal.wgu.edu/cp/home/displaylogin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {96b985b7-3cf9-456a-9db6-791710e60f5f} - C:\Program Files\MyPoints Toolbar 2.0\Helper.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Watch for Browser Events - {42A7CE31-CEE7-4CCE-A060-A44A7E52E062} - C:\PROGRA~1\KEYBOA~1\kie.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: FCTBPos00Pos - {614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A} - C:\Program Files\MyPoints Toolbar 2.0\Toolbar.dll
O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Consumer Input\dca-bho.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MyPoints Toolbar 2.0 - {89A2510A-B4B6-4683-BEC9-1B96700BC7F1} - C:\Program Files\MyPoints Toolbar 2.0\Toolbar.dll
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1111623246\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [mm_server] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_server.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Consumer Input Update] C:\Program Files\Consumer Input\dca-ua.exe
O4 - HKCU\..\Run: [MyWGU Messenger] C:\Program Files\MyWGU Messenger\MyWGU-Messenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/westerngovernor...s/ebraryRdr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games Matchmaking) - http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Slingo Quest\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v47/skillgam/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} (MoneyList Control) - http://www.worldwinner.com/games/v45/moneylist/moneylist.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194540788234
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {A021A215-6CDC-44B4-8C16-90491CED9605} (Clue Control) - http://www.worldwinner.com/games/v68/clue/clue.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
O16 - DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} (Monopoly Control) - http://www.worldwinner.com/games/v46/monopoly/monopoly.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.39.9/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} (MysteryPI Control) - http://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Slingo Quest\Images\armhelper.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v49/famil.../familyfeud.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 13240 bytes


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-01 21:16:10
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\REBECC~1\LOCALS~1\Temp\ufldrpog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF765787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7657BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
AttachedDevice \Driver\Tcpip \Device\RawIp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


If anyone call help me stop these annoying ie windows it would be greatly appreciated!
Thank you!

BC AdBot (Login to Remove)

 


#2 hippiechld

hippiechld
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 03 March 2010 - 02:24 PM

Thank you very much for your help, but I think I fixed it finally!
Just wanted to let ya'll know so somebody isn't wasting time trying to figure it out.
Thanks again!

#3 hippiechld

hippiechld
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 03 March 2010 - 10:11 PM

Apparently I was wrong! I just had 6 new ie windows open up on me sad.gif
So... anyone have any ideas????
Thanks!


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the Malware Response Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 05 March 2010 - 08:05 AM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 06 March 2010 - 07:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Posted Image
m0le is a proud member of UNITE

#5 hippiechld

hippiechld
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 06 March 2010 - 10:04 PM

m0le,

I downloaded both dds programs, disabled everything, and unplugged my modem and neither of the dds programs provided me with a log. I could tell something was running because I could see that a new process started and then closed, but there was no log at the end. No notepad. Just nothing.

DeFogger did NOT ask me to reboot, so I just did it on my own.

Finally, here is my gmer.log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-06 20:37:46
Windows 5.1.2600 Service Pack 3
Running: pknkjjwx.exe; Driver: C:\DOCUME~1\REBECC~1\LOCALS~1\Temp\ufldrpog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
AttachedDevice \Driver\Tcpip \Device\RawIp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)

---- EOF - GMER 1.0.15 ----

I hope something in here is useful to you!
Thanks!
Rebecca

PS - I apologize for my other posts. I honestly was not trying to "bump" my post. I really never even thought of that. I sincerely thought I had fixed the problem after installing MalwareBytes and Security Essentials. I have read other places that ya'll like to know when a problem is fixed, so... I posted it. Then, when I realized it wasn't actually fixed... I didn't want ya'll to think it was fixed, so I posted again. Anyway, I am very sorry and I just wanted to say that 'bumping' was never my intent!!!!

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 07 March 2010 - 04:22 PM

Don't worry about the bump warning. We are just telling you in a friendly way that you could get missed if you bump your topic.

DDS not running is unusual and Gmer shows a clean log.

Please run MBAM, it will find any adware or spyware as a start point.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#7 hippiechld

hippiechld
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 08 March 2010 - 03:52 PM

m0le,

I downloaded and ran the Malware bytes program. It said everything is okay. Not sure whether you need it or not, but here is the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3838
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/8/2010 2:49:32 PM
mbam-log-2010-03-08 (14-49-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 297675
Time elapsed: 1 hour(s), 42 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Any other ideas??
Thank you!
Rebecca

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 08 March 2010 - 04:45 PM

Let's try an online scan...but it looks like a clean PC.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Posted Image
m0le is a proud member of UNITE

#9 hippiechld

hippiechld
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 10 March 2010 - 08:34 AM

m0le,

Yippee!! Finally found something!
Here is the log from Dr. Web:

aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpkw_setupSTUS\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpkw_setupSTUS\comps\coach;Archive contains infected objects;Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Common Files\aolback\Comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;C:\Program Files\Common Files\aolback\Comps\coach;Archive contains infected objects;Moved.;
GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
GPiShared.dll;C:\Program Files\GoldPocket;Trojan.MulDrop.origin;Incurable.Moved.;
GXContentManager.dll;C:\Program Files\GoldPocket;Trojan.MulDrop.origin;Incurable.Moved.;
A0138272.ocx;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2131;Adware.Coupons;Incurable.Moved.;
A0138436.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2142\A0138436.exe;Adware.Gdown;;
A0138436.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2142;Archive contains infected objects;Moved.;
A0138437.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2142\A0138437.exe;Adware.Gdown;;
A0138437.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2142;Archive contains infected objects;Moved.;
A0138438.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2142;Trojan.MulDrop.origin;Incurable.Moved.;
A0138439.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2142;Trojan.MulDrop.origin;Incurable.Moved.;

I am not sure what was cured and/or moved, but I still have the same problem. I hope something up there makes some sense to you...
Thanks!
Rebecca

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 10 March 2010 - 06:32 PM

Adware mainly. Some of it is sitting in dormant areas and we should kill this off now.

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

This could also be Clear Recent History or similar

Then close Firefox and then reopen it.


Then

To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.

I'd like to try Superantispyware for a second run at the PC

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

When you have posted that please let me know if the IE problem is still there. smile.gif
Posted Image
m0le is a proud member of UNITE

#11 hippiechld

hippiechld
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 11 March 2010 - 12:22 AM

m0le,

I'm extremely happy that the Super program actually found something! Unfortunately, I still have the same problem. If it helps any, it seems to be exactly 5 new ie windows about every 30 minutes.
Anyway, here is the scan log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/10/2010 at 09:33 PM

Application Version : 4.34.1000

Core Rules Database Version : 4660
Trace Rules Database Version: 2472

Scan type : Complete Scan
Total Scan Time : 02:31:51

Memory items scanned : 582
Memory threats detected : 0
Registry items scanned : 7136
Registry threats detected : 61
File items scanned : 126571
File threats detected : 2

Adware.HBHelper
HKLM\Software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32#ThreadingModel
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID
HKCR\URLSearchHook.ToolbarURLSearchHook.1
HKCR\URLSearchHook.ToolbarURLSearchHook.1\CLSID
HKCR\URLSearchHook.ToolbarURLSearchHook
HKCR\URLSearchHook.ToolbarURLSearchHook\CLSID
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR
C:\PROGRAM FILES\FAST BROWSER SEARCH\IE\TBHELPER.DLL

Trojan.NewDotNet
HKU\.DEFAULT\Software\New.net
HKU\S-1-5-18\Software\New.net

Browser Hijacker.Deskbar
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version
HKCR\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}
HKCR\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\ProxyStubClsid
HKCR\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\ProxyStubClsid32
HKCR\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\TypeLib
HKCR\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\TypeLib#Version
HKCR\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}
HKCR\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\ProxyStubClsid
HKCR\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\ProxyStubClsid32
HKCR\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\TypeLib
HKCR\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\TypeLib#Version
HKCR\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}
HKCR\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\ProxyStubClsid
HKCR\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\ProxyStubClsid32
HKCR\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib
HKCR\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib#Version

Malware.VirusProtect
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\aiczfraxpdg
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\InprocServer32
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\InprocServer32#ThreadingModel
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\ipmSdvzjvY
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\JxwnbGPTyuO
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\lonq
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\ProgID
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\Programmable
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\Pucj
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\tlQlSghrzPbbq
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\TypeLib
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\uqnliwayuhs
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\VersionIndependentProgID
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\zYsatxDocEQz

Adware.Tracking Cookie
C:\Documents and Settings\Mallory\Cookies\mallory@atwola[2].txt


Thank you!
Rebecca

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 11 March 2010 - 04:51 PM

This appears to be a new infection, one of my colleagues is also helping someone with the IE window opening.

Please run Combofix to see if anything else is present.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#13 hippiechld

hippiechld
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 15 March 2010 - 08:34 PM

m0le,

Wow! Short scan and mega-long report. Hope you're ready for this one....

ComboFix 10-03-15.04 - Rebecca Ross 03/15/2010 20:03:40.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.588 [GMT -5:00]
Running from: c:\documents and settings\Rebecca Ross\Desktop\comfix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\basis_br.xml
c:\program files\Fast Browser Search\IE\basis_de.xml
c:\program files\Fast Browser Search\IE\basis_en.xml
c:\program files\Fast Browser Search\IE\basis_es.xml
c:\program files\Fast Browser Search\IE\basis_fr.xml
c:\program files\Fast Browser Search\IE\basis_it.xml
c:\program files\Fast Browser Search\IE\basis_nr.xml
c:\program files\Fast Browser Search\IE\basis_pt.xml
c:\program files\Fast Browser Search\IE\basis_ru.xml
c:\program files\Fast Browser Search\IE\basis_tr.xml
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\program files\Fast Browser Search\IE\FBStoolbar.dll
c:\program files\Fast Browser Search\IE\fbstoolbar.jar
c:\program files\Fast Browser Search\IE\fbstoolbar.manifest
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\logobg.bmp
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\search_br.bmp
c:\program files\Fast Browser Search\IE\search_de.bmp
c:\program files\Fast Browser Search\IE\search_es.bmp
c:\program files\Fast Browser Search\IE\search_fr.bmp
c:\program files\Fast Browser Search\IE\search_it.bmp
c:\program files\Fast Browser Search\IE\search_pt.bmp
c:\program files\Fast Browser Search\IE\search_ru.bmp
c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\Search Guard Plus
c:\program files\Search Guard Plus\fbsProtection.xml
c:\program files\Search Guard Plus\fbsSearchProvider.xml
c:\program files\Search Guard Plus\FbsSearchProviderIE8.exe
c:\program files\Search Guard Plus\SearchGuardPlus.exe
c:\program files\Search Guard Plus\SearchGuardPlus.ico
c:\program files\Search Guard Plus\uninstalSGP.exe
c:\program files\Search Guard PlusU
c:\program files\Search Guard PlusU\SGPU.ico
c:\program files\Search Guard PlusU\sgpUpdater.exe
c:\program files\Search Guard PlusU\sgpUpdater.xml
c:\program files\Search Guard PlusU\sgpUpdaters.exe
c:\program files\Search Guard PlusU\uninstalSGPU.exe
c:\program files\SGPSA
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\patch.exe
c:\windows\system32\BSTIeprintctl1.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
.

2010-03-16 00:12 . 2010-03-16 00:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Feboz
2010-03-15 23:00 . 2010-03-15 23:00 -------- d-----w- c:\documents and settings\Rebecca Ross\Local Settings\Application Data\Conduit
2010-03-15 23:00 . 2010-03-15 23:01 -------- d-----w- c:\documents and settings\Rebecca Ross\Local Settings\Application Data\Feboz
2010-03-15 23:00 . 2010-03-15 23:00 -------- d-----w- c:\program files\Conduit
2010-03-15 23:00 . 2010-03-15 23:00 -------- d-----w- c:\program files\Feboz
2010-03-11 00:56 . 2010-03-11 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-11 00:56 . 2010-03-11 00:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-11 00:56 . 2010-03-11 00:56 -------- d-----w- c:\documents and settings\Rebecca Ross\Application Data\SUPERAntiSpyware.com
2010-03-11 00:55 . 2010-03-11 00:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-11 00:17 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 13:35 . 2010-03-10 13:35 -------- d--h--w- c:\windows\PIF
2010-03-09 17:18 . 2010-03-09 18:25 -------- d-----w- c:\documents and settings\Rebecca Ross\DoctorWeb
2010-03-09 17:12 . 2010-03-09 17:12 -------- d-sh--w- c:\documents and settings\Dave Ross\IETldCache
2010-03-03 16:15 . 2010-03-03 16:15 -------- d-----w- c:\documents and settings\Rebecca Ross\Application Data\Malwarebytes
2010-03-03 16:15 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 16:15 . 2010-03-03 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-03 16:15 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-03 16:15 . 2010-03-08 18:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 02:07 . 2010-02-24 15:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-03 02:04 . 2010-03-03 02:04 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-28 13:44 . 2010-02-28 13:44 -------- d-----w- c:\program files\Trend Micro
2010-02-28 03:41 . 2010-02-28 02:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-28 02:55 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-28 02:55 . 2010-02-28 02:55 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-28 02:51 . 2010-02-28 02:51 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-27 05:00 . 2010-02-27 05:00 -------- d-----w- c:\program files\Oberon Media
2010-02-27 05:00 . 2010-02-27 05:00 -------- d-----w- c:\program files\MSN Games
2010-02-26 14:06 . 2010-02-26 14:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Viewpoint
2010-02-25 21:20 . 2010-02-25 21:20 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-02-25 20:48 . 2010-02-25 20:48 -------- d-----w- c:\program files\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-11 00:57 . 2010-03-11 00:57 52224 ----a-w- c:\documents and settings\Rebecca Ross\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-11 00:57 . 2010-03-11 00:57 117760 ----a-w- c:\documents and settings\Rebecca Ross\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-10 01:22 . 2005-09-17 23:11 -------- d-----w- c:\program files\GoldPocket
2010-02-28 02:54 . 2010-02-28 02:54 961984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-28 02:54 . 2010-02-28 02:54 835312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-28 02:54 . 2010-02-28 02:54 842992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-28 02:54 . 2010-02-28 02:54 1593320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-28 02:54 . 2010-02-28 02:54 815184 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-28 02:54 . 2010-02-28 02:54 1229232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-28 02:51 . 2004-11-03 18:36 -------- d-----w- c:\program files\Lavasoft
2010-02-28 02:44 . 2007-11-15 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-27 06:09 . 2007-11-13 22:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-27 00:42 . 2005-03-24 00:13 -------- d-----w- c:\program files\America Online 9.0a
2010-02-17 15:18 . 2004-12-16 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-02-06 04:43 . 2004-07-22 00:59 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-04 15:53 . 2010-02-28 02:51 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-01-27 18:18 . 2004-07-15 06:39 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 18:18 . 2010-01-27 18:18 503808 ----a-w- c:\documents and settings\Rebecca Ross\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-14925568-n\msvcp71.dll
2010-01-27 18:18 . 2010-01-27 18:18 499712 ----a-w- c:\documents and settings\Rebecca Ross\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-14925568-n\jmc.dll
2010-01-27 18:18 . 2010-01-27 18:18 348160 ----a-w- c:\documents and settings\Rebecca Ross\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-14925568-n\msvcr71.dll
2010-01-27 18:18 . 2010-01-27 18:18 61440 ----a-w- c:\documents and settings\Rebecca Ross\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-15bbe4bc-n\decora-sse.dll
2010-01-27 18:18 . 2010-01-27 18:18 12800 ----a-w- c:\documents and settings\Rebecca Ross\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-15bbe4bc-n\decora-d3d.dll
2010-01-27 18:18 . 2004-07-15 06:39 -------- d-----w- c:\program files\Java
2010-01-20 13:56 . 2010-01-20 13:56 -------- d-----w- c:\program files\UserTesting.com
2010-01-20 13:56 . 2010-01-20 13:56 -------- d-----w- c:\documents and settings\Rebecca Ross\Application Data\TestingRecorder
2009-12-31 16:50 . 2002-08-29 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-12-07 22:37 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 23:14 . 2008-12-08 13:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-17 06:09 . 2010-02-17 15:18 49241 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\sb_BunkerHill.dll
2009-12-16 18:43 . 2002-08-29 10:00 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-16 13:07 . 2010-02-17 15:18 136528 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4482\Vercopy.exe
2005-08-23 22:11 . 2005-08-23 22:11 1446 ----a-w- c:\program files\uninstal.log
2004-07-20 05:22 . 2004-07-20 05:22 5473872 ----a-w- c:\program files\msjavx86_3805.exe
2004-07-20 00:29 . 2004-07-20 00:29 3045664 ----a-w- c:\program files\keyex3.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{96b985b7-3cf9-456a-9db6-791710e60f5f}"= "c:\program files\MyPoints Toolbar 2.0\Helper.dll" [2009-08-07 201216]
"{f2257711-226b-4529-8e1d-e82e1c55ebd8}"= "c:\program files\Feboz\tbFebo.dll" [2010-03-09 2355224]

[HKEY_CLASSES_ROOT\clsid\{96b985b7-3cf9-456a-9db6-791710e60f5f}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{9FEBEA6D-4801-4D23-97E7-A771B698E442}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_CLASSES_ROOT\clsid\{f2257711-226b-4529-8e1d-e82e1c55ebd8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
2009-08-07 23:55 1358848 ----a-w- c:\program files\MyPoints Toolbar 2.0\Toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2257711-226b-4529-8e1d-e82e1c55ebd8}]
2010-03-09 16:06 2355224 ----a-w- c:\program files\Feboz\tbFebo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-08-07 1358848]
"{f2257711-226b-4529-8e1d-e82e1c55ebd8}"= "c:\program files\Feboz\tbFebo.dll" [2010-03-09 2355224]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{f2257711-226b-4529-8e1d-e82e1c55ebd8}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-08-07 1358848]
"{F2257711-226B-4529-8E1D-E82E1C55EBD8}"= "c:\program files\Feboz\tbFebo.dll" [2010-03-09 2355224]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{f2257711-226b-4529-8e1d-e82e1c55ebd8}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-08 67128]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]
"Consumer Input Update"="c:\program files\Consumer Input\dca-ua.exe" [2009-03-17 96136]
"MyWGU Messenger"="c:\program files\MyWGU Messenger\MyWGU-Messenger.exe" [2007-11-30 172544]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-10-07 294912]
"HostManager"="c:\program files\Common Files\AOL\1111623246\ee\AOLSoftware.exe" [2008-06-24 41824]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"MegaPanel"="c:\program files\ACNielsen\Homescan Internet Transporter\HSTrans.exe" [2006-02-24 2056192]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2005-04-12 230592]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"NielsenOnline"="c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2008-10-31 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"mm_server"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_server.exe" [2005-03-15 86016]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-7 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-1-13 805392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\MsgPlusLoader.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rebecca Ross^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\Rebecca Ross\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 13:59 126976 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 13:59 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2005-03-15 13:58 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-07-19 23:41 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Black Isle\\Baldur's Gate\\BGMain.exe"=
"c:\\Program Files\\Common Files\\AOL\\1111623246\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\America Online 9.0a\\aol.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\1111623246\\EE\\aolsoftware.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2/27/2010 9:55 PM 64288]
R1 nnrnstdi;nnrnstdi;c:\windows\SYSTEM32\DRIVERS\nnrnstdi.sys [5/15/2009 9:40 AM 15360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R3 km_filter;km_filter;c:\windows\SYSTEM32\DRIVERS\km_filter.sys [5/15/2009 9:40 AM 9088]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1229232]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 SMALUSB;Digital Camera Driver;c:\windows\SYSTEM32\DRIVERS\smalidt.sys [8/4/2004 9:39 AM 9216]
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:54]

2010-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]

2010-03-15 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-15 22:26]
.
.
------- Supplementary Scan -------
.
uStart Page = https://portal.wgu.edu/cp/home/displaylogin
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} - hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{0F40FDCA-4A4B-3726-88B9-A68D42972DDC} - (no file)
MSConfigStartUp-ashMaiSv - c:\progra~1\ALWILS~1\Avast4\ashmaisv.exe
MSConfigStartUp-E6TaskPanel - c:\program files\EarthLink TotalAccess\TaskPanl.exe
MSConfigStartUp-lite itch body pure - c:\documents and settings\All Users\Application Data\StyleOnlineLiteItch\graminfo.exe
MSConfigStartUp-Meet Dart Beep Mfcd - c:\documents and settings\All Users\Application Data\peakoncemeetdart\CompLoud.exe
MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
MSConfigStartUp-WmaFour - c:\docume~1\REBECC~1\APPLIC~1\RDRABO~1\Amen stop.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
AddRemove-Dell Photo Printer 720 - c:\windows\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE
AddRemove-__KITTY_LUV___is1 - c:\program files\Kitty Luv\unins000.exe
AddRemove-GoToMeeting - c:\program files\Citrix\GoToMeeting\127\G2MInstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-15 20:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3676)
c:\windows\system32\WININET.dll
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\wanmpsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\notepad.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2010-03-15 20:27:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-16 01:27

Pre-Run: 4,553,187,328 bytes free
Post-Run: 4,814,176,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - BD1D60C7CAF22B12CF7B59022D845086


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:18 PM

Posted 15 March 2010 - 08:48 PM

That is much better.

Are you still getting IE windows opening?
Posted Image
m0le is a proud member of UNITE

#15 hippiechld

hippiechld
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 15 March 2010 - 09:47 PM

m0le,
Yes. But I think my keyboard might be better smile.gif I was about to go out and buy a new one because it kept missing letters here and there, but it doesn't seem to be doing that any more. It never occurred to me it might be connected to whatever is/was going on. Anyway... yes, I still have ie windows popping up.
Thank you!
Rebecca




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users