

Post Antispyware removal and general Google Redirect problems


  • This topic is locked
9 replies to this topic

#1 collinstevens

  • Members
  • 18 posts
  • Gender:Male
  • Location:New Orleans, LA

Posted 26 May 2010 - 12:51 PM

I recently discovered Antispyware Soft on my computer, and after some fiddling around managed to download (it wasn't blocking my internet access) Malwarebytes and remove the problem... Or so I thought. It didn't remove all parts of Antispyware Soft, so I found some instructions for removing parts manually that were not dumped by Spybot Search and Destroy, AVG or Malwarebytes. I dumped them. Since removing the program, which I did after running in Safe Mode, my volume icon has disappeared from the task bar and I don't have the option of putting it back on through Sound in the Control Panel; also, my computer no longer has XP as an appearance option. In addition to all this, my browser (Firefox) has started to redirect me from the Google search results page and on occasion from any opened page. If these were the only problems it would be bad enough, but it seems like the whole comp is running wonky now. I was able to run a DDS log as instructed, but every time I start to run a scan with GMER it freezes or restarts my computer. I got through a whole scan last night, but when I went to save it the whole computer froze. I've also tried running GMER in Safe Mode, if that makes any difference. I hope I've given an adequate description of the troubles I'm having; please let me know if I can supply any more info, and thanks in advance for any and all help.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Will at 2:44:57.32 on Wed 05/26/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.138 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Will\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
uURLSearchHooks: eMusic Toolbar: {9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\emusic\tbeMu1.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: eMusic Toolbar: {9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\emusic\tbeMu1.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4f



#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 May 2010 - 03:41 PM

Hello collinstevens,



Thanks for describing your problem. It helps. GMER can be quirky, so don't worry about it. If we really need a log, we'll get it to run.

Looks like the DDS log got cut off. Also your AVG is way out of date. You'll need to update to the latest version.

Please disable TeaTimer for the duration of this thread. It will interfere with the changes we need to make and cause general chaos.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to collinstevens.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 collinstevens
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:New Orleans, LA

Posted 27 May 2010 - 03:20 AM

I believe I disabled AVG. I didn't update it like you recommended because I wasn't sure if I should wait till this is all said and done or if you wanted me to do it right away. I was also hoping you could give me some insight into a couple of programs I have on my computer and whether or not they should be dumped. I noticed that something, which I couldn't exactly decipher, kept coming up in various scans about E-Music. Is this a vulnerable program? If so, can I somehow secure it, or should I just dump it? If this is all too much to ask, please let me know and we'll just stick with the problem at hand. Thank you again for all your help.

Combofix log below

ComboFix 10-05-26.03 - Will 05/27/2010 2:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.497 [GMT -5:00]
Running from: c:\documents and settings\Will\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-27 to 2010-05-27 )))))))))))))))))))))))))))))))
.

2010-05-26 07:00 . 2010-05-26 07:00 -------- d-----w- c:\documents and settings\william\Local Settings\Application Data\IsolatedStorage
2010-05-26 07:00 . 2010-05-26 07:00 -------- d-----w- c:\documents and settings\william\Local Settings\Application Data\HP
2010-05-26 07:00 . 2010-05-26 07:00 69232 ----a-w- c:\documents and settings\william\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 06:59 . 2010-05-26 06:59 130 ----a-w- c:\documents and settings\william\Local Settings\Application Data\fusioncache.dat
2010-05-26 06:59 . 2010-05-26 07:00 -------- d-----w- c:\documents and settings\william\Local Settings\Application Data\ApplicationHistory
2010-05-26 04:48 . 2010-05-26 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-26 04:48 . 2010-05-26 04:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-26 02:09 . 2010-05-26 02:09 -------- d-----w- c:\program files\Trend Micro
2010-05-26 01:50 . 2010-05-26 01:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-26 01:28 . 2009-11-10 15:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-26 01:28 . 2009-11-10 15:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-26 01:28 . 2009-11-10 15:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-26 01:28 . 2009-11-10 15:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-05-26 01:28 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
2010-05-26 01:28 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2010-05-26 01:27 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-26 01:27 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-26 01:27 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-26 01:26 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-26 01:26 . 2010-05-26 01:54 -------- d-----w- c:\program files\Spyware Doctor
2010-05-26 01:26 . 2010-05-26 01:28 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-26 01:26 . 2010-05-26 01:26 -------- d-----w- c:\documents and settings\Will\Application Data\PC Tools
2010-05-26 01:26 . 2010-05-26 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-05-26 00:57 . 2010-05-26 00:57 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-26 00:48 . 2008-09-24 15:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2010-05-26 00:48 . 2006-10-18 07:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2010-05-26 00:48 . 2006-12-08 20:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2010-05-26 00:45 . 2010-05-26 00:45 -------- d-----w- c:\program files\Realtek AC97
2010-05-26 00:45 . 2006-07-31 16:27 217088 ----a-w- c:\windows\alcrmv.exe
2010-05-26 00:45 . 2006-07-31 16:19 315392 ----a-w- c:\windows\alcupd.exe
2010-05-25 22:30 . 2010-05-25 22:30 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-25 22:29 . 2010-05-25 22:29 -------- d-----w- c:\documents and settings\Will\Local Settings\Application Data\viquyryld
2010-05-25 05:52 . 2010-05-25 05:52 -------- d-----w- c:\documents and settings\Will\Application Data\Malwarebytes
2010-05-25 05:47 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 05:47 . 2010-05-25 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-25 05:47 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-25 05:47 . 2010-05-25 22:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 02:26 . 2010-05-24 02:26 503808 ----a-w- c:\documents and settings\Will\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-799efacf-n\msvcp71.dll
2010-05-24 02:26 . 2010-05-24 02:26 499712 ----a-w- c:\documents and settings\Will\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-799efacf-n\jmc.dll
2010-05-24 02:26 . 2010-05-24 02:26 348160 ----a-w- c:\documents and settings\Will\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-799efacf-n\msvcr71.dll
2010-05-24 02:26 . 2010-05-24 02:26 61440 ----a-w- c:\documents and settings\Will\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5299a9b4-n\decora-sse.dll
2010-05-24 02:26 . 2010-05-24 02:26 12800 ----a-w- c:\documents and settings\Will\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5299a9b4-n\decora-d3d.dll
2010-05-22 06:00 . 2010-05-22 06:00 137216 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\shared\fmod.dll
2010-05-22 06:00 . 2010-05-22 06:00 532480 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\bejeweled\bejeweled.dll
2010-05-22 06:00 . 2010-05-22 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner
2010-05-22 06:00 . 2010-05-22 06:00 -------- d-----w- c:\program files\WorldWinner.com, Inc
2010-05-22 06:00 . 2010-05-22 06:00 -------- d-----w- c:\documents and settings\Will\Application Data\Worldwinner
2010-05-19 08:48 . 2010-05-19 08:48 -------- d-----w- c:\program files\Alarm Clock
2010-05-15 06:39 . 2010-05-25 22:29 -------- d-----w- c:\documents and settings\Will\Application Data\gtk-2.0
2010-05-15 06:39 . 2010-05-15 06:39 -------- d-----w- c:\documents and settings\Will\.thumbnails
2010-05-15 06:38 . 2010-05-24 22:35 -------- d-----w- c:\documents and settings\Will\.gimp-2.6
2010-05-15 06:37 . 2010-05-15 06:37 -------- d-----w- c:\program files\GIMP-2.0
2010-05-01 23:04 . 2010-05-02 00:48 -------- d-----w- c:\program files\AllToAVI
2010-05-01 20:25 . 2010-05-01 20:46 -------- d-----w- c:\program files\SimpleDivX
2010-05-01 03:35 . 2010-05-01 03:35 -------- d-----w- c:\program files\CDisplayEx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-27 08:02 . 2008-11-29 09:48 -------- d-----w- c:\documents and settings\Will\Application Data\DNA
2010-05-27 07:51 . 2008-11-29 09:48 -------- d-----w- c:\program files\DNA
2010-05-26 06:47 . 2009-02-12 06:14 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-05-26 01:55 . 2008-11-28 21:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-26 01:04 . 2009-08-19 05:07 -------- d-----w- c:\documents and settings\Will\Application Data\uTorrent
2010-05-26 00:45 . 2008-11-26 16:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-25 22:29 . 2010-04-24 19:16 -------- d-----w- c:\documents and settings\Will\Application Data\CoreFTP
2010-05-24 22:49 . 2008-11-26 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-19 05:33 . 2009-08-19 05:09 -------- d-----w- c:\program files\uTorrent
2010-05-15 15:42 . 2010-03-29 15:34 439816 ----a-w- c:\documents and settings\Will\Application Data\Real\Update\setup3.10\setup.exe
2010-05-12 08:02 . 2008-11-26 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-10 21:12 . 2009-01-21 22:59 -------- d-----w- c:\program files\Google
2010-04-24 19:15 . 2010-04-24 19:15 -------- d-----w- c:\program files\CoreFTP
2010-04-23 18:39 . 2008-11-26 16:48 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-12 00:59 . 2010-04-12 00:59 56532 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-06 05:00 . 2010-04-06 05:00 -------- d-----w- c:\documents and settings\Will\Application Data\Unity
2010-03-31 08:38 . 2010-03-31 08:38 503808 ----a-w- c:\documents and settings\Will\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6331999d-n\msvcp71.dll
2010-03-31 08:38 . 2010-03-31 08:38 499712 ----a-w- c:\documents and settings\Will\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6331999d-n\jmc.dll
2010-03-31 08:38 . 2010-03-31 08:38 348160 ----a-w- c:\documents and settings\Will\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6331999d-n\msvcr71.dll
2010-03-31 08:38 . 2010-03-31 08:38 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 08:37 . 2010-03-31 08:37 61440 ----a-w- c:\documents and settings\Will\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-243e0296-n\decora-sse.dll
2010-03-31 08:37 . 2010-03-31 08:37 12800 ----a-w- c:\documents and settings\Will\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-243e0296-n\decora-d3d.dll
2010-03-31 08:37 . 2009-08-31 04:58 -------- d-----w- c:\program files\Java
2010-03-31 08:29 . 2010-03-31 08:29 127 ----a-w- c:\documents and settings\Will\Local Settings\Application Data\fusioncache.dat
2010-03-30 08:46 . 2008-11-30 08:12 -------- d-----w- c:\documents and settings\Will\Application Data\BitTorrent
2010-03-30 08:04 . 2010-03-30 08:04 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-03-30 08:00 . 2010-03-30 08:00 -------- d-----w- c:\program files\MSXML 4.0
2010-03-29 21:44 . 2010-03-29 21:29 94285 ----a-w- c:\windows\HPHins03.dat
2010-03-29 21:42 . 2010-03-29 21:42 -------- d-----w- c:\program files\Hewlett-Packard
2010-03-29 21:42 . 2010-03-29 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-03-29 21:42 . 2010-03-29 21:33 -------- d-----w- c:\program files\HP
2010-03-29 21:40 . 2010-03-29 21:40 -------- d-----w- c:\program files\Common Files\HP
2010-03-29 21:39 . 2010-03-29 21:39 45056 ----a-r- c:\documents and settings\Will\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2010-03-19 02:37 . 2010-03-19 02:37 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-12 22:40 . 2010-01-31 07:23 50354 ----a-w- c:\documents and settings\Will\Application Data\Facebook\uninstall.exe
2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 09:28 . 2009-08-31 04:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-26 21:46 . 2010-02-26 21:46 5582848 ----a-w- c:\documents and settings\Will\Application Data\Facebook\npfbplugin_1_0_3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-09 323392]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-03-27 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\digital imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 23:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 01:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 19:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 16:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-28 10:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-06 09:32 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-18 19:47 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\eMusic Download Manager\\xulrunner\\xulrunner.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"58485:TCP"= 58485:TCP:Pando Media Booster
"58485:UDP"= 58485:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/26/2008 12:41 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/26/2008 12:41 PM 108552]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [12/19/2001 12:45 PM 8576]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/26/2008 12:41 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/26/2008 12:41 PM 297752]
S2 gupdate1c9f16391928608;Google Update Service (gupdate1c9f16391928608);c:\program files\Google\Update\GoogleUpdate.exe [6/19/2009 11:57 PM 133104]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/31/2010 2:37 AM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 19:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-20 04:56]

2010-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-20 04:56]

2010-05-27 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe [2004-06-07 04:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {D80EE6F1-31CD-4782-836D-2AD4E0131952} = 205.152.132.23,205.152.144.23
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\banu4y1c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2496572&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm172YYUS&fl=0&ptb=XyZ87bNMiyymU7WsrklCPw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\documents and settings\Will\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Will\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Will\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\documents and settings\Will\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\WorldWinner.com, Inc\WorldWinner Games\npwwload.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\eMusic\tbeMu1.dll
URLSearchHooks-{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
BHO-{9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\eMusic\tbeMu1.dll
Toolbar-{9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\eMusic\tbeMu1.dll
WebBrowser-{9EE802E8-C931-47AB-B570-AA8F791598CA} - c:\program files\eMusic\tbeMu1.dll
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
HKLM-Run-trioService - c:\progra~1\Freeze.com\Living 3D Dolphins\trioService.exe
AddRemove-BFG-Law & Order Criminal Intent 2 - Dark Obsession - c:\program files\Law & Order Criminal Intent 2 - Dark Obsession\Uninstall.exe
AddRemove-eMusic Toolbar - c:\progra~1\eMusic\UNWISE.EXE
AddRemove-My.Freeze.com Toolbar - c:\program files\My.Freeze.com Toolbar\settings_uninstall_app.exe
AddRemove-{55209711-652B-4560-00AB-53D9DB7D73AF} - c:\program files\EA SPORTS\NFL Head Coach\EAUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-27 03:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-27 03:06:47
ComboFix-quarantined-files.txt 2010-05-27 08:06

Pre-Run: 44,905,398,272 bytes free
Post-Run: 48,217,767,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - B921704FC3651832FB437A7FFDD43C43


#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 May 2010 - 12:40 PM

Hello

I can tell you did a lot of work on this before you got here. Well done. Are you still being redirected? From that log, you should not be, but I can't be sure until you tell me.

QUOTE
I noticed that something, which I couldn't exactly decipher, kept coming up in various scans about E-Music.
Well, that's because it's a mixed bag of info. xulrunner.exe is all right in your case, associated with E-Music, but protection programs will most likely pick it up as bad because that file can be malicious in other cases. http://spywarefiles.prevx.com/RRIFGC842591...RUNNER.EXE.html
QUOTE
The file name XULRUNNER.EXE is used by both safe and unsafe programs.


Honestly, I'd be more worried about the torrents installed than that file.

If you aren't being redirected, then you can update your AVG, I believe. Let me know.

Thanks,
tea

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 collinstevens
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:New Orleans, LA

Posted 27 May 2010 - 01:28 PM

Teacup,
No, I am no longer being redirected. Everything else seems to be in working order as well. Volume control is back in the task bar and my XP appearance is back up as well; all is as it should be to the naked eye. So does this mean we're good to go, or do you need to see a couple more logs, etc.?

If I am in the clear, I wanted to ask another question or two if it's not too much trouble. I don't really use the torrents that much anymore, but I think that might actually be one of the reasons I got in trouble, oddly enough. Since I use torrents less often now I find myself going to sites like Ninjavideo or OV Guide occasionally, both sites that host streaming DivX, and I've noticed the odd Java console popping up at times. I don't think either site is a malicious one, but I also know that they are the type of sites that competitors and general bad guys love to hack briefly and do nefarious things. I was wondering if there is a good way to avoid having those insidious Java scripts potentially infecting me without avoiding the sites altogether. I was also wondering if you had any recommendations for a real-time spyware/malware/virus protection program out there that also happens to be free. I'm going to update AVG right now, but I'll be doing so to the free 9.0, as I tried to get the pro version a year back and it didn't load properly. After having that trouble I called them to ask them to fix it for me and they told me there was nothing they could do to get me back on track, and my $60 was already spent... too bad for me, eh?

So in summation... Java, and how do I keep an eye on it/protect it?
A good "free" program or combination of programs that will give me real-time and regular scans and fixes?
And as a side note, shouldn't I be able to at least minimize my risk from torrents if I use a scan on them before opening anything up or double-clicking?

Regards,
Collin

P.S. I don't think I've had trouble with torrents in the past, as I primarily used a site that was closed to the public without invite and they seemed to screen pretty well for abnormal files. That being said, I know it's impossible to keep all the bad apples out, but with their tight-knit community they seemed to get it about 90-95% of the time.


#6 collinstevens
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:New Orleans, LA

Posted 27 May 2010 - 01:40 PM

Not sure if it matters, but as I was replying to your post I tried to download the new free version of AVG through the application. I am replying to your post in Firefox, my browser of choice, and AVG popped up with an alert telling me something about (forgive me, I can't get it to do it again and I didn't get it exactly) the other server or program being busy and I had to "switch" or "retry", whereupon it opened IE to another AVG site. I'm not sure if it's the real deal or not, so I'm delaying downloading it till I can get an idea from you if it's all good. The site it's sending me to is as follows:

http://www.avg.com:80/ww-en/upgrade-options

I briefly checked it out on Google, and I can't be sure. What do you think?

#7 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 May 2010 - 02:20 PM

It's fine.

#8 collinstevens
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:New Orleans, LA

Posted 27 May 2010 - 02:33 PM

Whoops! I guess I updated without even realizing it, because it's only offering me the pay version. So unless it's not an option for me to update any further, I suppose it's all right. Of course, I'm still only running 8.5 and not 9, but I guess 9 is a pay-only version? As for the rest... am I all set on my computer, or do you still have some tasks for me? I'm just curious, not impatient, so I'm not looking for instructions right now if you had any, just whether or not you do.

Thanks Again,
Collin

#9 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 May 2010 - 02:59 PM

Erm... no, AVG 9 should be free as well. Try uninstalling, then go here: http://free.avg.com/ww-en/download-avg-anti-virus-free

QUOTE
So in summation...Java and how do I keep an eye on it/protect it?
Have a look at Java NoScript: http://noscript.net/

I know there are several legal streaming video sites out there, like Hulu for example. I'm not a TV person, so I really am not an expert on the best sites. I do know that a lot of sites are riddled with ads... and that some of them are out-and-out adware, or worse.

Are your other scans coming up clean? Please delete ComboFix and the folder it made, C:\Qoobox. Empty your recycle bin and reboot.

I don't have a super fast computer by today's standards, so I run what suits my system and keeps it safe. I run Avira for the AV, Comodo Firewall, and I scan with MBAM every so often. Keep your Java updated and the old versions uninstalled. Those are exploitable and take up space. Do NOT spend $60 ever again on security. <----- That is part of my advice, as it will save your mind and your wallet.

You aren't bothering me, so if there's anything else you need to know, please feel free and I'll answer as best I can.

tea

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 June 2010 - 09:21 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.