Browser Redirected/Internet stopped working Please Help!!!


  • This topic is locked
2 replies to this topic

#1 FAZAL

  • Members
  • 39 posts

Posted 01 October 2010 - 11:18 AM

Hello,

I noticed the other day that my browser was being redirected to several sites, one of them being Blinkx.com. I tried to download and run Malwarebytes Anti-Malware but I kept getting the "... is not a valid win32 application" message. I did a scan with Avast and with SuperAntiSpyware; they both found malware and I followed the recommended actions for both programs. After that my internet connection stopped working. Right now I am using a different computer to communicate with you, and I will just use an external HD to transfer any programs I need to use and any logs you need to see.

I have attached the HijackThis log from the infected computer as well as the SuperAntiSpyware log and both DDS logs. I got an error message trying to run both GMER and DDS; I have attached screenshots of those messages as .jpg files. Avast doesn't really produce a log for its scans; however, the viruses it detected were "Win32.Crpt-HPX [Drp]" and "Win32.MalOb-CB [Cryp]".

Thank you very much



HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:45:47 AM, on 10/1/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Common Files\Dell\apache\bin\httpd.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Users\Fazal\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [rundll32] C:\Users\Fazal\userinit.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3534925567-2425520083-2529549599-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'RA Media Server')
O4 - HKUS\S-1-5-21-3534925567-2425520083-2529549599-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'RA Media Server')
O4 - S-1-5-21-3534925567-2425520083-2529549599-1001 User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'RA Media Server')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0...inAxControl.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Remote Access Media Server (Apache2.2) - Apache Software Foundation - C:\Program Files (x86)\Common Files\Dell\apache\bin\httpd.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Remote Access DB (dsl-db) - Unknown owner - C:\Program Files (x86)\Common Files\Dell\MySQL\bin\mysqld.exe
O23 - Service: Remote Access File Sync Service (dsl-fs-sync) - SingleClick Systems - C:\Program Files (x86)\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Advanced Networking Service (hnmsvc) - Dell Inc. - c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
O23 - Service: FF Install Filter Service (InstallFilterService) - Unknown owner - C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: O2FLASH - Unknown owner - C:\Windows\system32\DRIVERS\o2flash.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Sound Blaster X-Fi MB Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_fd9b60625db011f9\STacSV64.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~2\SPEEDB~1\VideoAcceleratorService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11651 bytes
SuperAntiSpyware Log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/01/2010 at 00:53 AM

Application Version : 4.44.1000

Core Rules Database Version : 5614
Trace Rules Database Version: 3426

Scan type : Complete Scan
Total Scan Time : 01:03:11

Memory items scanned : 724
Memory threats detected : 3
Registry items scanned : 15111
Registry threats detected : 4
File items scanned : 35060
File threats detected : 156

Trojan.Agent/Gen-VerFake
C:\USERS\FAZAL\APPDATA\LOCAL\TEMP\6DFE.TMP
C:\USERS\FAZAL\APPDATA\LOCAL\TEMP\6DFE.TMP
C:\USERS\FAZAL\APPDATA\ROAMING\MICROSOFT\WINDOWS\SHELL.EXE
C:\USERS\FAZAL\APPDATA\ROAMING\MICROSOFT\WINDOWS\SHELL.EXE
C:\USERS\FAZAL\APPDATA\LOCAL\TEMP\DWM.EXE
C:\USERS\FAZAL\APPDATA\LOCAL\TEMP\DWM.EXE
(x86) [Load] C:\USERS\FAZAL\APPDATA\LOCAL\TEMP\DWM.EXE

Trojan.SVCHost/Fake
(x86) [svchost] C:\USERS\FAZAL\APPDATA\ROAMING\MICROSOFT\SVCHOST.EXE
C:\USERS\FAZAL\APPDATA\ROAMING\MICROSOFT\SVCHOST.EXE

Trojan.Agent/Gen
(x86) HKU\S-1-5-21-3534925567-2425520083-2529549599-1000\Software\Microsoft\Windows\CurrentVersion\Run#svchost [ C:\Users\Fazal\AppData\Roaming\Microsoft\svchost.exe ]
C:\USERS\FAZAL\APPDATA\LOCAL\TEMP\CACLFTP.DLL

Malware.Trace
(x86) HKU\S-1-5-21-3534925567-2425520083-2529549599-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Adware.Tracking Cookie
C:\Users\Fazal\AppData\Local\Temp\Low\Cookies\fazal@atdmt[2].txt
cdn4.specificclick.net [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
core.insightexpressai.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
imagec05.247realmedia.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
media.mtvnservices.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
media.scanscout.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
media1.break.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
msnbcmedia.msn.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
secure-us.imrworldwide.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
static.xxxmatch.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
video.redorbit.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
vidii.hardsextube.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
www.alphaporno.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
www.bleeptube.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
www.mofosex.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
www.naiadsystems.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
www.onetwoporn.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
www.pornhub.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
www.soundclick.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
www.ziporn.com [ C:\Users\Fazal\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\CZFX5GNF ]
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ads.pubmatic[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@www.fpctraffic2[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@googleads.g.doubleclick[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ad.yieldmanager[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@tradedoubler[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@collective-media[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@content.yieldmanager[4].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@questionmarket[4].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@content.yieldmanager[5].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@questionmarket[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@specificclick[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@tracking.foxnews[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ad.yieldmanager[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@adecn[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@questionmarket[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ads.watchmygf[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@northjersey.112.2o7[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@casalemedia[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@revsci[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@insightexpressai[4].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@invitemedia[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@collective-media[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@insightexpressai[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ads.pointroll[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@mediaplex[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@serving-sys[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@media6degrees[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@tacoda[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ad.slutload[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ru4[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@s.clickability[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@bizzclick[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@www.burstnet[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@server.cpmstar[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@pro-market[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@247realmedia[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ads.thefrisky[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@bs.serving-sys[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@kontera[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@specificmedia[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@advertising[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@richmedia.yahoo[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@invitemedia[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@revsci[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@interclick[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ad.wsod[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@specificclick[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@adinterax[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@kontera[4].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@apmebf[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@apmebf[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ads.crakmedia[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@adultfriendfinder[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@realmedia[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@a1.interclick[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@adbrite[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@burstnet[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@statcounter[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@at.atwola[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@stolengfporn[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@fastclick[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@kontera[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@dadbleeps[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@zedo[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@adbrite[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@a1.interclick[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@interclick[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@www.pornoxo[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@adultfriendfinder[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ads.crakmedia[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@richmedia.yahoo[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@specificmedia[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@doubleclick[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@imrworldwide[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@www.burstnet[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@atdmt[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@toplist[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@content.yieldmanager[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@pointroll[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@insightexpressai[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@overture[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@kontera[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@serving-sys[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@media6degrees[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@msnbc.112.2o7[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@specificmedia[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@realmedia[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@questionmarket[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@samsung.112.2o7[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@a1.interclick[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@in.getclicky[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@server.cpmstar[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@pro-market[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@content.yieldmanager[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@pornhub[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ero-advertising[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@serving-sys[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@yieldmanager[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@ads.pointroll[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@msnportal.112.2o7[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@mediaplex[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@tribalfusion[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@collective-media[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@pornoxo[2].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@n-traffic[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@tribalfusion[3].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@zedo[1].txt
C:\Users\Fazal\AppData\Roaming\Microsoft\Windows\Cookies\Low\fazal@advertise[2].txt
.dmtracker.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.doubleclick.net [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.content.yieldmanager.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.interclick.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.interclick.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.a1.interclick.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.a1.interclick.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.a1.interclick.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.a1.interclick.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.a1.interclick.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.interclick.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.imrworldwide.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.imrworldwide.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.revsci.net [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.revsci.net [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.revsci.net [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.revsci.net [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]
.interclick.com [ C:\Users\Fazal\AppData\Roaming\Mozilla\Firefox\Profiles\ll9zbhok.default\cookies.sqlite ]

Trojan.Agent/Gen-Frammr
C:\USERS\FAZAL\APPDATA\LOCAL\TEMP\~TMC7F1.TMP
DDS Log:


DDS (Ver_10-03-17.01) - NTFSX64
Run by Fazal at 11:47:01.09 on Fri 10/01/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4085.2758 [GMT -4:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_fd9b60625db011f9\STacSV64.exe
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Dell\MySQL\bin\mysqld.exe
c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~2\SPEEDB~1\VideoAcceleratorService.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Common Files\Dell\apache\bin\httpd.exe
C:\Program Files (x86)\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe
C:\Program Files (x86)\Common Files\Dell\apache\bin\httpd.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\PROGRA~2\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\msiexec.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Fazal\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:50370
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [cdloader] "c:\users\fazal\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [rundll32] c:\users\fazal\userinit.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [DellSupportCenter] "c:\program files (x86)\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\users\fazal\appdata\roaming\mozilla\firefox\profiles\ll9zbhok.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\program files (x86)\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2009-11-2 55280]
R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdflt.sys [2009-11-2 18792]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-20 121936]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\saskutil64.sys [2010-2-17 12360]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore64.exe [2010-6-29 128752]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-2 203264]
R2 Apache2.2;Remote Access Media Server;c:\program files (x86)\common files\dell\apache\bin\httpd.exe [2008-12-10 24636]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-20 20048]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-3-20 61008]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-25 40384]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
R2 dsl-db;Remote Access DB;c:\program files (x86)\common files\dell\mysql\bin\mysqld.exe [2009-6-11 5730304]
R2 dsl-fs-sync;Remote Access File Sync Service;c:\program files (x86)\common files\dell\remote access file sync service\dsl_fs_sync.exe [2009-7-21 189680]
R2 InstallFilterService;FF Install Filter Service;c:\program files (x86)\stmicroelectronics\accelerometer\InstallFilterService.exe [2009-11-2 60928]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~2\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~2\speedb~1\VideoAcceleratorService.exe -start -scm [?]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Acceler.sys [2009-11-2 23912]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-25 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-25 40384]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-11-2 172704]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdgx64.sys [2009-11-2 69152]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-11-2 215040]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\common files\creative labs shared\service\AL6Licensing.exe [2009-11-2 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service\CTAELicensing.exe [2009-11-2 79360]
S3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files (x86)\common files\creative labs shared\service\XMBLicensing.exe [2009-11-2 79360]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-8 1255736]

=============== Created Last 30 ================

2010-10-01 14:43:15 0 d-----w- c:\program files (x86)\Trend Micro
2010-10-01 03:46:55 0 d-----w- c:\users\fazal\appdata\roaming\SUPERAntiSpyware.com
2010-10-01 03:46:55 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-10-01 03:46:50 0 d-----w- c:\programdata\!SASCORE
2010-10-01 03:46:48 0 d-----w- c:\program files\SUPERAntiSpyware
2010-10-01 02:18:52 0 d-----w- c:\users\fazal\appdata\roaming\Windows Live Writer
2010-09-29 04:31:15 184832 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-09-29 04:31:14 243712 ----a-w- c:\windows\system32\drivers\ks.sys
2010-09-28 22:08:16 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-09-28 22:08:16 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-26 05:41:38 0 d-----w- c:\program files (x86)\Yahoo!
2010-09-26 00:00:06 0 d-----w- c:\programdata\Speedbit
2010-09-25 23:54:55 0 d-----w- c:\program files\DIFX
2010-09-25 23:53:28 0 d-----w- c:\users\fazal\appdata\roaming\GARMIN
2010-09-25 19:29:48 0 d-----w- c:\programdata\WinZip
2010-09-20 22:10:51 20 ----a-w- c:\users\fazal\appdata\roaming\apiqfw.dat
2010-09-20 22:10:48 4 ----a-w- c:\users\fazal\appdata\roaming\avdrn.dat
2010-09-15 03:29:36 2058752 ----a-w- c:\windows\syswow64\iertutil.dll
2010-09-14 23:17:19 558592 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-12 04:14:56 172032 ----a-w- c:\windows\syswow64\AniGIF.ocx
2010-09-12 04:14:56 0 d-----w- c:\program files (x86)\SpeedBit Video Accelerator
2010-09-07 00:22:15 675 ------w- c:\windows\hpomdl43.dat.temp
2010-09-06 19:30:36 0 d-----w- c:\programdata\magicJack
2010-09-06 19:30:06 0 d-----w- c:\users\fazal\appdata\roaming\mjusbsp

==================== Find3M ====================

2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11:54 167592 ----a-w- c:\windows\syswow64\aswBoot.exe
2010-09-07 14:47:33 61008 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-07 00:29:20 195382 ----a-w- c:\windows\hpoins43.dat
2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-07-29 02:27:58 1002 ----a-w- c:\users\fazal\appdata\roaming\wklnhst.dat
2010-07-27 14:03:24 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-11-02 07:29:37 75 --sh--r- c:\windows\CT4CET.bin
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-25 03:36:54 245760 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-10 09:05:14 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-01-10 09:05:14 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-01-10 09:05:14 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 11:47:33.60 ===============



Thanks once again.
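
As an added example, not part of the original thread: the Pseudo HJT Report above shows Internet Explorer (uInternet Settings,ProxyServer = http=127.0.0.1:50370) and Firefox (network.proxy.http, network.proxy.http_port and network.proxy.type in prefs.js) both routed through the same loopback proxy port, plus a uRun entry launching userinit.exe from a user profile directory instead of the Windows directory. The Python script below parses a few of those lines (copied from the log, with benign entries kept for contrast) and flags exactly those patterns; the reading that a loopback proxy left behind after its listening process was removed would explain the lost connectivity is an inference from the log, not something the thread states.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" and
# FIREFOX sections of the log posted above, with benign entries for contrast.
SAMPLE_DDS = [
    r"uStart Page = hxxp://www.google.com/",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:50370",
    r"mWinlogon: Userinit=userinit.exe",
    r'uRun: [cdloader] "c:\users\fazal\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK',
    r"uRun: [rundll32] c:\users\fazal\userinit.exe",
    r"uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe",
    r'mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui',
    r"FF - prefs.js: network.proxy.http - 127.0.0.1",
    r"FF - prefs.js: network.proxy.http_port - 50370",
    r"FF - prefs.js: network.proxy.type - 1",
]

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Names of core Windows binaries; a copy living outside \windows\ deserves a look.
SYSTEM_BINARIES = {"userinit.exe", "svchost.exe", "explorer.exe", "winlogon.exe",
                   "rundll32.exe", "lsass.exe", "csrss.exe", "services.exe"}

IE_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([^:;\s]+):(\d+)", re.I)
RUN_RE = re.compile(r'^[um]Run:\s*\[([^\]]*)\]\s*"?([^"]+?\.exe)"?', re.I)
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(\S+)\s*-\s*(.*)$")


def analyze_dds(lines: List[str]) -> List[Dict[str, str]]:
    """Return findings for loopback browser proxies and misplaced system binaries."""
    findings: List[Dict[str, str]] = []
    ff_prefs: Dict[str, str] = {}
    proxy_ports = set()

    for line in lines:
        m = IE_PROXY_RE.search(line)
        if m and m.group(1).lower() in LOOPBACK:
            findings.append({"kind": "ie_loopback_proxy", "port": m.group(2)})
            proxy_ports.add(m.group(2))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip()
            continue
        m = RUN_RE.match(line)
        if m:
            path = m.group(2).strip().lower()
            name = path.rsplit("\\", 1)[-1]
            if name in SYSTEM_BINARIES and "\\windows\\" not in path:
                findings.append({"kind": "system_binary_outside_windows", "path": path})

    # Firefox: network.proxy.type 1 means a manual proxy; combine host and port.
    if (ff_prefs.get("network.proxy.type") == "1"
            and ff_prefs.get("network.proxy.http", "").lower() in LOOPBACK):
        port = ff_prefs.get("network.proxy.http_port", "?")
        findings.append({"kind": "firefox_loopback_proxy", "port": port})
        proxy_ports.add(port)

    # Two browsers sharing one loopback proxy port is rarely the user's own doing.
    if len(proxy_ports) == 1 and sum(f["kind"].endswith("loopback_proxy") for f in findings) > 1:
        findings.append({"kind": "shared_loopback_proxy_port", "port": proxy_ports.pop()})
    return findings


if __name__ == "__main__":
    for finding in analyze_dds(SAMPLE_DDS):
        print(finding)
```
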


#2 Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:08:18 AM

Posted 05 October 2010 - 08:46 AM

Hi,
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top, change it to Minimal Output.
  • Copy-paste the following contents into the custom scan area:
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:08:18 AM

Posted 11 October 2010 - 08:59 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.





