Browser Hijack: Unknown source

  • This topic is locked
15 replies to this topic

#1 pdx42


  • Members
  • 8 posts
  • Local time:08:24 AM

Posted 11 December 2010 - 02:30 PM

I have Windows 7 64 bit OS. If I clear all my cookies I can successfully go to the Netflix log in page (https://www.netflix.com/Login). After I enter my log in credentials Netflix tries to redirect me to their site. However, what happens is that I'm redirected to cabotcheese.coop instead. Now when I try to go back to the Netflix log in page (https://www.netflix.com/Login) I'm immediately redirected to cabotcheese.coop. I've been able to duplicate this in Firefox, IE, and Chrome... so, I know it isn't just one browser that has been tampered with. I've tried running avast, spybot, ad-aware, super anti-virus spyware, malwarebytes, windows defender, etc and none of them find a virus, trojan, key logger, malware, etc. I can't attach a GMER log, as I'm running 64 bit windows. Any help would be appreciated!

DDS (Ver_10-12-05.01) - NTFS_AMD64
Run by Adam at 11:14:03.48 on Sat 12/11/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4091.2503 [GMT -8:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Privoxy\privoxy.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp64&d=1108&m=p-7805u&c=BB
uStart Page = hxxp://www.npr.org/
uInternet Settings,ProxyServer = http=;https=
uInternet Settings,ProxyOverride = localhost;fpmtweb.site5.com;fpmt.org;mandalamagazine.org
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - C:\Program Files (x86)\Microsoft Money\System\mnyside.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
uRun: [Google Update] "C:\Users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Ad-Watch] "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe"
mRun: [eRecoveryService]
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [AmazonGSDownloaderTray] C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Privoxy.lnk - C:\Program Files (x86)\Privoxy\privoxy.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Customize Menu - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - C:\Program Files (x86)\Microsoft Money\System\mnyside.dll
Trusted Zone: fpmt.org\mail
Trusted Zone: intuit.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg64.dll
TB-X64: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
mRun-x64: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en&refresh=1
FF - prefs.js: network.proxy.http -
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.type - 1
FF - component: C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: C:\Program Files (x86)\Google\Google Updater\2.4.2166.3772\npCIDetect14.dll
FF - plugin: C:\Program Files (x86)\Google\Update\\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Adam\AppData\Local\Google\Update\\npGoogleOneClick8.dll
FF - plugin: C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-
FF - Extension: Firebug: firebug@software.joehewitt.com - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\extensions
FF - Extension: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default
FF - Extension: ANTHEM: {07b2a769-ed19-4483-87ce-c643914c9626} - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\extensions
FF - Extension: Full Flat: {6E1A2A2E-AE2A-4A26-A812-46F54288379E} - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\extensions
FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\extensions
FF - Extension: MeasureIt: {75CEEE46-9B64-46f8-94BF-54012DE155F0} - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\extensions
FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\extensions
FF - Extension: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\extensions
FF - Extension: QuickProxy: {d5ea4520-61a1-11da-8cd6-0800200c9a66} - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\extensions
FF - Extension: Server Switcher: {F7D360DC-B8F8-11DA-86BD-3EC8728786A0} - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\extensions
FF - Extension: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2010-6-9 69152]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2009-1-5 121936]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2009-1-5 20048]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2009-1-5 61008]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-8 40384]
R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-11-19 24576]
R2 HsfXAudioService;HsfXAudioService;C:\Windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 27136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-12-3 1389400]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-1-16 1153368]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-8 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-8 40384]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2009-12-2 292864]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2010-8-11 17440]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2009-5-1 81440]
R3 O2MDRDR;O2MDRDR;C:\Windows\System32\drivers\o2mdx64.sys [2009-12-2 63264]
R3 O2SDRDR;O2SDRDR;C:\Windows\System32\drivers\o2sdx64.sys [2009-12-2 49696]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-9-28 395264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-11-18 135664]
S3 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-9-6
S3 androidusb;ADB Interface Driver;C:\Windows\System32\drivers\androidusb.sys [2010-4-29 32768]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-11-16 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\androidusb.sys [2010-4-29 32768]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw5v64.sys [2009-5-14 5435904]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-2-24 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

=============== Created Last 30 ================

2071-07-25 16:13:30 203576 ----a-w- C:\Program Files (x86)\Microsoft Games\Age of Empires III\autopatcher2.exe
2010-12-11 18:17:53 -------- d-----w- C:\Users\Adam\AppData\Roaming\SUPERAntiSpyware.com
2010-12-11 18:17:53 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com
2010-12-11 18:17:49 -------- d-----w- C:\PROGRA~3\!SASCORE
2010-12-11 18:17:47 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-12-11 18:10:40 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-12-11 18:10:36 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-12-10 21:27:31 -------- d-----w- C:\PROGRA~3\Kaspersky Lab
2010-12-10 20:15:44 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{5903C6D9-0F41-47EE-A945-DA573659BF5C}\mpengine.dll
2010-12-09 22:24:00 -------- dc-h--w- C:\PROGRA~3\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-09 22:08:24 -------- d-----w- C:\PROGRA~3\PC Tools
2010-12-09 22:00:49 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-12-08 22:10:26 -------- d-----w- C:\Users\Adam\AppData\Roaming\Malwarebytes
2010-12-08 22:10:22 -------- d-----w- C:\PROGRA~3\Malwarebytes
2010-11-29 14:40:09 -------- d-----w- C:\Program Files (x86)\Motorola
2010-11-29 14:39:50 -------- d-----w- C:\Program Files\Common Files\Motorola Shared
2010-11-25 22:19:51 -------- d-----w- C:\Users\Adam\AppData\Roaming\PeerNetworking
2010-11-24 14:42:37 -------- d-----w- C:\Program Files (x86)\Siber Systems
2010-11-16 14:01:41 -------- d-----w- C:\Windows\en
2010-11-16 14:00:20 48488 ----a-w- C:\Windows\System32\drivers\fssfltr.sys
2010-11-16 13:59:53 69464 ----a-w- C:\Windows\SysWow64\XAPOFX1_3.dll
2010-11-16 13:59:53 523088 ----a-w- C:\Windows\System32\d3dx10_42.dll
2010-11-16 13:59:53 515416 ----a-w- C:\Windows\SysWow64\XAudio2_5.dll
2010-11-16 13:59:53 453456 ----a-w- C:\Windows\SysWow64\d3dx10_42.dll
2010-11-16 13:38:25 469256 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\8ab2df401cb85932d\InstallManager_WLE_WLE.exe
2010-11-16 13:38:11 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\82b3bfd41cb859322\MeshBetaRemover.exe
2010-11-16 13:37:56 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\795917811cb85931a\DSETUP.dll
2010-11-16 13:37:56 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\795917811cb85931a\DXSETUP.exe
2010-11-16 13:37:56 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\795917811cb85931a\dsetup32.dll
2010-11-16 13:37:55 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\78d169111cb859319\DSETUP.dll
2010-11-16 13:37:55 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\78d169111cb859319\DXSETUP.exe
2010-11-16 13:37:55 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\78d169111cb859319\dsetup32.dll
2010-11-16 13:37:18 -------- d-----w- C:\Users\Adam\AppData\Local\Windows Live
2010-11-16 13:36:48 257024 ----a-w- C:\Windows\System32\mfreadwrite.dll
2010-11-16 13:36:48 206848 ----a-w- C:\Windows\System32\mfps.dll
2010-11-16 13:36:48 196608 ----a-w- C:\Windows\SysWow64\mfreadwrite.dll
2010-11-16 13:36:48 1888256 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2010-11-16 13:36:48 1619456 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2010-11-16 13:36:47 4068864 ----a-w- C:\Windows\System32\mf.dll
2010-11-16 13:36:47 3181568 ----a-w- C:\Windows\SysWow64\mf.dll
2010-11-14 14:57:22 191488 ----a-w- C:\Windows\System32\unrar.dll
2010-11-14 14:57:21 136704 ----a-w- C:\Windows\System32\ff_vfw.dll
2010-11-14 14:57:20 -------- d-----w- C:\Program Files\KLCP64

==================== Find3M ====================

2010-12-03 09:05:34 69152 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2010-11-03 20:11:37 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2010-10-19 18:41:44 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-09-23 08:47:28 49016 ----a-w- C:\Windows\SysWow64\sirenacm.dll
2010-09-23 08:32:56 301936 ----a-w- C:\Windows\WLXPGSS.SCR
2010-09-21 22:49:02 252800 ----a-w- C:\Windows\System32\LIVESSP.DLL
2010-09-21 22:03:14 208768 ----a-w- C:\Windows\SysWow64\LIVESSP.DLL
2010-09-15 11:50:37 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

============= FINISH: 11:14:41.81 ===============


Edited by pdx42, 11 December 2010 - 02:32 PM.
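The redirect in this post hits Firefox, IE and Chrome alike, which points at settings shared by every browser rather than at one browser's add-ons, and the DDS "Pseudo HJT Report" above records exactly those settings: the WinINET ProxyServer/ProxyOverride values, the Hosts: entry and Firefox's network.proxy prefs (here a manual proxy on port 8118 with an empty host, alongside a running Privoxy). The Python below is an added example, not part of the thread, DDS or BleepingComputer: it parses those line types out of a constructed sample in DDS format and lists what a helper would check first, including BHO/toolbar entries whose file is missing; the function names are mine and the sample reuses only CLSIDs that appear in the log above.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example, not from the thread, DDS or BleepingComputer. It extracts the
settings that can redirect every browser on a machine (WinINET proxy and
bypass list, hosts entries, Firefox proxy prefs) and BHO/toolbar entries whose
backing file is missing. SAMPLE_LOG is constructed in DDS format; only the
CLSIDs are taken from the thread's log."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
uStart Page = hxxp://www.npr.org/
uInternet Settings,ProxyServer = http=;https=
uInternet Settings,ProxyOverride = localhost;example.org
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB-X64: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
Hosts: www.example.com
FF - prefs.js: network.proxy.http -
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.type - 1
"""

# DDS prefixes the Internet Settings key with u (user hive) or m (machine hive).
PROXY_RE = re.compile(r"^[um]Internet Settings,(ProxyServer|ProxyOverride)\s*=\s*(.*)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) -\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


@dataclass
class Triage:
    proxy_server: dict = field(default_factory=dict)    # scheme -> host:port ('*' = all)
    proxy_override: list = field(default_factory=list)  # hosts that bypass the proxy
    hosts: list = field(default_factory=list)           # non-default hosts file entries
    ff_prefs: dict = field(default_factory=dict)        # Firefox prefs.js key -> value
    orphaned: list = field(default_factory=list)        # (entry type, CLSID) marked 'No File'


def parse_proxy_server(value: str) -> dict:
    """ProxyServer is either 'host:port' for all schemes or 'http=h:p;https=h:p'."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, target = part.partition("=")
        out[scheme if sep else "*"] = target if sep else scheme
    return out


def parse_pseudo_hjt(text: str) -> Triage:
    """Collect the browser-wide settings and orphaned entries from report lines."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            if m.group(1) == "ProxyServer":
                t.proxy_server = parse_proxy_server(m.group(2))
            else:
                t.proxy_override = [h.strip() for h in m.group(2).split(";") if h.strip()]
            continue
        if line.startswith("Hosts:"):
            t.hosts.append(line[len("Hosts:"):].strip())
            continue
        m = FF_PREF_RE.match(line)
        if m:
            t.ff_prefs[m.group(1)] = m.group(2).strip()
            continue
        if line.endswith("- No File"):
            clsid = CLSID_RE.search(line)
            t.orphaned.append((line.split(":", 1)[0], clsid.group(0) if clsid else "?"))
    return t


def findings(t: Triage) -> list:
    """Plain-language notes, settings shared by all browsers first."""
    notes = []
    if t.proxy_server:
        shown = ", ".join(f"{s}={v or '<empty>'}" for s, v in t.proxy_server.items())
        notes.append(f"WinINET proxy configured (IE and Chrome honour it): {shown}")
        if any(not v for v in t.proxy_server.values()):
            notes.append("Proxy entry with an empty host: configured but no proxy host given")
    if t.proxy_override:
        notes.append("Proxy bypass list: " + ", ".join(t.proxy_override))
    for name in t.hosts:
        notes.append(f"hosts file entry for {name}: overrides DNS for every browser")
    if t.ff_prefs.get("network.proxy.type") == "1":
        host = t.ff_prefs.get("network.proxy.http") or "<empty>"
        port = t.ff_prefs.get("network.proxy.http_port") or "<unset>"
        notes.append(f"Firefox manual proxy: {host}:{port} (check which local process listens there)")
    for kind, clsid in t.orphaned:
        notes.append(f"{kind} {clsid}: registered but its file is missing (left-over entry)")
    return notes


if __name__ == "__main__":
    for note in findings(parse_pseudo_hjt(SAMPLE_LOG)):
        print("-", note)
```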



#2 Judicandus


    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:01:24 PM

Posted 19 December 2010 - 07:05 PM

Hello and welcome to Bleeping Computer

I'm judicandus and I'll be helping you out.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent some things from being fixed.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

* Open Spybot Search & Destroy.
* In the Mode menu click "Advanced mode" if not already selected.
* Choose "Yes" at the Warning prompt.
* Expand the "Tools" menu.
* Click "Resident".
* Uncheck the "Resident 'TeaTimer' (Protection of overall system settings) active." box.
* In the File menu click "Exit" to exit Spybot Search & Destroy.

Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\TDSSKiller folder). Please copy and paste the contents of that file here.

#3 pdx42

  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:24 AM

Posted 20 December 2010 - 11:24 AM

Judicandus, thank you so much for your help! Here is the information you requested...

Attached File: Capture.PNG

Malwarebytes' Anti-Malware 1.50

Database version: 5361

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/20/2010 8:12:09 AM
mbam-log-2010-12-20 (08-12-09).txt

Scan type: Quick scan
Objects scanned: 177264
Time elapsed: 2 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The TDSSKiller application didn't find anything, and I couldn't find a log. The screen just says Duration: 10 seconds, Processed: 263 objects, Infection: not found.

#4 Judicandus


    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:01:24 PM

Posted 20 December 2010 - 12:12 PM

Hi pdx,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

#5 pdx42

  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:24 AM

Posted 20 December 2010 - 12:46 PM

ComboFix 10-12-19.03 - Adam 12/20/2010 9:36.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4091.2699 [GMT -8:00]
Running from: c:\users\Adam\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {DAAC1C79-1A96-9DFE-FC4C-6940214C33E6}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2010-11-20 to 2010-12-20 )))))))))))))))))))))))))))))))

2071-07-25 16:13 . 2006-11-22 03:48 203576 ----a-w- c:\program files (x86)\Microsoft Games\Age of Empires III\autopatcher2.exe
2010-12-20 17:32 . 2010-12-20 17:33 -------- d-----w- C:\32788R22FWJFW
2010-12-19 13:16 . 2010-12-19 13:16 -------- d-----w- c:\windows\Internet Logs
2010-12-17 14:16 . 2010-11-10 05:35 8199504 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6333D7FC-9CB8-459D-87F7-47AFE4A456D6}\mpengine.dll
2010-12-16 02:51 . 2010-12-16 02:51 -------- d-----w- c:\users\Ben\AppData\Roaming\CheckPoint
2010-12-15 22:08 . 2010-12-15 22:08 -------- d-----w- c:\users\Adam\AppData\Roaming\CheckPoint
2010-12-15 21:50 . 2010-12-15 21:50 -------- d-----w- c:\users\Work\AppData\Roaming\CheckPoint
2010-12-15 21:49 . 2010-12-15 21:49 -------- d-----w- c:\program files (x86)\Conduit
2010-12-15 21:49 . 2010-12-15 21:49 -------- d-----w- c:\program files\CheckPoint
2010-12-15 21:49 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2010-12-15 21:48 . 2010-05-16 00:30 458840 ----a-w- c:\windows\system32\drivers\~GLH0023.TMP
2010-12-15 21:48 . 2010-12-15 21:48 -------- d-----w- c:\programdata\CheckPoint
2010-12-11 18:17 . 2010-12-11 18:17 -------- d-----w- c:\users\Adam\AppData\Roaming\SUPERAntiSpyware.com
2010-12-11 18:17 . 2010-12-11 18:17 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-12-11 18:17 . 2010-12-11 18:17 -------- d-----w- c:\programdata\!SASCORE
2010-12-11 18:17 . 2010-12-16 14:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-11 18:10 . 2010-11-30 01:42 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-12-11 18:10 . 2010-12-11 18:10 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-12-10 21:27 . 2010-12-11 04:01 -------- d-----w- c:\programdata\Kaspersky Lab
2010-12-10 01:38 . 2010-12-10 01:38 -------- d-----w- c:\programdata\Google Updater
2010-12-10 01:38 . 2010-12-10 01:38 -------- d-----w- c:\program files\Google
2010-12-09 22:24 . 2010-12-09 22:24 -------- dc-h--w- c:\programdata\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-09 22:08 . 2010-12-11 17:52 -------- d-----w- c:\programdata\PC Tools
2010-12-09 22:00 . 2010-11-30 01:42 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-08 22:10 . 2010-12-08 22:10 -------- d-----w- c:\users\Adam\AppData\Roaming\Malwarebytes
2010-12-08 22:10 . 2010-12-08 22:10 -------- d-----w- c:\programdata\Malwarebytes
2010-11-29 14:40 . 2010-12-09 22:06 -------- d-----w- c:\program files (x86)\Motorola
2010-11-29 14:39 . 2010-12-09 21:39 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-11-28 22:24 . 2010-11-28 22:24 -------- d-----w- c:\users\Ben\AppData\Local\CutePDF Writer
2010-11-25 22:19 . 2010-11-25 22:19 -------- d-----w- c:\users\Adam\AppData\Roaming\PeerNetworking
2010-11-24 14:43 . 2010-11-24 14:43 -------- d-----w- c:\programdata\RoboForm
2010-11-24 14:42 . 2010-11-24 14:42 -------- d-----w- c:\program files (x86)\Siber Systems

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-12-03 09:05 . 2010-06-09 20:04 69152 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-03 20:11 . 2009-10-28 20:04 49752 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-19 18:41 . 2009-10-02 19:45 270720 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 18:00 . 2010-11-14 14:57 136704 ----a-w- c:\windows\system32\ff_vfw.dll
2010-09-23 08:47 . 2010-09-23 08:47 49016 ----a-w- c:\windows\SysWow64\sirenacm.dll
2010-09-23 08:36 . 2010-11-16 14:00 48488 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-09-23 08:32 . 2010-09-23 08:32 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-21 22:49 . 2010-09-21 22:49 252800 ----a-w- c:\windows\system32\LIVESSP.DLL
2010-09-21 22:03 . 2010-09-21 22:03 208768 ----a-w- c:\windows\SysWow64\LIVESSP.DLL

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"Google Update"="c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-12-09 136176]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-16 2988784]
"RoboForm"="c:\program files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-11-24 160328]

"Ad-Watch"="c:\program files (x86)\Lavasoft\Ad-Aware\AAWTray.exe" [2010-12-03 930032]
"AmazonGSDownloaderTray"="c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-08 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Privoxy.lnk - c:\program files (x86)\Privoxy\privoxy.exe [2010-11-14 358912]

"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-11-18 135664]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-12-03 1389400]
R3 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 32768]
R3 flash;flash;c:\users\Adam\Desktop\P78_BIOS_IMV3532_9C.20.00_x64\flash64.sys [x]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2010-04-29 32768]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-12-02 5435904]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-24 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 69152]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 61008]
S2 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-02-13 292864]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-01-13 7675392]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2009-05-01 81440]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2mdx64.sys [2009-12-02 63264]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sdx64.sys [2009-12-02 49696]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd25
*Deregistered* - Lavasoft Kernexplorer

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
Hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Contents of the 'Scheduled Tasks' folder

2010-12-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2010-12-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-12-10 01:38]

2010-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-11-18 20:30]

2010-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-11-18 20:30]

2010-12-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3083341417-1538135774-707671035-1000Core.job
- c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-09 21:47]

2010-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3083341417-1538135774-707671035-1000UA.job
- c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-09 21:47]

--------- x86-64 -----------

"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-28 16334880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
------- Supplementary Scan -------
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.npr.org/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=;https=
uInternet Settings,ProxyOverride = localhost;fpmtweb.site5.com;fpmt.org;mandalamagazine.org
IE: Customize Menu - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: fpmt.org\mail
Trusted Zone: intuit.com
FF - ProfilePath - c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\9l8t7g9f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en&refresh=1
FF - prefs.js: network.proxy.http -
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: ANTHEM: {07b2a769-ed19-4483-87ce-c643914c9626} - %profile%\extensions\{07b2a769-ed19-4483-87ce-c643914c9626}
FF - Ext: Full Flat: {6E1A2A2E-AE2A-4A26-A812-46F54288379E} - %profile%\extensions\{6E1A2A2E-AE2A-4A26-A812-46F54288379E}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: MeasureIt: {75CEEE46-9B64-46f8-94BF-54012DE155F0} - %profile%\extensions\{75CEEE46-9B64-46f8-94BF-54012DE155F0}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: QuickProxy: {d5ea4520-61a1-11da-8cd6-0800200c9a66} - %profile%\extensions\{d5ea4520-61a1-11da-8cd6-0800200c9a66}
FF - Ext: Server Switcher: {F7D360DC-B8F8-11DA-86BD-3EC8728786A0} - %profile%\extensions\{F7D360DC-B8F8-11DA-86BD-3EC8728786A0}
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files (x86)\Siber Systems\AI RoboForm\Firefox
- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKLM-Run-eRecoveryService - (no file)
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Mozilla Firefox (3.0.15) - g:\system\Apps\3C9F7B3F-D55C-42cd-8537-B878518B73AF\Exec\firefox\uninstall\helper.exe
AddRemove-Mozilla Firefox (3.5.7) - g:\system\Apps\3C9F7B3F-D55C-42cd-8537-B878518B73AF\Exec\firefox\uninstall\helper.exe

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3083341417-1538135774-707671035-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

[HKEY_USERS\S-1-5-21-3083341417-1538135774-707671035-1000\Software\SecuROM\License information*]

@Denied: (A 2) (Everyone)




@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"




@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"




@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"



@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"




@Denied: (A 2) (Everyone)



@Denied: (A 2) (Everyone)

@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)

@Denied: (Full) (Everyone)
Completion time: 2010-12-20 09:44:20
ComboFix-quarantined-files.txt 2010-12-20 17:44

Pre-Run: 178,128,658,432 bytes free
Post-Run: 178,297,995,264 bytes free

- - End Of File - - 9A523FA3F1360B83E79CB1C2BC71178A

#6 Judicandus


    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:01:24 PM

Posted 20 December 2010 - 12:55 PM

Hi pdx,

are you still getting redirected?

#7 pdx42

  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:24 AM

Posted 20 December 2010 - 01:09 PM

No, Netflix now correctly logs in and goes to the Instant Watch page... Thanks! Any idea what the problem might have been?

#8 Judicandus


    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:01:24 PM

Posted 20 December 2010 - 01:13 PM

Hi pdx,

Combofix deleted your lmhosts so it was probably infected.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
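The helper attributes the Netflix redirect to an infected lmhosts file, which ComboFix removed. Name-resolution overrides like that (in lmhosts or, more commonly, the hosts file) are simple to audit by hand once you know what to look for: any entry that maps a well-known domain, or that sends a name to a routable address rather than loopback or 0.0.0.0. The script below is an added example written for this thread; it is not ComboFix's logic or code from the forum. It assumes the standard hosts-file syntax (address, whitespace, one or more hostnames, `#` comments) and runs on constructed sample text; the watched-domain list and the sample entries are illustrative, not taken from the poster's machine.

```python
"""Audit a Windows hosts/lmhosts-style file for redirect entries.

Added example for this thread; it is not ComboFix's logic or code from the
forum. It assumes the hosts-file syntax (address, whitespace, hostnames,
'#' comments) and operates on constructed sample text.
"""
import ipaddress

# Domains a home machine should never override locally. Constructed,
# illustrative list; extend it with whatever sites matter to you.
WATCHED_SUFFIXES = ("netflix.com", "google.com", "microsoft.com", "windowsupdate.com")

# Constructed sample content. The netflix line imitates the kind of hijack
# described in the thread; the addresses are documentation ranges, and
# nothing here comes from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.netflix.com netflix.com
127.0.0.1       ads.example.net        # benign ad-blocking entry
0.0.0.0         tracker.example.org
198.51.100.7    update.example.com     # routable address, not a block
"""


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in the file.

    Comments and blank lines are skipped; lines whose first field is not
    an IP address (stray text, lmhosts keywords) are ignored rather than
    raising, so a damaged file can still be audited.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield addr, name.lower().rstrip("."), line_no


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_suspicious(text):
    """Return findings for entries that override a watched domain or that send
    any name to a routable address (loopback and 0.0.0.0 are normal for blocking)."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        blackhole = addr.is_loopback or addr.is_unspecified
        if is_watched(name):
            reason = "watched domain overridden"
        elif not blackhole:
            reason = "mapped to routable address"
        else:
            continue
        findings.append({"line": line_no, "host": name,
                         "address": str(addr), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']} ({f['reason']})")
```

On a Windows machine the file to feed `find_suspicious` is `C:\Windows\System32\drivers\etc\hosts` (read it with `open(path, encoding="utf-8", errors="replace").read()`); a clean default file contains only comments and the localhost lines, so any finding is worth a look. Entries pointing a blocked site at 127.0.0.1 or 0.0.0.0 are deliberately not flagged, since ad-blocking lists use exactly that pattern.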

#9 pdx42

  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:24 AM

Posted 20 December 2010 - 06:42 PM

I've been trying to run Kaspersky Online Scanner, but it keeps crashing on me... the download of the database files took 5 hours and then crashed when it tried to run. Now it crashes every time I try to run it. The download is incredibly slow... I can open a streaming movie at the same time and it has no issues.

This is the error it keeps giving me now...

Updating the anti-virus database. Please wait...

Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: License has expired]

#10 pdx42

  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:24 AM

Posted 20 December 2010 - 06:51 PM

I just took a look at Kaspersky's website and it says the Online Scanner is Unavailable...

The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience.

#11 Judicandus


    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:01:24 PM

Posted 20 December 2010 - 08:59 PM

Hi pdx,

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

#12 pdx42

  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:24 AM

Posted 21 December 2010 - 12:38 PM

Thanks, that worked much better! Here are the results...

ANALYSIS: 2010-12-21 09:34:56
Description Version Active Updated
avast! Antivirus No Yes
Lavasoft Ad-Watch Live! Anti-Virus No Yes
Id Description Type Active Severity Disinfectable Disinfected Location
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\users\ben\appdata\roaming\microsoft\windows\cookies\ben@com[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No c:\users\ben\appdata\roaming\microsoft\windows\cookies\ben@target[1].txt
Sent Location
Id Severity Description

#13 Judicandus


    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:01:24 PM

Posted 21 December 2010 - 12:47 PM

Looks like you're all clean! :)

Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>
  • The following will implement some very important cleanup procedures as well as reset System Restore points.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please let me know if it all goes smoothly.

#14 pdx42

  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:24 AM

Posted 21 December 2010 - 01:03 PM

Hi Judicandus,

That's great news! :thumbup2:

I followed your instructions, and everything went smoothly...

#15 Judicandus


    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:01:24 PM

Posted 21 December 2010 - 01:12 PM

Great job on the cleanup pdx!

I am sending you below one of our speeches for clean logs. You don't need to install all the programs, they are only suggestions :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
