Ie Browser Is Hijacked


  • This topic is locked
23 replies to this topic

#1 marrober9

  • Members
  • 12 posts

Posted 01 December 2006 - 01:33 AM

When I log onto IE it opens my home page fine. Now when I type in a search request Explorer will open up the appropriate web site options. When I click on the site I am redirected to other web search engines, and it is not only one site that it will take me to. A few examples are Monster Market, Shopica, and Auto Mart; it will open up search helpers that are related to my original search entry. A funny thing is if I go back to the MS search page and open the same web site again it will open another web search assistant. On the third time though on the MS search it will open the correct site, always on the third attempt. I have run every possible cleaner, finder, buster, whatever and still it comes back. I tried looking for it in my registry but have not gotten it yet. So I will post my HiJackThis log and see if anyone can help. Thanks


Logfile of HijackThis v1.99.1
Scan saved at 12:28:10 AM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1134613034\ee\AOLSoftware.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\aol\1134613034\ee\aolssc.exe
C:\Program Files\Sonic Foundry\Sound Forge 6.0\forge60.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Marco Roberts\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134613034\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee Inc. - (no file)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - (no file)


#2 Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 01 December 2006 - 04:11 AM

Download and run Silent Runners.vbs from HERE

It generates a log; please post the information back in this thread.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 04 December 2006 - 02:46 AM

Due to inactivity this topic will be closed.

If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#4 marrober9
  • Topic Starter

  • Members
  • 12 posts

Posted 04 December 2006 - 05:14 PM

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SMSystemAnalyzer" = ""C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"" ["iolo technologies, LLC"]
"AOL Fast Start" = ""C:\Program Files\America Online 9.0\AOL.EXE" -b" ["America Online, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"HostManager" = "C:\Program Files\Common Files\AOL\1134613034\ee\AOLSoftware.exe" ["America Online, Inc."]
"sscRun" = "C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe" ["America Online"]
"OASClnt" = "C:\Program Files\mcafee.com\antivirus\oasclnt.exe" ["McAfee, Inc."]
"EmailScan" = "C:\Program Files\mcafee.com\antivirus\mcvsescn.exe" ["McAfee, Inc."]
"MPFExe" = "C:\Program Files\mcafee.com\personal firewall\MPfTray.exe" ["McAfee Security"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{E07111B5-44B3-4DD6-B77E-1FA21F1F3A37}" = "iolo Context Defrag"
-> {HKLM...CLSID} = "iolo Context Defrag"
\InProcServer32\(Default) = "C:\PROGRA~1\iolo\Common\Lib\CONTEX~1.DLL" ["iolo technologies, LLC"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "kdrrn.exe" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"smrgdf C:\Program Files\iolo\System Mechanic Professional 6\" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
SM_ContextDefrag\(Default) = "{E07111B5-44B3-4DD6-B77E-1FA21F1F3A37}"
-> {HKLM...CLSID} = "iolo Context Defrag"
\InProcServer32\(Default) = "C:\PROGRA~1\iolo\Common\Lib\CONTEX~1.DLL" ["iolo technologies, LLC"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
SM_ContextDefrag\(Default) = "{E07111B5-44B3-4DD6-B77E-1FA21F1F3A37}"
-> {HKLM...CLSID} = "iolo Context Defrag"
\InProcServer32\(Default) = "C:\PROGRA~1\iolo\Common\Lib\CONTEX~1.DLL" ["iolo technologies, LLC"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Default executables:
--------------------

<<!>> HKLM\Software\Classes\htafile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]

<<!>> HKLM\Software\Classes\scrfile\shell\open\command\(Default) = "NOTEPAD.EXE %1" [MS]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoBandCustomize" = (REG_DWORD) hex:0x00000000
{Disable customizing browser toolbars}

"NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
{Disable customizing browser toolbar buttons}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoBandCustomize" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"GeneralTab" = (REG_DWORD) hex:0x00000000
{Disable the General page}

"HomePage" = (REG_DWORD) hex:0x00000000
{Disable changing home page settings}

"Cache" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"History" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Colors" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"links" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Fonts" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Languages" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Accessibility" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"SecurityTab" = (REG_DWORD) hex:0x00000000
{Disable the Security page}

"ContentTab" = (REG_DWORD) hex:0x00000000
{Disable the Content page}

"Ratings" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Certificates" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"FormSuggest" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"FormSuggest Passwords" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Profiles" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ConnectionsTab" = (REG_DWORD) hex:0x00000000
{Disable the Connections page}

"Connection Settings" = (REG_DWORD) hex:0x00000000
{Disable changing connection settings}

"Connwiz Admin Lock" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Proxy" = (REG_DWORD) hex:0x00000000
{Disable changing proxy settings}

"ProgramsTab" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Messaging" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ResetWebSettings" = (REG_DWORD) hex:0x00000000
{Disable the Reset Web Settings feature}

"Check_If_Default" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"AdvancedTab" = (REG_DWORD) hex:0x00000000
{Disable the Advanced page}

"Advanced" = (REG_DWORD) hex:0x00000000
{Disable changing Advanced page settings}

HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"GeneralTab" = (REG_DWORD) hex:0x00000000
{Disable the General page}

"HomePage" = (REG_DWORD) hex:0x00000000
{Disable changing home page settings}

"Cache" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"History" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Colors" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"links" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Fonts" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Languages" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Accessibility" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"SecurityTab" = (REG_DWORD) hex:0x00000000
{Disable the Security page}

"ContentTab" = (REG_DWORD) hex:0x00000000
{Disable the Content page}

"Ratings" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Certificates" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"FormSuggest" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"FormSuggest Passwords" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Profiles" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ConnectionsTab" = (REG_DWORD) hex:0x00000000
{Disable the Connections page}

"Connection Settings" = (REG_DWORD) hex:0x00000000
{Disable changing connection settings}

"Connwiz Admin Lock" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Proxy" = (REG_DWORD) hex:0x00000000
{Disable changing proxy settings}

"ProgramsTab" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Messaging" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ResetWebSettings" = (REG_DWORD) hex:0x00000000
{Disable the Reset Web Settings feature}

"Check_If_Default" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"AdvancedTab" = (REG_DWORD) hex:0x00000000
{Disable the Advanced page}

"Advanced" = (REG_DWORD) hex:0x00000000
{Disable changing Advanced page settings}

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoJITSetup" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoJITSetup" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserSaveAs" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFileNew" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoBrowserClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFileOpen" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoTheaterMode" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoViewSource" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFavorites" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoAddingChannels" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoBrowserOptions" = (REG_DWORD) hex:0x00000000
{Tools menu: Disable Internet Options... menu option}

"NoBrowserContextMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoOpeninNewWnd" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserSaveAs" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFileNew" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoBrowserClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFileOpen" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoTheaterMode" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoViewSource" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFavorites" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoAddingChannels" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoBrowserOptions" = (REG_DWORD) hex:0x00000000
{Tools menu: Disable Internet Options... menu option}

"NoBrowserContextMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoOpeninNewWnd" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"FRU Task #Hewlett-Packard#hp psc 2170 series#1134594979" -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 2170 series#1134594979"" [empty string]
"XoftSpySE" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe -t" ["ParetoLogic"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = "Real.com"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Antivirus Update Service, aolavupd, ""C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe"" ["America Online"]
AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["America Online"]
McAfee McShield, McShield, "C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe" ["McAfee Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\mcafee.com\personal firewall\MPFService.exe"" ["McAfee Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt07\Driver = "hpzlnt07.dll" ["HP"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 140 seconds)

#5 Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 04 December 2006 - 05:52 PM

That made you sit up :thumbsup: I actually didn't close it as I intended, so let's carry on.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#6 marrober9
  • Topic Starter

  • Members
  • 12 posts

Posted 04 December 2006 - 10:43 PM

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.9

Scan started at 5:07:33 PM 12/4/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...


Logfile of HijackThis v1.99.1
Scan saved at 9:38:55 PM, on 12/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1134613034\ee\AOLSoftware.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\aol\1134613034\ee\aolssc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Marco Roberts\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134613034\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee Inc. - (no file)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - (no file)

#7 Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 05 December 2006 - 02:07 AM

Hmm... do one more scan for me. Please download SUPERAntiSpyware Home Edition (free version).
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.


Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#8 marrober9
  • Topic Starter

  • Members
  • 12 posts

Posted 05 December 2006 - 04:14 PM

SUPERAntiSpyware Scan Log
Generated 12/05/2006 at 02:52 PM

Application Version : 3.3.1020

Core Rules Database Version : 3142
Trace Rules Database Version: 1158

Scan type : Complete Scan
Total Scan Time : 00:26:50

Memory items scanned : 322
Memory threats detected : 0
Registry items scanned : 5839
Registry threats detected : 0
File items scanned : 6452
File threats detected : 13

Adware.Tracking Cookie
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@revsci[2].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@2o7[1].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@ads.pointroll[2].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@questionmarket[2].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@atwola[1].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@kanoodle[1].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@overture[1].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@4.adbrite[1].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@upspiral[1].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@www.upspiral[1].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@divx.112.2o7[1].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@adbrite[2].txt
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@forum.team-mediaportal[2].txt


Logfile of HijackThis v1.99.1
Scan saved at 3:10:29 PM, on 12/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\AOL\1134613034\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
c:\program files\common files\aol\1134613034\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\DOCUME~1\MARCOR~1\LOCALS~1\Temp\SSUPDATE.EXE
c:\program files\common files\aol\1134613034\ee\aolssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Marco Roberts\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134613034\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee Inc. - (no file)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - (no file)

#9 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:03:58 AM

Posted 05 December 2006 - 05:50 PM

It all looks OK - are you still having problems?

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#10 marrober9

marrober9
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:58 PM

Posted 05 December 2006 - 06:32 PM

Yes, it still does the same thing. It's crazy.

#11 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:03:58 AM

Posted 05 December 2006 - 06:48 PM

OK, let's clear your log and see if that removes it. First off - you are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

Click here to download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. In the 'Full Path of File to Delete' box, copy and paste the following, clicking the red 'Delete File' button (red circle with a white X) after pasting:

C:\Documents and Settings\Marco Roberts\LOCAL Settings\Temp\SSUPDATE.EXE

Click 'Exit' when done.

Go to Start->Run and type Services.msc then hit Ok. Scroll down and find the service called "Windows User Mode Driver Framework". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R3 - Default URLSearchHook is missing
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Exit HijackThis when done. Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file; this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the results of the AVG Anti-Spyware report scan together with a new HijackThis log.
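
The entries the helper picks out of the log above (the missing default URLSearchHook, the O6 IE policy restrictions, a service registered with "(no file)", and SSUPDATE.EXE running from a Temp folder) can be spotted mechanically. The following is an added example, not code from the thread or from HijackThis itself; it runs a small triage over a constructed excerpt modelled on the posted HijackThis v1.99.1 log and reports the same classes of entry.

```python
import re
from typing import List, Tuple

# Constructed excerpt modelled on the HijackThis log posted above; only the lines
# relevant to the helper's fix list are kept, plus two benign entries as controls.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\MARCOR~1\LOCALS~1\Temp\SSUPDATE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - (no file)
"""

# A HijackThis entry line: a section code (R0..R3, O1..O23) followed by " - " and a body.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for the log lines a helper would act on."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
            elif re.search(r"\\temp\\", line, re.IGNORECASE):
                findings.append(("process running from a Temp directory", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R3" and body.endswith("is missing"):
            findings.append(("default URLSearchHook removed", line))
        elif kind == "O6":                    # IE policy restrictions are rarely user-set
            findings.append(("IE policy restriction set", line))
        elif kind == "O23" and (body.endswith("(no file)") or body.endswith("(file missing)")):
            findings.append(("service registered without a binary on disk", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The benign R0, O4 and McShield O23 lines pass through unflagged, so the output lists exactly the five entries the helper addressed.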

#12 marrober9

marrober9
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:58 PM

Posted 05 December 2006 - 09:03 PM

Killbox is saying it can't delete this file.

#13 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:03:58 AM

Posted 06 December 2006 - 01:34 AM

Carry on with everything else - we will come back to that.

#14 marrober9

marrober9
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:58 PM

Posted 06 December 2006 - 03:13 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:09:20 PM, on 12/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\AOL\1134613034\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\WINDOWS\system32\msiexec.exe
C:\DOCUME~1\MARCOR~1\LOCALS~1\Temp\SSUPDATE.EXE
c:\program files\common files\aol\1134613034\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1134613034\ee\aolssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Marco Roberts\My Documents\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134613034\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1134613034\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee Inc. - (no file)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:52:31 PM 12/6/2006

+ Scan result:



[1152] VM_00870000 -> Downloader.Zlob.aty : No action taken.
[204] VM_00D70000 -> Downloader.Zlob.aty : No action taken.
[228] VM_00C20000 -> Downloader.Zlob.aty : No action taken.
[816] VM_00B40000 -> Downloader.Zlob.aty : No action taken.
C:\System Volume Information\_restore{608E1125-7C4E-4A53-83A4-11D9449703F0}\RP1\A0000026.exe -> Dropper.Agent.azn : No action taken.
C:\System Volume Information\_restore{608E1125-7C4E-4A53-83A4-11D9449703F0}\RP1\A0000027.exe -> Dropper.Agent.azn : No action taken.
C:\WINDOWS\browser.exe -> Hijacker.Small : No action taken.
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Marco Roberts\Cookies\marco_roberts@image.masterstats[1].txt -> TrackingCookie.Masterstats : No action taken.


::Report end

#15 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:03:58 AM

Posted 06 December 2006 - 03:29 PM

Please have AVG quarantine what it finds - the report says 'No action taken'. Post a new log when done.
