
Google Searches Being Redirected


  • This topic is locked
13 replies to this topic

#1 boingo2000

boingo2000

  • Members
  • 24 posts
  • OFFLINE
  • Location:Phoenix, AZ
  • Local time:08:38 PM

Posted 30 June 2007 - 05:08 PM

Lately I've had a seeming infestation on my computer...you name it: popups, Ultimate Defender, and some other things. I've tried several anti-spyware programs, in both standard and safe mode (Ad-Aware, SpyBot, SpyDoctor, and AVG), and I'm still left with one problem. When I do a Google search and click on one of the results, I'm directed to some other seemingly random site. Sometimes it's another search engine, sometimes it's an eBay page. There are no popups associated with this, and everything is fine if I cut/paste or type the URL in directly....somehow this little bug is just messing with the links on my Google searches. Here's my HijackThis log. It's my first, so be gentle. :thumbsup:


Logfile of HijackThis v1.99.1
Scan saved at 2:54:37 PM, on 6/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System\CmFlywav.exe
C:\Program Files\FolderShare\FolderShare.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ads1.revenue.net/l?site_id=11634&pplacement_id=1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ads1.revenue.net/l?site_id=11634&pplacement_id=1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ads1.revenue.net/l?site_id=11634&pplacement_id=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ads1.revenue.net/l?site_id=11634&pplacement_id=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F851444-52D9-5636-1F36-03FEE90A8197} - C:\WINDOWS\system32\vJkqpLke.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CmFlywaveName] C:\WINDOWS\System\CmFlywav.exe
O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Wireless-G Music Bridge\WMB54G.exe -R
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119588498062
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:38 AM

Posted 01 July 2007 - 01:04 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Scan again with HijackThis and check the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ads1.revenue.net/l?site_id=11634&pplacement_id=1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ads1.revenue.net/l?site_id=11634&pplacement_id=1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ads1.revenue.net/l?site_id=11634&pplacement_id=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ads1.revenue.net/l?site_id=11634&pplacement_id=1

O2 - BHO: (no name) - {2F851444-52D9-5636-1F36-03FEE90A8197} - C:\WINDOWS\system32\vJkqpLke.dll

O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #3

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Find and delete these files (if they are still there):
C:\WINDOWS\system32\vJkqpLke.dll
C:\WINDOWS\system32\DHaxi.exe



Reboot your computer normally.

Step #5

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
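The triage didom performs above (pick out the rewritten IE search URLs, the unnamed BHO in system32, and the Run entry named after its own executable) can be written down as a small log checker. The following is an added example and is not HijackThis code or anything posted in this thread; the trusted-host allowlist and the three heuristics are assumptions chosen for illustration, and the sample log lines are constructed from the entries shown in the first post.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not HijackThis's own code)."""
import re
from urllib.parse import urlparse

# Assumption for this example: hosts that an IE search setting may legitimately point at.
TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.google.com"}

R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
BHO_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_LINE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\Run: \[(.+?)\] (.+)$")


def _executable_name(cmd):
    """Return the file name of the program launched by a Run entry's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1]


def triage(lines):
    """Return (section, detail) pairs for lines that match one of three heuristics:
    R0/R1 search settings pointing at an untrusted host, an O2 BHO with no name,
    and an O4 Run value whose name is the executable itself, living in system32."""
    findings = []
    for line in lines:
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            section, key, value_name, url = m.groups()
            host = urlparse(url).hostname or ""  # non-URL values such as *.local give no host
            if host and host not in TRUSTED_SEARCH_HOSTS:
                findings.append((section, f"{key},{value_name} points at {host}"))
            continue
        m = BHO_LINE.match(line)
        if m:
            name, clsid, path = m.groups()
            if name == "(no name)":
                findings.append(("O2", f"unnamed BHO {clsid} -> {path}"))
            continue
        m = RUN_LINE.match(line)
        if m:
            hive, value_name, cmd = m.groups()
            exe = _executable_name(cmd)
            if value_name.lower() == exe.lower() and "\\system32\\" in cmd.lower():
                findings.append(("O4", f"{hive} Run value named after its own file: {exe}"))
    return findings


# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ads1.revenue.net/l?site_id=11634&pplacement_id=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F851444-52D9-5636-1F36-03FEE90A8197} - C:\WINDOWS\system32\vJkqpLke.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
"""


def sample_findings():
    return triage(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for section, detail in sample_findings():
        print(section, detail)
```

The checker flags exactly the three lines didom asked to fix and leaves the Adobe BHO, the IntelliPoint Run entry and the ProxyOverride setting alone. The heuristics are deliberately narrow; anything they flag still needs a human to confirm, as in this thread.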

#3 boingo2000

boingo2000
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Location:Phoenix, AZ
  • Local time:08:38 PM

Posted 02 July 2007 - 10:14 PM

Hi! Thanks for your help. I ran through all the steps you suggested. Following are the HijackThis log, and then the Panda scan report (most of these look like cookies, but there is an sdexe.exe file that looks suspicious).

Logfile of HijackThis v1.99.1
Scan saved at 8:14:21 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System\CmFlywav.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\FolderShare\FolderShare.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack this\renamed analyze.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CmFlywaveName] C:\WINDOWS\System\CmFlywav.exe
O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Wireless-G Music Bridge\WMB54G.exe -R
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119588498062
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe





Incident Status Location

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@ads.pointroll[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@bs.serving-sys[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@com[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@findwhat[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@go[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@realmedia[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@serving-sys[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@tribalfusion[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Mitch\Cookies\mitch@ads.pointroll[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mitch\Cookies\mitch@com[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Mitch\Cookies\mitch@findwhat[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mitch\Cookies\mitch@questionmarket[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Mitch\Cookies\mitch@target[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mitch\Cookies\mitch@tribalfusion[2].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Mitch\Local Settings\Temp\sdexe.exe
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362860.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362861.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362862.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362863.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362867.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362868.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362869.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362870.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362871.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362874.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362875.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362876.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362877.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362878.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362882.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362883.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362884.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362885.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362886.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362889.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362890.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362891.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362892.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362893.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362896.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362897.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362898.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362899.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362900.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362904.TXT
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362909.TXT
Spyware:Cookie/RealMedia Not disinfected C:\RECYCLER\NPROTECT\00363165.TXT
Spyware:Cookie/RealMedia Not disinfected C:\RECYCLER\NPROTECT\00363166.TXT
Spyware:Cookie/RealMedia Not disinfected C:\RECYCLER\NPROTECT\00363191.TXT
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00363487.TXT
Spyware:Cookie/PointRoll Not disinfected C:\RECYCLER\NPROTECT\00363510.TXT
Spyware:Cookie/PointRoll Not disinfected C:\RECYCLER\NPROTECT\00363511.TXT
Spyware:Cookie/PointRoll Not disinfected C:\RECYCLER\NPROTECT\00363512.TXT
Spyware:Cookie/PointRoll Not disinfected C:\RECYCLER\NPROTECT\00363514.TXT
Spyware:Cookie/PointRoll Not disinfected C:\RECYCLER\NPROTECT\00363515.TXT
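The poster's own reading of the ActiveScan report (mostly tracking cookies, plus one executable worth a closer look) is the right way to sort such output, and it can be automated. Below is an added example, not Panda's or the thread's code; the report line format is assumed from the lines posted above, the status values other than "Not disinfected" are assumptions, and the sample report is constructed from a few of those lines. The C:\RECYCLER\NPROTECT\ entries are Norton Protected Recycle Bin copies of already deleted cookies, so they are counted separately rather than treated as live findings.

```python
"""Sort an ActiveScan-style report into cookies, recycle-bin copies and items needing attention."""
import re

# Assumed line shape: "<Kind>:<Family> <Status> <Path>"; only "Not disinfected" appears in the thread.
REPORT_LINE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<family>\S+) (?P<status>Not disinfected|Disinfected|Deleted) (?P<path>.+)$"
)


def parse_report(text):
    """Return one dict per recognised report line; header and blank lines are skipped."""
    return [m.groupdict() for m in (REPORT_LINE.match(ln.strip()) for ln in text.splitlines()) if m]


def summarize(items):
    """Split items into cookie hits, NPROTECT recycle-bin copies, and everything else."""
    summary = {"cookies": 0, "nprotect_copies": 0, "attention": []}
    for item in items:
        path_lower = item["path"].lower()
        if "\\recycler\\nprotect\\" in path_lower:
            summary["nprotect_copies"] += 1      # deleted-file copies kept by Norton Unerase
        elif item["family"].startswith("Cookie/"):
            summary["cookies"] += 1               # tracking cookies: nuisance, not an infection
        else:
            summary["attention"].append((item["kind"], item["family"], item["path"]))
    return summary


# Constructed sample built from lines in the report posted above.
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@ads.pointroll[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Mitch\Cookies\mitch@findwhat[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Mitch\Local Settings\Temp\sdexe.exe
Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\NPROTECT\00362860.TXT
Spyware:Cookie/RealMedia Not disinfected C:\RECYCLER\NPROTECT\00363165.TXT
"""


def sample_summary():
    return summarize(parse_report(SAMPLE_REPORT))


if __name__ == "__main__":
    s = sample_summary()
    print(f"{s['cookies']} cookie(s), {s['nprotect_copies']} recycle-bin copies")
    for kind, family, path in s["attention"]:
        print("needs attention:", kind, family, path)
```

On the sample this reports two cookies, two NPROTECT copies, and a single item needing attention: the PurityScan-classified sdexe.exe in the Temp folder, which is the file the poster singled out and which the next reply addresses.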

#4 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:38 AM

Posted 03 July 2007 - 05:20 AM

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

Ipwindows / ipwins
Oin
Outerinfo
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
MediaTickets by OIN
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

#5 boingo2000

boingo2000
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Location:Phoenix, AZ
  • Local time:08:38 PM

Posted 03 July 2007 - 09:21 AM

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

Ipwindows / ipwins
Oin
Outerinfo
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
MediaTickets by OIN
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.



None of those programs appeared in my Control Panel add/remove selections. When I went to d/l the Outerinfo uninstaller, I got a pop-up "Security Alert" message saying that my security settings don't allow download of that program - this happens even when I right-click on the link to do a "save target as...".

#6 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:38 AM

Posted 03 July 2007 - 09:25 AM

1. On the Internet Explorer 6 Tools menu, click Internet Options.
2. Click the Security tab, and then click the zone for which you want to change the security level.
3. Drag the slider to set the security level to Low.
4. Click OK and see if you can download it now.

#7 boingo2000

boingo2000
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Location:Phoenix, AZ
  • Local time:08:38 PM

Posted 03 July 2007 - 09:47 PM

1. On the Internet Explorer 6 Tools menu, click Internet Options.
2. Click the Security tab, and then click the zone for which you want to change the security level.
3. Drag the slider to set the security level to Low.
4. Click OK and see if you can download it now.



Hmm. I'm afraid IE won't let me change the security level....I get a pop-up error that says I need to have a level of medium or higher. Is there another setting within IE that's causing this, or is it some other program that won't let me change the settings?

Sorry for the complications. :thumbsup:

#8 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:38 AM

Posted 04 July 2007 - 09:58 AM

Well, it may be third-party software interfering.

The easiest way is to turn all your Antivirus software off, and try it again. You can also download it from another PC and transfer the file.

#9 boingo2000

boingo2000
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Location:Phoenix, AZ
  • Local time:08:38 PM

Posted 04 July 2007 - 11:13 AM

OK, I used Firefox to d/l the Outerinfo uninstaller (not sure why I didn't think of trying that before). When I ran it, nothing apparent happened...there was no message or anything, so I assume it just did something in the background? In any case, I followed the rest of your instructions. Following are the contents of the combofix file, and a new HJT log.

"Mitch" - 2007-07-04 8:55:09 - ComboFix 07-07-04.4 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Mitch\APPLIC~1.\sks~1
C:\DOCUME~1\Mitch\Desktop.\internet explorer.lnk
C:\DOCUME~1\Mitch\MYDOCU~1.\mcroso~1.net
C:\DOCUME~1\Mitch\MYDOCU~1.\sks~1
C:\DOCUME~1\Mitch\MYDOCU~1.\sks~2
C:\Program Files\winpop
C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\system32\scchk32.exe.bak


((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))


2007-07-04 08:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-02 18:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-25 21:17 <DIR> d-------- C:\DOCUME~1\Lisa\APPLIC~1\Walgreens
2007-06-25 21:08 <DIR> d-------- C:\hijack this
2007-06-25 19:41 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-23 18:04 <DIR> d-------- C:\DOCUME~1\Lisa\APPLIC~1\Lavasoft
2007-06-23 08:27 95 --a------ C:\DOCUME~1\Lisa\c.bat
2007-06-22 22:12 95 --a------ C:\DOCUME~1\Mitch\c.bat
2007-06-20 21:41 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-20 19:56 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-20 19:56 1,060,864 --a------ C:\WINDOWS\mfc71.dll
2007-06-20 19:12 <DIR> d-------- C:\DOCUME~1\Mitch\APPLIC~1\Uniblue
2007-06-17 12:34 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-17 12:34 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-17 12:34 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-17 12:34 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-17 12:34 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-17 12:33 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-17 12:33 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-17 12:33 <DIR> d-------- C:\DOCUME~1\Mitch\APPLIC~1\PC Tools
2007-06-16 00:07 <DIR> d-------- C:\WINDOWS\system32\pdrviofc
2007-06-15 23:34 82,708 --a------ C:\pdrviofc3.exe
2007-06-15 18:40 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-06-15 06:45 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-15 06:18 <DIR> d-------- C:\WINDOWS\system32\cogvvvmm


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 15:51:53 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-03 02:44:57 -------- d-----w C:\Program Files\Norton SystemWorks
2007-07-03 02:44:12 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-07-03 02:44:10 -------- d-----w C:\Program Files\Messenger
2007-07-03 02:43:26 -------- d-----w C:\Program Files\FolderShare
2007-07-03 02:38:47 -------- d-----w C:\Program Files\Bonjour
2007-06-30 14:38:48 -------- d-----w C:\Program Files\Symantec
2007-06-26 01:13:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-09 20:17:51 -------- d-----w C:\DOCUME~1\Mitch\APPLIC~1\AdobeUM
2007-05-30 02:49:22 -------- d-----w C:\DOCUME~1\Mitch\APPLIC~1\Move Networks
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 14:59:35 -------- d-----w C:\Program Files\ExtractNow
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
2002-11-15 00:09 112248 --a------ C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 16:41]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 16:11]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 16:11]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-06-23 21:38]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-25 14:28]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-01-15 10:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-25 18:01]
"Linksys WMB54G Utility"="C:\Program Files\Wireless-G Music Bridge\WMB54G.exe" [2006-02-20 01:47]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ATI Launchpad"="" []
"FolderShare"="C:\Program Files\FolderShare\FolderShare.exe" [2005-06-19 21:48]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 09:52]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]


Contents of the 'Scheduled Tasks' folder
2007-06-30 14:35:27 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-06-30 14:35:42 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-07-04 16:02:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-04 09:02:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R??o?u?r?c?e?\?D?e?t?e?c?t?o?r?\?C?T?D?e?t?e?c?t?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-04 9:03:57
C:\ComboFix-quarantined-files.txt ... 2007-07-04 09:03

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 9:13:39 AM, on 7/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\FolderShare\FolderShare.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijack this\renamed analyze.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Wireless-G Music Bridge\WMB54G.exe -R
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119588498062
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 didom

didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 04 July 2007 - 11:45 AM

  • Make sure all hidden files are showing
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
  • Click on the submit button
  • Please post the results in your next reply.
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

File::
C:\DOCUME~1\Lisa\c.bat
C:\DOCUME~1\Mitch\c.bat
C:\pdrviofc3.exe

Folder::
C:\WINDOWS\system32\pdrviofc
C:\WINDOWS\system32\cogvvvmm

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please post the log from the ComboFix scan located at C:\ComboFix.txt together with the Jotti results.
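A parser and triage script for the HijackThis O-lines and the ComboFix Run-key entries quoted in this thread, which then drafts a CFScript in the File::/Registry:: layout shown above from what it finds. This is an added example, not code from the thread, HijackThis or ComboFix; the sample log lines are constructed (the "updater" and "pdrviofc" value names are invented) and the triage rules are the editor's own heuristics, not either tool's logic.

```python
"""Triage HijackThis O-lines and ComboFix 'Reg Loading Points' Run values, then draft a
CFScript in the File::/Registry:: layout shown above.  Added example, not code from the
thread, HijackThis or ComboFix; the sample log lines are constructed."""
import re
from collections import namedtuple

# section: HijackThis code ("O4", "O10", ...; ComboFix Run values map to "O4"); path: "" when
# the entry carries no command; key: full Run key for Run values, "" for other sections
Entry = namedtuple("Entry", "section name path key")

RUN_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
EXEC_EXT = ("exe", "dll", "bat", "cmd", "vbs", "js", "scr", "pif", "com")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".scr", ".pif")
HJT_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
HJT_ANY = re.compile(r"^(?P<code>O\d+) - (?P<body>.*)$")
CF_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
CF_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)" \[[^\]]*\]$')
# a quoted path, or a drive-rooted path that ends in an executable extension
PATH_RE = re.compile(r'"([^"]+)"|([a-z]:\\\S.*?\.(?:%s))(?=\s|$)' % "|".join(EXEC_EXT), re.I)
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.I)
USER_ROOT = re.compile(r"^[a-z]:\\(?:docume~1|documents and settings|users)\\[^\\]+\\[^\\]+$", re.I)

# Constructed sample lines modelled on the logs in this thread ("updater" is invented).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\Mitch\c.bat
O4 - HKCU\..\Run: [pdrviofc] C:\pdrviofc3.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
"""
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"FolderShare"="C:\Program Files\FolderShare\FolderShare.exe" [2005-06-19 21:48]
"""

def extract_path(text):
    """First quoted or drive-rooted executable path in text; "" if there is none."""
    m = PATH_RE.search(text)
    if m:
        return m.group(1) or m.group(2)
    first = text.split(None, 1)[0] if text.strip() else ""
    return first if first.lower().endswith(tuple("." + x for x in EXEC_EXT)) else ""

def parse_hjt(log):
    entries = []
    for line in log.splitlines():
        if m := HJT_O4.match(line):
            key = HIVES.get(m["hive"], m["hive"]) + RUN_KEY
            entries.append(Entry("O4", m["name"], extract_path(m["cmd"]), key))
        elif m := HJT_ANY.match(line):
            entries.append(Entry(m["code"], m["body"].split(" - ")[0], extract_path(m["body"]), ""))
    return entries

def parse_combofix_run(section):
    """Run values from a ComboFix 'Reg Loading Points' block, as O4 entries."""
    entries, key = [], ""
    for line in section.splitlines():
        if k := CF_KEY.match(line):
            key = k["key"]
        elif (v := CF_VALUE.match(line)) and key.lower().endswith(r"\run"):
            entries.append(Entry("O4", v["name"], v["path"], key))
    return entries

def triage(entries):
    """(entry, reason) pairs for the kinds of entries the helper in this thread acted on."""
    findings = []
    for e in entries:
        if e.section == "O4" and not e.path:
            findings.append((e, "empty-command"))     # like "@"="" in the log above
        elif e.section == "O4" and e.path.lower().endswith(SCRIPT_EXT):
            findings.append((e, "script-autostart"))  # like the c.bat files
        elif e.section == "O4" and (DRIVE_ROOT.match(e.path) or USER_ROOT.match(e.path)):
            findings.append((e, "root-location"))     # like C:\pdrviofc3.exe
        elif e.section == "O10":
            findings.append((e, "unknown-lsp"))       # an LSP HijackThis cannot attribute
    return findings

def draft_cfscript(findings):
    """CFScript text (File:: then Registry::; "name"=- deletes a value, "@" is the default)."""
    files, reg = [], {}
    for e, reason in findings:
        if reason in ("script-autostart", "root-location"):
            files.append(e.path)
        elif reason == "empty-command" and e.key:
            reg.setdefault(e.key, []).append(e.name)
    out = ["File::", *files, ""] if files else []
    if reg:
        out.append("Registry::")
        for key, names in reg.items():
            out += [f"[{key}]", *(f'"{n}"=-' for n in names)]
        out.append("")
    return "\n".join(out)

def analyze(hjt=SAMPLE_HJT, combofix=SAMPLE_COMBOFIX):
    return triage(parse_hjt(hjt) + parse_combofix_run(combofix))
```

The draft is only a starting point: a helper still checks each flagged path (the thread's Jotti scan is one such check) before the script is dragged onto ComboFix.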

#11 boingo2000

boingo2000
  • Topic Starter

  • Members
  • 24 posts
  • Location:Phoenix, AZ

Posted 05 July 2007 - 09:51 PM

The Jotti scan indicated no issues.

When I ran ComboFix per your instructions, it started fine and I left the room....but when I came back in a few minutes later, my system was hung up and my desktop icons were all gone, so I had to reboot. When I rebooted, there was a new Combofix.txt file, so I assumed it finished and then just died when it tried to reboot or something. In any case, here's the resulting text:

"Mitch" - 2007-07-05 19:32:27 - ComboFix 07-07-04.4 - Service Pack 2
Command switches used :: C:\Documents and Settings\Mitch\Desktop\cfscript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Lisa\c.bat
C:\DOCUME~1\Mitch\c.bat
C:\pdrviofc3.exe
C:\WINDOWS\system32\cogvvvmm
C:\WINDOWS\system32\cogvvvmm\bg1.gif
C:\WINDOWS\system32\cogvvvmm\bgtop.gif
C:\WINDOWS\system32\cogvvvmm\bottom1.gif
C:\WINDOWS\system32\cogvvvmm\essentials.gif
C:\WINDOWS\system32\cogvvvmm\icon1.ico
C:\WINDOWS\system32\cogvvvmm\install1.gif
C:\WINDOWS\system32\cogvvvmm\left1.gif
C:\WINDOWS\system32\cogvvvmm\li.gif
C:\WINDOWS\system32\cogvvvmm\logo.gif
C:\WINDOWS\system32\cogvvvmm\main.htm
C:\WINDOWS\system32\cogvvvmm\mainframe.htm
C:\WINDOWS\system32\cogvvvmm\reinstall1.gif
C:\WINDOWS\system32\cogvvvmm\right1.gif
C:\WINDOWS\system32\cogvvvmm\s1.htm
C:\WINDOWS\system32\cogvvvmm\s2.htm
C:\WINDOWS\system32\cogvvvmm\s3.htm
C:\WINDOWS\system32\cogvvvmm\SMTop1.gif
C:\WINDOWS\system32\cogvvvmm\SMTop2.gif
C:\WINDOWS\system32\cogvvvmm\SMTop3.gif
C:\WINDOWS\system32\cogvvvmm\SMTop4.gif
C:\WINDOWS\system32\cogvvvmm\soft1_off.gif
C:\WINDOWS\system32\cogvvvmm\soft1_off_ext.gif
C:\WINDOWS\system32\cogvvvmm\soft1_on.gif
C:\WINDOWS\system32\cogvvvmm\soft1_on_ext.gif
C:\WINDOWS\system32\cogvvvmm\soft2_off.gif
C:\WINDOWS\system32\cogvvvmm\soft2_off_ext.gif
C:\WINDOWS\system32\cogvvvmm\soft2_on.gif
C:\WINDOWS\system32\cogvvvmm\soft2_on_ext.gif
C:\WINDOWS\system32\cogvvvmm\soft3_off.gif
C:\WINDOWS\system32\cogvvvmm\soft3_off_ext.gif
C:\WINDOWS\system32\cogvvvmm\soft3_on.gif
C:\WINDOWS\system32\cogvvvmm\soft3_on_ext.gif
C:\WINDOWS\system32\cogvvvmm\softbottom_off.gif
C:\WINDOWS\system32\cogvvvmm\softbottom_on.gif
C:\WINDOWS\system32\cogvvvmm\softleft_off.gif
C:\WINDOWS\system32\cogvvvmm\softleft_on.gif
C:\WINDOWS\system32\cogvvvmm\top1.gif
C:\WINDOWS\system32\cogvvvmm\top2.gif
C:\WINDOWS\system32\cogvvvmm\turnoff1.gif
C:\WINDOWS\system32\cogvvvmm\turnon1.gif
C:\WINDOWS\system32\pdrviofc
C:\WINDOWS\system32\pdrviofc\bg1.gif
C:\WINDOWS\system32\pdrviofc\bgtop.gif
C:\WINDOWS\system32\pdrviofc\bottom1.gif
C:\WINDOWS\system32\pdrviofc\essentials.gif
C:\WINDOWS\system32\pdrviofc\icon1.ico
C:\WINDOWS\system32\pdrviofc\install1.gif
C:\WINDOWS\system32\pdrviofc\left1.gif
C:\WINDOWS\system32\pdrviofc\li.gif
C:\WINDOWS\system32\pdrviofc\logo.gif
C:\WINDOWS\system32\pdrviofc\main.htm
C:\WINDOWS\system32\pdrviofc\mainframe.htm
C:\WINDOWS\system32\pdrviofc\reinstall1.gif
C:\WINDOWS\system32\pdrviofc\right1.gif
C:\WINDOWS\system32\pdrviofc\s1.htm
C:\WINDOWS\system32\pdrviofc\s2.htm
C:\WINDOWS\system32\pdrviofc\s3.htm
C:\WINDOWS\system32\pdrviofc\SMTop1.gif
C:\WINDOWS\system32\pdrviofc\SMTop2.gif
C:\WINDOWS\system32\pdrviofc\SMTop3.gif
C:\WINDOWS\system32\pdrviofc\SMTop4.gif
C:\WINDOWS\system32\pdrviofc\soft1_off.gif
C:\WINDOWS\system32\pdrviofc\soft1_off_ext.gif
C:\WINDOWS\system32\pdrviofc\soft1_on.gif
C:\WINDOWS\system32\pdrviofc\soft1_on_ext.gif
C:\WINDOWS\system32\pdrviofc\soft2_off.gif
C:\WINDOWS\system32\pdrviofc\soft2_off_ext.gif
C:\WINDOWS\system32\pdrviofc\soft2_on.gif
C:\WINDOWS\system32\pdrviofc\soft2_on_ext.gif
C:\WINDOWS\system32\pdrviofc\soft3_off.gif
C:\WINDOWS\system32\pdrviofc\soft3_off_ext.gif
C:\WINDOWS\system32\pdrviofc\soft3_on.gif
C:\WINDOWS\system32\pdrviofc\soft3_on_ext.gif
C:\WINDOWS\system32\pdrviofc\softbottom_off.gif
C:\WINDOWS\system32\pdrviofc\softbottom_on.gif
C:\WINDOWS\system32\pdrviofc\softleft_off.gif
C:\WINDOWS\system32\pdrviofc\softleft_on.gif
C:\WINDOWS\system32\pdrviofc\top1.gif
C:\WINDOWS\system32\pdrviofc\top2.gif
C:\WINDOWS\system32\pdrviofc\turnoff1.gif
C:\WINDOWS\system32\pdrviofc\turnon1.gif


((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


2007-07-04 08:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-02 18:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-25 21:17 <DIR> d-------- C:\DOCUME~1\Lisa\APPLIC~1\Walgreens
2007-06-25 21:08 <DIR> d-------- C:\hijack this
2007-06-25 19:41 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-23 18:04 <DIR> d-------- C:\DOCUME~1\Lisa\APPLIC~1\Lavasoft
2007-06-20 21:41 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-20 19:56 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-20 19:56 1,060,864 --a------ C:\WINDOWS\mfc71.dll
2007-06-20 19:12 <DIR> d-------- C:\DOCUME~1\Mitch\APPLIC~1\Uniblue
2007-06-17 12:34 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-17 12:34 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-17 12:34 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-17 12:34 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-17 12:34 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-17 12:33 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-17 12:33 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-17 12:33 <DIR> d-------- C:\DOCUME~1\Mitch\APPLIC~1\PC Tools
2007-06-15 18:40 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-06-15 06:45 <DIR> d-------- C:\Program Files\Enigma Software Group


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 18:17:28 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-03 02:44:57 -------- d-----w C:\Program Files\Norton SystemWorks
2007-07-03 02:44:12 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-07-03 02:44:10 -------- d-----w C:\Program Files\Messenger
2007-07-03 02:43:26 -------- d-----w C:\Program Files\FolderShare
2007-07-03 02:38:47 -------- d-----w C:\Program Files\Bonjour
2007-06-30 14:38:48 -------- d-----w C:\Program Files\Symantec
2007-06-26 01:13:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-09 20:17:51 -------- d-----w C:\DOCUME~1\Mitch\APPLIC~1\AdobeUM
2007-05-30 02:49:22 -------- d-----w C:\DOCUME~1\Mitch\APPLIC~1\Move Networks
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 14:59:35 -------- d-----w C:\Program Files\ExtractNow
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
2002-11-15 00:09 112248 --a------ C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 16:41]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 16:11]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 16:11]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-06-23 21:38]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-25 14:28]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-01-15 10:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-25 18:01]
"Linksys WMB54G Utility"="C:\Program Files\Wireless-G Music Bridge\WMB54G.exe" [2006-02-20 01:47]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ATI Launchpad"="" []
"FolderShare"="C:\Program Files\FolderShare\FolderShare.exe" [2005-06-19 21:48]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 09:52]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]


Contents of the 'Scheduled Tasks' folder
2007-06-30 14:35:27 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-06-30 14:35:42 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-07-06 02:37:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-05 19:40:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R??o?u?r?c?e?\?D?e?t?e?c?t?o?r?\?C?T?D?e?t?e?c?t?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-05 19:41:20
C:\ComboFix-quarantined-files.txt ... 2007-07-05 19:40

--- E O F ---

#12 didom

didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 06 July 2007 - 11:12 AM

How is your system running now? Do you still have any problems?

#13 boingo2000

boingo2000
  • Topic Starter

  • Members
  • 24 posts
  • Location:Phoenix, AZ

Posted 07 July 2007 - 09:00 AM

Everything seems fine. The Google problem actually seemed to be fixed after the first round of fixes you suggested. I assume everything looks clean then? Thanks very much for your help!

#14 didom

didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 08 July 2007 - 04:21 AM

This log looks clean!
  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
    • Turn off System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • Check "Turn off System Restore".
      • Click Apply, and then click OK.
    • Reboot your computer.
    • Turn ON System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • UN-Check "Turn off System Restore".
      • Click Apply, and then click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

    Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

    Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. If you are running Windows XP make sure you get updated to SP-2!!

    Please post back if you are still having any problems....