-
Browser Search Redirect Issue
Hi,
I am having problems with browser search redirects when using Google or Microsoft search bars. The problem doesn't seem to be restricted to just these two search engine bars.
The symptom is that when browsing to some of the sites in the search results, I get to unexpected locations even when the site link URL's are good.
I am running Norton AV 2009, and have Spybot S&D and Teatimer running.
After I found the symptoms I downloaded and ran Malwarebytes Anti-malware tool, ad-ware and Super AntiSpyware 4.26.1004. Each found some cookies that were suspect, and I removed them. However the problem is still around.
The main browser I found this with is IE8 but I see it in Firefox 3.0.11 too.
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:56:23, on 13/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MRTW.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: BrowserConnector Object - {B24A5F3C-E1D2-4ee6-8A3F-4B19D0DAF1A2} - C:\WINDOWS\system32\battx.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1232286679765
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\DMINTFG.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: System kernel integrity service (Uha10kx2kO) (Ytfsnudfa) - SearchHelp, Inc. - C:\WINDOWS\system32\MRTW.exe
--
End of file - 10394 bytes
Many thanks for any help,
Mark
-
Hello and Welcome to forums!
My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
- I will be working on your Malware issues this may or may not solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine.
- I f you don't know or understand something please don't hesitate to ask.
- Please DO NOT run any other tools or scans whilst I am helping you.
- It is important that you reply to this thread. Do not start a new topic.
- Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
- Absence of symptoms does not mean that everything is clear.
No Reply Within 5 Days Will Result In Your Topic Being Closed!!
-
STEP 1
Download DDS
Please download DDS by sUBs from one of the links below and save it to your desktop:
Download DDS and save it to your desktop from:
Link1
Link2
Link3
Please disable any anti-malware program that will block scripts from running before running DDS.
- Double-Click on dds.scr and a command window will appear. This is normal.
- Shortly after two logs will appear:
- A window will open instructing you save & post the logs
- Save the logs to a convenient place such as your desktop
- Copy the contents of both logs & post in your next reply
STEP 2
RootRepeal - Rootkit Detector
Download RootRepeal.zip and unzip it to your Desktop.
- Double click RootRepeal.exe to start the program
- Click on the Report tab at the bottom of the program window
- Clickthe Scan button
- In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
- Click the OK button
- In the next dialog, select all drives showing
- Click OK to start the scan
The scan can take some time. DO NOT run any other programs while the scan is running
- When the scan is complete, the Save Report button will become available
- Click this and save the report to your Desktop as RootRepeal.txt
- Go to File, then Exit to close the program
Next Reply
Please reply with:
- DDS.txt
- Attach.txt
- RootRepeal.txt
-
Browser Search Redirect Issue
Hi and thanks for your support,
DDS.TXT
DDS (Ver_09-05-14.01) - NTFSx86
Run by Mark at 10:20:58.62 on 14/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.383 [GMT 1:00]
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\MRTW.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mark\My Downloads\dds.scr
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: BrowserConnector Object: {b24a5f3c-e1d2-4ee6-8a3f-4b19d0daf1a2} - c:\windows\system32\battx.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [LXBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBUtime.dll,_RunDLLEntry@16
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\mark\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232286679765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\DMINTFG.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\o5t3nuj1.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\mozilla firefox\components\battxf.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-12 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-3-23 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-3-23 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-3-23 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090610.006\IDSXpx86.sys [2009-6-12 276344]
R1 IpFilterDrivery;Remote Procedure Call RT4s (PtilinkV);c:\windows\system32\HIMEMR.SYS [2009-5-13 24704]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 Uha10kx2k;System kernel configuration (VSparrow);c:\windows\system32\NTIOLE404.SYS [2009-5-13 38912]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-25 55152]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-3-23 115560]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 Ytfsnudfa;System kernel integrity service (Uha10kx2kO);c:\windows\system32\MRTW.exe [2009-5-13 276992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-3 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090613.003\NAVENG.SYS [2009-6-13 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090613.003\NAVEX15.SYS [2009-6-13 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
=============== Created Last 30 ================
2009-06-13 17:22 <DIR> --d----- C:\fixwareout
2009-06-13 16:10 <DIR> -cd-h--- c:\windows\ie8
2009-06-12 23:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-12 23:09 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-12 23:09 <DIR> --d----- c:\docume~1\mark\applic~1\SUPERAntiSpyware.com
2009-06-12 23:08 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-12 22:52 <DIR> --d----- c:\program files\Trend Micro
2009-06-12 21:52 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-12 21:39 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-12 21:38 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-12 21:38 <DIR> --d----- c:\program files\Lavasoft
2009-06-11 22:40 <DIR> --d----- c:\docume~1\mark\applic~1\Malwarebytes
2009-06-11 22:40 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 22:40 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-11 22:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 22:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-11 14:58 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 14:58 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 13:48 <DIR> --d--r-- c:\program files\Norton Support
2009-06-08 22:37 <DIR> --d----- c:\program files\common files\DivX Shared
2009-06-08 20:43 <DIR> --d----- c:\program files\Free Video Joiner
2009-06-02 11:16 <DIR> --d----- c:\program files\iPod
2009-06-02 11:16 <DIR> --d----- c:\program files\iTunes
2009-05-30 11:31 <DIR> --dsh--- c:\documents and settings\mark\IECompatCache
2009-05-30 11:29 <DIR> --dsh--- c:\documents and settings\mark\PrivacIE
2009-05-29 22:28 <DIR> --dsh--- c:\documents and settings\mark\IETldCache
2009-05-29 22:25 <DIR> --d----- c:\windows\ie8updates
2009-05-29 22:25 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-25 17:48 48,128 a------- C:\pclips.exe
==================== Find3M ====================
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 21:19 9,952 a------- c:\windows\system32\secrd.dat
2009-05-13 21:19 9,952 a------- c:\windows\system32\sbnetkey.sys
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 06:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 06:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-05 18:33 244,224 a------- c:\windows\system32\wiaservca.dll
2009-05-05 18:33 244,224 a------- c:\windows\system32\cdmg.dll
2009-05-05 18:33 211,968 a------- c:\windows\system32\framebufo.dll
2009-05-05 18:33 211,968 a------- c:\windows\system32\elsi.dll
2009-05-05 18:33 244,224 a------- c:\windows\system32\msacmlt32.dll
2009-05-05 18:33 244,224 a------- c:\windows\system32\kernelf32.dll
2009-05-05 18:33 62,976 a------- c:\windows\system32\dsuiextp.dll
2009-05-05 18:33 62,976 a------- c:\windows\system32\CTEMUPIAD.DLL
2009-05-05 18:33 150,528 a------- c:\windows\system32\offfiltr.dll
2009-05-05 18:33 150,528 a------- c:\windows\system32\KPDPMUII.dll
2009-05-05 18:31 181,760 a------- c:\windows\system32\mtxocih.dll
2009-05-01 22:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 22:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 22:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 22:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 22:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-30 22:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 22:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 22:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 22:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 22:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 12:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-04-14 17:50 4,286 a------- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}w.dat
2009-04-14 17:50 4,286 a------- c:\windows\system32\ctdlangi.dat
2009-04-14 17:49 294,912 a------- c:\windows\system32\msacml32.dll
2009-04-14 17:49 294,912 a------- c:\windows\system32\mmcshexth.dll
2009-03-23 18:22 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
============= FINISH: 10:24:01.51 ===============
ATTACH.TXT and RootRepeal.TXT are included as attachments.
Thanks,
-
Use of P2P (Person to Person) file sharing programs
I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
µTorrent
Please read HERE the Safer Networking Forums policy on the use of P2P file sharing programs. Please remove it before we can continue any further. Post back when you have done it so we can continue the cleaning process.
NOTE: Even if you are using a safe P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
-
Browser Search Redirect Issue
OK, I removed uTorrent ...
-
-
Browser Search Redirect Issue
Hi Bio-Hazard,
OK, all done. Below is the HJT log, and attached is the ComboFix log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26:36, on 14/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MRTW.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: BrowserConnector Object - {B24A5F3C-E1D2-4ee6-8A3F-4B19D0DAF1A2} - C:\WINDOWS\system32\battx.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1232286679765
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\WINDOWS\SYSTEM32\DMINTFG.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: System kernel integrity service (Uha10kx2kO) (Ytfsnudfa) - SearchHelp, Inc. - C:\WINDOWS\system32\MRTW.exe
--
End of file - 10514 bytes
ComboFix 09-06-13.09 - Mark 14/06/2009 21:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.692 [GMT 1:00]
Running from: c:\documents and settings\Mark\My Downloads\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\SKYNETydvkbgrn.sys
c:\windows\system32\ippromonr.dll
c:\windows\system32\mtxocih.dll
c:\windows\system32\netapip32.dll
c:\windows\system32\SKYNETejklydtt.dll
c:\windows\system32\SKYNETtqodnyha.dll
c:\windows\system32\SKYNETvcbpvakj.dat
c:\windows\system32\SKYNETvpojjsdt.dat
c:\windows\system32\dnsapim.dll
c:\windows\system32\drivers\SKYNETydvkbgrn.sys
c:\windows\system32\KBDHELAS3.DLL
c:\windows\system32\scarddlgm.dll
c:\windows\system32\SKYNETejklydtt.dll
c:\windows\system32\SKYNETtqodnyha.dll
c:\windows\system32\SKYNETvcbpvakj.dat
c:\windows\system32\SKYNETvpojjsdt.dat
G:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETvpacmxgu
((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.
2009-06-14 21:04 . 2009-03-12 09:03 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-06-13 19:54 . 2009-06-13 19:54 -------- d-----w- c:\program files\ERUNT
2009-06-13 16:22 . 2009-06-13 16:37 -------- d-----w- C:\fixwareout
2009-06-13 15:10 . 2009-06-13 15:10 -------- dc-h--w- c:\windows\ie8
2009-06-12 22:32 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\Scxpx86.dll
2009-06-12 22:32 . 2009-01-29 21:50 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSXpx86.sys
2009-06-12 22:32 . 2009-01-29 21:50 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSvix86.sys
2009-06-12 22:32 . 2009-01-29 21:50 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSxpx86.dll
2009-06-12 22:32 . 2009-01-29 21:50 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSviA64.sys
2009-06-12 22:09 . 2009-06-14 21:05 117760 ----a-w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-12 22:09 . 2009-06-12 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-12 22:09 . 2009-06-12 22:09 65024 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-06-12 22:09 . 2009-06-12 22:09 18944 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-06-12 22:09 . 2009-06-12 22:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-12 22:09 . 2009-06-12 22:09 -------- d-----w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
2009-06-12 22:08 . 2009-06-12 22:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-12 21:52 . 2009-06-12 21:52 -------- d-----w- c:\program files\Trend Micro
2009-06-12 20:52 . 2009-06-12 20:39 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-12 20:38 . 2009-06-12 20:38 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-12 20:38 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-12 20:38 . 2009-06-12 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-12 20:38 . 2009-06-12 20:38 -------- d-----w- c:\program files\Lavasoft
2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes
2009-06-11 21:40 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-11 21:40 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 17:38 . 2009-06-11 17:38 -------- d-----w- c:\documents and settings\Angel\Local Settings\Application Data\Symantec
2009-06-11 14:43 . 2009-06-11 14:43 1915520 ----a-w- c:\documents and settings\Mark\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-11 13:58 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 13:58 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 12:48 . 2009-06-10 12:48 -------- d-----r- c:\program files\Norton Support
2009-06-10 12:47 . 2009-06-10 12:47 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\Symantec
2009-06-10 09:57 . 2009-06-10 09:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-10 07:54 . 2009-06-10 07:54 152576 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-08 21:42 . 2009-06-08 21:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-08 21:37 . 2009-06-08 21:38 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-08 20:44 . 2009-06-08 20:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-08 19:43 . 2009-06-13 18:32 -------- d-----w- c:\program files\Free Video Joiner
2009-06-08 19:27 . 2009-06-08 19:27 -------- d-sh--w- c:\documents and settings\Lourdes\IETldCache
2009-06-08 19:03 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\Scxpx86.dll
2009-06-08 19:03 . 2009-01-29 21:50 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSXpx86.sys
2009-06-08 19:03 . 2009-01-29 21:50 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSvix86.sys
2009-06-08 19:03 . 2009-01-29 21:50 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSxpx86.dll
2009-06-08 19:03 . 2009-01-29 21:50 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSviA64.sys
2009-06-05 15:38 . 2009-06-05 15:38 -------- d-sh--w- c:\documents and settings\Angel\PrivacIE
2009-06-02 10:16 . 2009-06-02 10:16 -------- d-----w- c:\program files\iPod
2009-06-02 10:16 . 2009-06-02 10:17 -------- d-----w- c:\program files\iTunes
2009-06-02 10:13 . 2009-06-02 10:14 -------- d-----w- c:\program files\QuickTime
2009-06-02 10:08 . 2009-06-02 10:08 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-30 19:11 . 2009-05-30 19:11 -------- d-sh--w- c:\documents and settings\Angel\IETldCache
2009-05-30 10:31 . 2009-05-30 10:31 -------- d-sh--w- c:\documents and settings\Mark\IECompatCache
2009-05-30 10:29 . 2009-05-30 10:29 -------- d-sh--w- c:\documents and settings\Mark\PrivacIE
2009-05-29 21:28 . 2009-05-29 21:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-05-29 21:28 . 2009-05-29 21:28 -------- d-sh--w- c:\documents and settings\Mark\IETldCache
2009-05-29 21:25 . 2009-06-13 14:46 -------- d-----w- c:\windows\ie8updates
2009-05-29 21:25 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-05-29 21:13 . 2009-05-29 21:13 39552 ----a-w- c:\documents and settings\Lourdes\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-29 21:09 . 2009-05-29 21:09 -------- d-----w- c:\documents and settings\Lourdes\Local Settings\Application Data\BVRP Software
2009-05-25 16:48 . 2009-05-25 16:48 48128 ----a-w- C:\pclips.exe
2009-05-20 22:37 . 2009-05-20 22:37 -------- d-----w- c:\documents and settings\Lourdes\Local Settings\Application Data\Apple Computer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 21:02 . 2005-03-04 11:56 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-06-14 21:02 . 2005-03-04 11:56 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-06-14 21:02 . 2009-05-13 23:30 67 ----a-w- c:\windows\system32\sysdnc.dat
2009-06-14 12:54 . 2009-02-07 23:02 -------- d-----w- c:\documents and settings\Mark\Application Data\uTorrent
2009-06-13 16:24 . 2009-01-24 17:21 -------- d-----w- c:\program files\Lx_cats
2009-06-11 17:42 . 2009-02-14 11:38 1 ----a-w- c:\documents and settings\Angel\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-11 13:01 . 2009-01-18 14:27 -------- d-----w- c:\program files\Binary News Reaper
2009-06-10 11:58 . 2009-02-24 20:44 -------- d-----w- c:\documents and settings\Mark\Application Data\DivX
2009-06-10 07:55 . 2005-03-04 11:54 -------- d-----w- c:\program files\Java
2009-06-09 20:42 . 2009-01-27 21:11 1 ----a-w- c:\documents and settings\Mark\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-08 21:47 . 2009-03-04 19:28 -------- d-----w- c:\program files\Google
2009-06-08 21:42 . 2009-02-17 20:11 -------- d-----w- c:\program files\DivX
2009-06-08 20:36 . 2009-05-04 16:54 -------- d-----w- c:\program files\Join
2009-06-02 10:16 . 2009-01-18 13:51 -------- d-----w- c:\program files\Common Files\Apple
2009-05-21 10:33 . 2009-02-27 20:32 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 23:28 . 2009-05-13 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-13 23:25 . 2009-05-13 23:25 -------- d-----w- c:\program files\Bonjour
2009-05-13 20:19 . 2009-04-14 16:49 9952 ----a-w- c:\windows\system32\secrd.dat
2009-05-13 20:19 . 2009-01-18 11:04 9952 ----a-w- c:\windows\system32\sbnetkey.sys
2009-05-13 05:15 . 2004-08-04 05:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 18:54 . 2009-05-12 18:54 -------- d-----w- c:\documents and settings\Lourdes\Application Data\ArcSoft
2009-05-07 16:44 . 2009-02-25 16:04 39552 ----a-w- c:\documents and settings\Angel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-07 15:32 . 2004-08-04 05:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:35 . 2005-03-04 11:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-05 17:33 . 2009-05-13 20:17 244224 ----a-w- c:\windows\system32\wiaservca.dll
2009-05-05 17:33 . 2009-05-13 20:17 244224 ----a-w- c:\windows\system32\cdmg.dll
2009-05-05 17:33 . 2009-05-13 20:17 211968 ----a-w- c:\windows\system32\framebufo.dll
2009-05-05 17:33 . 2009-05-13 20:17 211968 ----a-w- c:\windows\system32\elsi.dll
2009-05-05 17:33 . 2009-05-13 20:17 244224 ----a-w- c:\windows\system32\msacmlt32.dll
2009-05-05 17:33 . 2009-05-13 20:17 244224 ----a-w- c:\windows\system32\kernelf32.dll
2009-05-05 17:33 . 2009-05-13 20:17 62976 ----a-w- c:\windows\system32\dsuiextp.dll
2009-05-05 17:33 . 2009-05-13 20:17 62976 ----a-w- c:\windows\system32\CTEMUPIAD.DLL
2009-05-05 17:33 . 2009-05-13 20:17 150528 ----a-w- c:\windows\system32\offfiltr.dll
2009-05-05 17:33 . 2009-05-13 20:17 150528 ----a-w- c:\windows\system32\KPDPMUII.dll
2009-05-05 17:31 . 2009-05-13 20:17 276992 ----a-w- c:\windows\system32\MRTW.exe
2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-17 12:26 . 2004-08-04 05:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 05:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 16:50 . 2009-05-13 20:17 4286 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}w.dat
2009-04-14 16:50 . 2009-05-13 20:17 4286 ----a-w- c:\windows\system32\ctdlangi.dat
2009-04-14 16:49 . 2009-05-13 20:17 294912 ----a-w- c:\windows\system32\msacml32.dll
2009-04-14 16:49 . 2009-05-13 20:17 294912 ----a-w- c:\windows\system32\mmcshexth.dll
2009-04-12 11:58 . 2009-01-18 00:03 39552 ----a-w- c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 20:18 . 2009-02-27 17:09 1915520 ----a-w- c:\documents and settings\Angel\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-04-01 19:01 . 2009-04-01 19:01 152576 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-23 17:22 . 2009-03-10 23:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-03-23 17:22 . 2009-03-10 23:08 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 15:32 . 2009-01-18 13:56 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-05 17:31 . 2009-05-13 20:22 74752 ----a-w- c:\program files\mozilla firefox\components\battxf.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B24A5F3C-E1D2-4ee6-8A3F-4B19D0DAF1A2}]
2009-05-05 17:32 141312 ----a-w- c:\windows\SYSTEM32\battx.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-26 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 69632]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-12 518488]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Angel\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
c:\documents and settings\Mark\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\DMINTFG.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IpFilterDrivery]
@="Base"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uha10kx2k]
@="Base"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ytfsnudfa]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Mark\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [12/06/2009 21:39 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\SymEFA.sys [23/03/2009 18:22 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\BHDrvx86.sys [23/03/2009 18:22 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\cchpx86.sys [23/03/2009 17:55 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSXpx86.sys [12/06/2009 23:32 276344]
R1 IpFilterDrivery;Remote Procedure Call RT4s (PtilinkV);c:\windows\SYSTEM32\HIMEMR.SYS [13/05/2009 21:17 24704]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 72944]
R1 Uha10kx2k;System kernel configuration (VSparrow);c:\windows\SYSTEM32\NTIOLE404.SYS [13/05/2009 21:17 38912]
R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [25/02/2009 17:16 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1005904]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [23/03/2009 18:22 115560]
R2 Ytfsnudfa;System kernel integrity service (Uha10kx2kO);c:\windows\SYSTEM32\MRTW.exe [13/05/2009 21:17 276992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [03/05/2009 00:26 101936]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 7408]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:39]
2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-14 22:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
c:\docume~1\Mark\LOCALS~1\Temp\pcf1.tmp 533 bytes
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(984)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(1188)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-14 22:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-14 21:15
Pre-Run: 85,339,299,840 bytes free
Post-Run: 85,777,125,376 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
314 --- E O F --- 2009-06-11 14:21
Thanks,
Mark
Last edited by Bio-Hazard; 2009-06-15 at 00:05.
Reason: Added combofix log for easy reading
-
I'd like you to check (a file/some files) for Viruses.
c:\windows\SYSTEM32\DMINTFG.DLL
C:\pclips.exe
- Copy/Paste the first file on the list into the white Upload a file box.
- Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
- After a while, a window will open, with details of what the scans found.
- Copy and Paste results in your next reply.
- Repeat for all files on the list, and post me the details please
ATF-Cleaner
Please download ATF Cleaner by Atribune.
- Save it to your desktop
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
If you use Firefox browser - Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords please click No at the prompt. - Click Exit on the Main menu to close the program.
Kaspersky Online Scan
You can use either Internet Explorer or Mozilla FireFox for this scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
- Please go to Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
- Please post this log in your next reply along with a fresh HijackThis log.
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
- Virustotal or Jotti results
- Kaspersky Log
- A fresh HijackThis Log ( after all the above has been done)
- A description of how your computer is behaving
-
Security Expert
Tags for this Thread
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules