
Thread: script error, browser redirecting, and random audio on background

  1. #1 Junior Member (Join Date: May 2011; Posts: 9)

    script error, browser redirecting, and random audio on background

    I have run SpyNoMore, Malwarebytes, and SS&D. SS&D at first did find 1 problem that could not be removed, but when I ran it again, everything was clean and nothing was found. My DDS is below and zip attached. Is there anything else you need?

    Thanks


    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Owner at 17:43:27.43 on Sun 05/15/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1496 [GMT -4:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\SpyNoMore\SNM.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Justin Moore\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-rel
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Browser protection: {fb9ffb4b-9680-4256-8178-5ecdb2c19b23} - c:\progra~1\spynom~1\SNMIEG~1.DLL
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
    mRun: [HelpCenter4.1] "c:\program files\bellsouth\helpcenter40b\bin\sprtcmd.exe" /P HelpCenter4.1
    mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
    mRun: [DMXLauncher] "c:\program files\dell\media experience\DMXLauncher.exe"
    mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Conime] %windir%\system32\conime.exe
    mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    StartupFolder: c:\docume~1\justin~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://98.188.240.66/CACHE/stc/1/binaries/vpnweb.cab
    DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://playgames.comcast.net/online2/mystery_solitaire/SpinTopGamesLauncher.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_6_0_15_Silent.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_9.cab
    DPF: {FC565433-70D3-49FA-B4F8-A5F0DA265A95} - hxxp://208.137.157.32/reports/control/sfbrptview.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\justin~1\applic~1\mozilla\firefox\profiles\r1ytsck8.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://www.startnow.com/s/?src=addrbar&provider=Bing&provider_code=Z064&partner_id=284&product_id=379&affiliate_id=&channel=sonic&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110506&user_guid=2A04F3F04E214B8291C89922CC4CB0BB&machine_id=6537fd3b524b06b1bebfc9e35dff1cce&browser=FF&os=win&os_version=5.1-x86-SP3&q=
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\justin moore\application data\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - %profile%\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 163840]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-3-9 366000]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 Toolbar Updater Service;Toolbar Updater Service;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-3-24 199904]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-5-5 583360]
    S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\spy sweeper\spysweeper.exe" --> c:\program files\webroot\spy sweeper\SpySweeper.exe [?]
    S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-12-12 816672]
    .
    =============== File Associations ===============
    .
    JSEFile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    .
    =============== Created Last 30 ================
    .
    2011-05-13 21:59:49 2 --shatr- c:\windows\winstart.bat
    2011-05-13 21:59:44 -------- d-----w- c:\program files\UnHackMe
    2011-05-10 21:52:12 -------- d-----w- c:\docume~1\justin~1\applic~1\DDMSettings
    2011-05-10 21:39:23 -------- d-----w- c:\program files\DivX
    2011-05-10 21:38:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
    2011-05-06 04:16:46 -------- d-----w- c:\program files\StartNow Toolbar
    2011-05-06 04:15:56 -------- d-----w- c:\program files\Quick Web Player
    2011-05-05 22:51:04 -------- d-----w- c:\docume~1\justin~1\applic~1\Malwarebytes
    2011-05-05 22:49:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-05-05 22:49:21 -------- d-----w- C:\Malware
    2011-05-04 00:32:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-05-04 00:32:47 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-16 02:51:17 -------- d-----w- c:\program files\iPod
    .
    ==================== Find3M ====================
    .
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-03-03 11:49:02 131072 ----a-w- c:\windows\system32\EKIJCOINST12.dll
    2011-03-03 11:45:06 196608 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\EKIJ5000PPR.dll
    2011-03-03 11:45:02 425984 ----a-w- c:\windows\system32\EKIJ5000MON.dll
    2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-18 20:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
    .
    ============= FINISH: 17:44:36.72 ===============

  2. #2 Emeritus (Join Date: Nov 2005; Location: @localhost; Posts: 6,066)

    hi Falchor,

    I have run SpyNoMore, Malwarebytes, and SS&D. SS&D at first did find 1 problem that could not be removed, but when I ran it again, everything was clean and nothing was found.
    The redirects and audio playing, gone now or what?
    How Can I Reduce My Risk?

  3. #3 Junior Member (Join Date: May 2011; Posts: 9)

    No, the random audio is still playing in the background. I actually ran SuperSpyWare remover and installed Security Essentials. I apologize, I got caught up in trying to find something that would work, so that may have affected my original log. If I need to repost, please let me know what you need. I am still getting browser redirects and script errors. My computer and internet seem to be running really slow as well. I am writing from my laptop, which has also been infected with the same conditions (but seems to have faster processing and internet than the desktop), but I was going to address that after my desktop. Is there anything else I should be doing?

    Thanks,

    Falchor

  4. #4 Emeritus (Join Date: Nov 2005; Location: @localhost; Posts: 6,066)

    You can download and run Combofix. There is a guide to read first. Read through the guide then apply the directions on your own machine. Post the log in your reply:

    Guide to using Combofix
    How Can I Reduce My Risk?

  5. #5 Junior Member (Join Date: May 2011; Posts: 9)

    Here is the ComboFix log.

    ComboFix 11-05-21.03 - Owner 05/21/2011 20:52:03.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1566 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Justin Moore\Application Data\Logs\scns.log
    c:\documents and settings\Justin Moore\WINDOWS
    c:\program files\INSTALL.LOG
    c:\windows\run.log
    .
    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-21 11:40 . 2011-05-09 20:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B20EF7E-7E79-40E2-BF6E-A65C6183B34E}\mpengine.dll
    2011-05-19 02:28 . 2011-04-11 04:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-05-18 02:40 . 2011-05-18 02:40 -------- d-----w- c:\documents and settings\Justin Moore\Application Data\SUPERAntiSpyware.com
    2011-05-18 02:40 . 2011-05-18 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-05-18 02:39 . 2011-05-18 02:40 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-05-18 01:02 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-18 00:56 . 2011-05-18 00:56 -------- d-----w- c:\program files\Microsoft Security Client
    2011-05-15 04:51 . 2011-05-15 04:51 -------- d-----w- c:\program files\ERUNT
    2011-05-13 21:59 . 2011-05-13 21:59 2 --shatr- c:\windows\winstart.bat
    2011-05-13 21:59 . 2011-05-15 03:09 -------- d-----w- c:\program files\UnHackMe
    2011-05-10 21:52 . 2011-05-10 21:52 -------- d-----w- c:\documents and settings\Justin Moore\Application Data\DDMSettings
    2011-05-10 21:39 . 2011-05-10 21:44 -------- d-----w- c:\program files\DivX
    2011-05-10 21:38 . 2011-05-10 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2011-05-06 04:16 . 2011-05-06 04:16 -------- d-----w- c:\program files\StartNow Toolbar
    2011-05-06 04:15 . 2011-05-06 04:17 -------- d-----w- c:\program files\Quick Web Player
    2011-05-05 22:51 . 2011-05-05 22:51 -------- d-----w- c:\documents and settings\Justin Moore\Application Data\Malwarebytes
    2011-05-05 22:49 . 2011-05-05 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-05 22:49 . 2011-05-05 22:49 -------- d-----w- C:\Malware
    2011-05-04 00:32 . 2011-05-04 00:32 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-07 05:33 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2005-08-16 10:18 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2005-08-16 10:18 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-03-03 11:49 . 2011-03-03 11:49 131072 ----a-w- c:\windows\system32\EKIJCOINST12.dll
    2011-03-03 11:45 . 2011-03-03 11:45 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
    2011-03-03 11:45 . 2011-03-03 11:45 425984 ----a-w- c:\windows\system32\EKIJ5000MON.dll
    2011-02-22 23:06 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-04 2424192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-23 274608]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2011-03-03 2510848]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    c:\documents and settings\Justin Moore\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2010-12-13 01:46 1242448 ----a-w- c:\program files\Steam\steam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-11-23 18:57 274608 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Ati HotKey Poller"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\gte407p\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Documents and Settings\\Justin Moore\\Local Settings\\Apps\\2.0\\YHQ704XC.YCE\\N4584OOH.5ZM\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:UDP"= 5353:UDP:Bonjour Port 5353
    "9322:TCP"= 9322:TCP:EKDiscovery
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 3:02 PM 163840]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [3/9/2011 1:29 PM 366000]
    R2 Toolbar Updater Service;Toolbar Updater Service;c:\program files\StartNow Toolbar\ToolbarUpdaterService.exe [3/24/2011 5:59 AM 199904]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [5/5/2010 9:59 PM 583360]
    S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [12/12/2010 6:26 PM 816672]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e504fc2d-38a4-11de-9525-00038a000015}]
    \Shell\AutoRun\command - f:\wd_windows_tools\Setup.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
    .
    2011-05-21 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
    .
    2011-05-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-628491586-2588602083-1391599483-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    2011-05-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-628491586-2588602083-1391599483-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://98.188.240.66/CACHE/stc/1/binaries/vpnweb.cab
    DPF: {FC565433-70D3-49FA-B4F8-A5F0DA265A95} - hxxp://208.137.157.32/reports/control/sfbrptview.cab
    FF - ProfilePath - c:\documents and settings\Justin Moore\Application Data\Mozilla\Firefox\Profiles\r1ytsck8.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://www.startnow.com/s/?src=addrbar&provider=Bing&provider_code=Z064&partner_id=284&product_id=379&affiliate_id=&channel=sonic&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110506&user_guid=2A04F3F04E214B8291C89922CC4CB0BB&machine_id=6537fd3b524b06b1bebfc9e35dff1cce&browser=FF&os=win&os_version=5.1-x86-SP3&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - %profile%\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-HelpCenter4.1 - c:\program files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
    HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
    MSConfigStartUp-BearFlix - c:\program files\BearFlix\BearFlix.exe
    MSConfigStartUp-ioloDelayModule - c:\program files\iolo\System Mechanic Professional 6\delay.exe
    AddRemove-DivX Plus DirectShow Filters - c:\program files\DivX\DivXDSFiltersUninstall.exe
    AddRemove-Game Console - WildGames - c:\program files\WildGames\Game Console - WildGames\Uninstall.exe
    AddRemove-Sierra Uninstall - c:\sierra\SETUP.EXE
    AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
    AddRemove-WildTangent wildgames Master Uninstall - c:\program files\WildGames\Uninstall.exe
    AddRemove-WT025760 - E:\Uninstall.exe
    AddRemove-WT038028 - c:\program files\WildGames\Run 'N Gun Football\Uninstall.exe
    AddRemove-WT052908 - c:\program files\WildGames\Build in Time\Uninstall.exe
    AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\DivXConverterUninstall.exe
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
    AddRemove-{B13A7C41581B411290FBC0395694E2A9} - c:\program files\DivX\DivXConverterUninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-21 20:56
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(680)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-05-21 20:59:04
    ComboFix-quarantined-files.txt 2011-05-22 00:59
    .
    Pre-Run: 5,960,241,152 bytes free
    Post-Run: 6,663,925,760 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - B449E7596AB466BEFA992454B44C3F80
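
As an added triage example (not part of the original post or of ComboFix), the following Python script parses the three sections of the log tail quoted above: the LOCKED REGISTRY KEYS block, the DLLs reported inside winlogon.exe, and the boot.ini dump. The sample input is a trimmed copy of those lines embedded as constructed data so it runs offline; the only assumption is that the system root is C:\WINDOWS, taken from the boot.ini default line. For each key that denies access to Everyone it resolves the LocalServer32 binary and checks whether that binary lives outside the Windows directory, lists any non-Windows module loaded into winlogon.exe, and reads the DEP mode from the /noexecute switch.

```python
import re

# Trimmed copy of the ComboFix log sections quoted in the post above,
# embedded as constructed sample input so the script runs offline.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
"""

# Assumption: the system root is C:\WINDOWS, as the boot.ini default line says.
WINDOWS_DIR = "c:\\windows\\"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DENIED_RE = re.compile(r"^@Denied:\s*(.+)$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def section(text, title):
    """Yield the stripped lines of the ComboFix section whose dashed header contains title."""
    inside = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            inside = title in line
        elif inside:
            yield line


def unescape(value):
    """ComboFix prints registry data .reg-style, with doubled backslashes."""
    return value.strip('"').replace("\\\\", "\\")


def parse_locked_keys(text):
    """Map each locked key path to {'denied': ACE text or None, 'values': {name: data}}."""
    keys, current = {}, None
    for line in section(text, "LOCKED REGISTRY KEYS"):
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {"denied": None, "values": {}}
        elif current is None or line == ".":
            continue
        elif m := DENIED_RE.match(line):
            keys[current]["denied"] = m.group(1)
        elif m := DEFAULT_RE.match(line):
            keys[current]["values"]["@"] = unescape(m.group(1))
    return keys


def denied_com_servers(keys):
    """For each key locked against Everyone, resolve the out-of-process server that
    its LocalServer32 subkey launches and flag binaries outside the Windows directory."""
    report = []
    for path, info in keys.items():
        if info["denied"] is None:
            continue
        server = keys.get(path + "\\LocalServer32", {}).get("values", {}).get("@")
        report.append({
            "name": info["values"].get("@"),
            "acl": info["denied"],
            "server": server,
            "outside_windows_dir": server is not None
            and not server.lower().startswith(WINDOWS_DIR),
        })
    return report


def winlogon_dlls(text):
    """Return (all DLLs ComboFix found in winlogon.exe, those outside the Windows directory)."""
    dlls, capture = [], False
    for line in text.splitlines():
        line = line.strip()
        if "'winlogon.exe'" in line:
            capture = True
        elif capture and line in (".", ""):
            break
        elif capture:
            dlls.append(line)
    return dlls, [d for d in dlls if not d.lower().startswith(WINDOWS_DIR)]


def dep_policy(text):
    """DEP mode from boot.ini's /noexecute switch: 'optin' covers only Windows
    system binaries; 'optout' and 'alwayson' extend DEP to other programs."""
    m = re.search(r"/noexecute=(\w+)", text, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(text):
    """One summary dict an analyst can eyeball or assert on."""
    keys = parse_locked_keys(text)
    dlls, foreign = winlogon_dlls(text)
    return {"locked_keys": len(keys), "denied_servers": denied_com_servers(keys),
            "winlogon_dlls": dlls, "winlogon_third_party": foreign, "dep": dep_policy(text)}


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run against the quoted log, the summary shows that both Everyone-denied keys carry Flash names and the only server binary they launch sits under C:\WINDOWS\system32\Macromed\Flash, that the one non-Windows module inside winlogon.exe is SUPERAntiSpyware's SASWINLO.DLL (both products appear elsewhere in this same log), and that DEP is in optin mode, so on this XP machine only Windows system binaries are DEP-protected. A locked key whose LocalServer32 pointed somewhere like a temp or profile directory is what the outside_windows_dir flag is there to catch.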

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    Good. Must be better now?
    How Can I Reduce My Risk?

  7. #7
    Junior Member
    Join Date
    May 2011
    Posts
    9

    Default

    I'm not noticing any random audio, the redirect seems to be fixed and I haven't gotten any more script errors. I assume I can go ahead and turn back on my antivirus/spyware? Assuming I don't have any more issues, thank you very much for the assistance. Is there anything else I should do? I am currently using SS&D and SuperAntiVirus along with Microsoft Security Essentials. I'm still using Windows Firewall, but I've heard it's better to have another. Any recommendations? Again, thanks for the help.

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    Hi,

    OK, good. You're welcome. Yes, turn your AV back on. A reboot should do it.
    You can remove ComboFix like this:
    Start > Run and type in combofix /uninstall
    Click OK or press Enter.
    Note the space after the x and before the /.

    You can make a new restore point; the why and the how:

    One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    (winXP)

    1. Turn off System Restore. (deletes the old, possibly infected restore points)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore. (creates a new restore point on a clean system)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Un-check *Turn off System Restore*.
    Click Apply, and then click OK, then reboot.

    You also have Malwarebytes. Note that the free version must be updated manually, and it's good practice to check for updates for it and your other antimalware every few days or so, even if you don't scan with them at that time.

    If any of these frequently remove malware, then it's time to examine your computer habits, or lack of habits. There's no reason why you can't stay malware free.

    Windows Firewall is fine. You're right, it doesn't block outbound traffic. Third-party firewalls that do are often complicated, with all their technical prompts. Most people may not make the right decision, or get in the habit of allowing everything. Malware also no longer requests its own connection but will launch other Windows components or use an already existing connection, further complicating the prompts. Rootkit technology can bypass firewalls altogether.

    If you want one, get one and try it out; there are several free ones you could try, one at a time. Some also have anti-malware components and other handy features built in.

    Here are some tips to help you remain malware free. Knowing how you may get malware will improve your chances of avoiding it:

    10 Tips for Prevention and Avoidance of Malware:

    There is no reason why your computer cannot stay malware free.


    No software can think for you. Help yourself. In no special order:


    1) It is essential to keep your operating system (Windows), browser (IE, Firefox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for web-based applications, browser plugins and add-ons like Java, Adobe Flash/Reader, iTunes, etc. More and more third-party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here.


    2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, where you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.


    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated, they will soon be worthless. If either of these frequently finds malware, then it's time to *review your computer habits*.


    4) Refrain from clicking on links or attachments via e-mail, IM, IRC, chat rooms, blogs or social networking sites, no matter how tempting or legitimate the message may seem. Do you trust the source? See also E-mail Phishing Tricks.


    5) Do not click on ads/pop-ups or offers from websites requesting that you need to install software on your computer, *for any reason*. Use the Alt+F4 keys to close the window.


    6) Don't click on offers to "scan" your computer. Install ActiveX objects with care. Do you trust the website to install components?


    7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what User Account Control (UAC) in Windows Vista and Windows 7 attempts to address.


    8) Install and understand the *limitations* of a software firewall.


    9) A slide show 'how to' for securing Internet Explorer 8.0 for safer surfing. How to harden FireFox for safer surfing.


    10) Warez, cracks, etc. are very popular for carrying malware payloads. If you download/install files via P2P networks, you will encounter malware. A file can be named anything, be nothing but malware, or have malware bundled in it. Can you really trust the source of the file?

    More info/tips with pictures in the links below.

    Happy Safe Surfing.
    How Can I Reduce My Risk?

  9. #9
    Junior Member
    Join Date
    May 2011
    Posts
    9

    Default

    I am having the same redirect issues on my laptop. I am not having script errors. Should I start a new thread, post a DDS log, etc?

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    May as well stay in this thread. First get a DDS log and post it. Don't wait for a response from me, but go ahead and download ComboFix to the laptop, run it and post its log also.
    How Can I Reduce My Risk?
