Possible Trojan Adware.MyWebSearch?



metamora
2008-11-06, 01:25
I am running XP Home (Service Pack 3) with 4 user accounts. My computer spontaneously opens IE to spam pages or throws up strange error messages relating to my router or to askBar.dll or other things (note: I never use IE). Also AVG periodically finds Trojan.Agent contamination and removes them. Problems persist on at least 2 user accounts. Any assistance you can provide is greatly appreciated. Here is my HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:08 PM, on 11/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SqueezeCenter\SqueezeTray.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\PROGRA~1\SQUEEZ~1\server\squeezecenter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SqueezeCenter Tray Tool.lnk = C:\Program Files\SqueezeCenter\SqueezeTray.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193592129828
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 10191 bytes

pskelley
2008-11-06, 15:52
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Not making any promises, but I will work with you to see what we can do. I will need to see HJT logs from each user account before we are finished, but for starters, I will provide some information and instructions. What I need from you is to read and follow the directions carefully and please make sure you are always signed in as administrator until I ask for individual logs later.

Information first:

C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
http://www.bleepingcomputer.com/startups/MXOALDR.EXE-10484.html
This item, if needed, should be moved to the correct folder; it will get deleted when we clean the Temp folders.

C:\PROGRA~1\SQUEEZ~1\server\squeezecenter.exe <<< not much information about this; are you positive this is a valid, safe program?

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
See this: http://www.benedelman.org/spyware/ask-toolbars/


Let's start like this; remember to sign in as ADMINISTRATOR, and to follow the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\Program Files\AskBarDis <<< delete that folder and contents if there

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

6) I would like to see an uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Thanks
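
The kind of log triage pskelley does by eye above, as an added example that is not part of the thread: a small Python script that parses the O2/O3/O4 lines of a HijackThis log and flags the entries he called out (the askBar.dll BHO and toolbar, and the MXOALDR.EXE autorun living in a Temp folder). The sample lines are copied from the first log posted in the thread; the marker substrings are an assumption for illustration, not a vendor detection list.

```python
"""Triage helper for HijackThis v2 logs (added example, not from the thread).

Parses O2 (BHO), O3 (toolbar) and O4 (autorun) entries and flags what the
helper flagged here: Ask toolbar components and programs auto-started from
a Temp folder.  The markers are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the first HJT log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - Global Startup: SqueezeCenter Tray Tool.lnk = C:\Program Files\SqueezeCenter\SqueezeTray.exe
O20 - AppInit_DLLs: avgrsstx.dll
""".strip()

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
# O2 and O3 share one shape: "<sec> - <kind>: <name> - {CLSID} - <path>"
O2_O3_RE = re.compile(
    r"^(?P<sec>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>"
    + CLSID + r") - (?P<path>.+)$"
)
# O4 from a Run/RunOnce key: "O4 - <hive>\..\Run: [<name>] <cmd> (User '<u>')"
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O4 from a Startup folder shortcut: "O4 - Global Startup: <name>.lnk = <cmd>"
O4_LNK_RE = re.compile(r"^O4 - (?P<folder>.+ Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# First program in a command line: quoted, or everything up to the extension.
EXE_RE = re.compile(
    r'^"(?P<q>[^"]*)"|^(?P<u>.*?\.(?:exe|dll|scr|com|bat|cmd))(?=\s|$)', re.I
)

# Constructed markers based on what the thread flags (lower-case substrings).
ASK_MARKERS = ("\\askbardis\\", "askbar.dll")
TEMP_MARKERS = ("\\temp\\",)


@dataclass
class Finding:
    section: str   # O2, O3 or O4
    name: str      # BHO/toolbar name or autorun value name
    path: str      # module or program path
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program path from an autorun command, dropping arguments."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.strip()          # e.g. rundll32 ...: keep the whole command
    return m.group("q") if m.group("q") is not None else m.group("u")


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (section, name, path) for O2/O3/O4 lines, None for others."""
    m = O2_O3_RE.match(line)
    if m:
        return m.group("sec"), m.group("name"), m.group("path")
    m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
    if m:
        return "O4", m.group("name"), executable_of(m.group("cmd"))
    return None


def classify(path: str) -> Optional[str]:
    """Reason to flag a path, or None if nothing in it stands out."""
    p = path.lower()
    if any(mk in p for mk in ASK_MARKERS):
        return "Ask toolbar component (helper asked for these to be fixed)"
    if any(mk in p for mk in TEMP_MARKERS):
        return "auto-started from a Temp folder (goes when Temp is cleaned)"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every log line through the parser and keep the flagged entries."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        section, name, path = parsed
        reason = classify(path)
        if reason:
            findings.append(Finding(section, name, path, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.path}\n    -> {f.reason}")
```

Run against a full log, the O2/O3 hits are exactly the lines you would tick under "Fix Checked", while a Temp-folder O4 hit is a reason to look at the program's install folder rather than to fix the line blindly.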

metamora
2008-11-07, 04:19
Thank you for your detailed reply to my question.

Squeezecenter.exe is a valid program and I believe that it is safe. It is used to operate my SlimServer and I have used it for several years without incident.

I followed all of your steps precisely and in order. Here are the logs that you requested:

Malwarebytes' Anti-Malware 1.30
Database version: 1370
Windows 5.1.2600 Service Pack 3

11/6/2008 9:49:15 PM
mbam-log-2008-11-06 (21-49-15).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 208448
Time elapsed: 2 hour(s), 14 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\36EG4DJf.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:53 PM, on 11/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\PROGRA~1\SQUEEZ~1\server\squeezecenter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\36EG4DJf.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SqueezeCenter Tray Tool.lnk = C:\Program Files\SqueezeCenter\SqueezeTray.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193592129828
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 10084 bytes

uninstall list:

7-Zip 4.57
Acronis Disk Director Suite
Acronis True Image Home
Active@ Partition Recovery 5.0
Ad-Aware
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
Advanced WindowsCare Personal
AI RoboForm (All Users)
AnyDVD
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Audacity 1.2.6
AVG Free 8.0
Avidemux 2.4
Big Fish Games Client
Brother BRAdmin Professional 2.45
Brother Driver Deployment Wizard
Brother HL-2070N
Brother P-touch Editor 4.2
Brother P-touch Quick Editor 2.0
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
CutePDF Writer 2.7
DVD Shrink 3.2
EasyCalendarMaker Evaluation
Enchanting Glory Wallpaper
EPSON TWAIN 5
Express Burn
Fish Tycoon
FreeUndelete
Glary Utilities 2.8.0.366
Golden Records
Hanes® T-ShirtMaker® Lite 3.0.0
HD Tune 2.55
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
hp photosmart printer series (Remove only)
Image Resizer Powertoy for Windows XP
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
ISO Recorder
iTunes
Jahplayer
Jahshaka
Java(TM) 6 Update 3
Linksys Wireless-G PCI Network Adapter with SpeedBooster
Malwarebytes' Anti-Malware
Maxtor OneTouch
Media Library Management Wizard
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft Visual C++ 2005 Redistributable
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (3.0.3)
Mozilla Thunderbird (2.0.0.6)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
msxml4
Nero Media Player
Nero OEM
NeroVision Express 2
Network Stumbler 0.4.0 (remove only)
OpenLibraries
Paint.NET v3.36
PaperPort
Personal License Update Wizard for Windows Media Player
Picasa 2
Plus! MP3 Audio Converter LE
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Smart Defrag 1.02
SoundMAX
SpeedFan (remove only)
Spybot - Search & Destroy
SpywareBlaster 4.1
SqueezeCenter 7.2.1
Stamp Uninstall
Switch
Tweak UI
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
USB Storage Adapter FX (MXO)
Viewpoint Media Player
WavePad Uninstall
Windows Communication Foundation
Windows Imaging Component
Windows Media Bonus Pack for Windows XP
Windows Media Player 9 Series Power Toy - Ratings Migration
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Service Pack 3
WinZip

The computer has not yet had a recurrence of the problems mentioned earlier; however, it has only been about 1 hour.

Thank you for your assistance.

pskelley
2008-11-07, 13:16
Thanks for returning your information and the feedback, you said:

The computer has not yet had a recurrence of the problems mentioned earlier; however, it has only been about 1 hour.
Since you mentioned "Trojan Adware.MyWebSearch" it is possible MBAM removed the threat since it killed one trojan and one Adware.MyWebSearch item in the registry.
Let's hope that is the end of that issue, keep an eye out for symptoms as we proceed.

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out-of-date programs to infect folks more and more. Here is a small free tool that lets you know when something needs an update, if you are interested: https://psi.secunia.com/ While PSI runs in the System Tray for real-time notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 7.0.9 <<< out of date and being exploited, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/

Java(TM) 6 Update 3 See this >>>
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Viewpoint Media Player
For your information, Viewpoint is installed by AOL, probably without your knowledge. I suggest you uninstall this resource waster in Add/Remove Programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

There is no way I can know all programs and when updates are needed; you can bet there are others out of date and dangerous. Since organized crime moved online, we can no longer run our computers with outdated security.

Let's clean the System Restore files to be sure:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

I am not seeing any issues in the HJT log, and suggest you update and scan the computer with AVG. If all is still well at that point, let me know and I will close this topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

metamora
2008-11-07, 13:24
Several hours later and the system still appears to be infected. I have had 2 IE sessions start spontaneously loading sites trying to sell me stuff.

pskelley
2008-11-07, 13:33
Thanks for that feedback, let's first use the tools we have to see what they find. As in the above instructions:

update and scan the computer with AVG.

1) Right click the icon for AVG in System Tray and choose Open AVG User Interface.

2) Click on Update now, allow AVG to download and install any new updates.

3) Click on Computer Scanner then choose "Scan whole computer"; this takes around one hour on the computer I am using now.

4) Near the bottom above the words "The scan is complete" choose "Export overview to file"

5) Choose Desktop and give it a name you will recognize like AVG Scan Results, then choose SAVE.

6) Close results and close the Interface.

7) Copy and paste the contents of that file if I request it or you have something you think I should see.

Post the results unless they should be clean, then just tell me.

I have had 2 IE sessions start spontaneously loading sites trying to sell me stuff.
Please also mention exactly where you are being directed and/or what the product is to help me identify the source. Please tell me if these popups occur when you are surfing or if they are occurring when you are offline.

We have had a rush of router infections; are you using a router?

Thanks

metamora
2008-11-07, 15:22
Thank you for your reply. Prior to receiving it I had run Malwarebytes and removed the one infection it found. Here is the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1361
Windows 5.1.2600 Service Pack 3

11/4/2008 10:12:33 PM
mbam-log-2008-11-04 (22-12-33).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 28082
Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I then proceeded with your instructions to remove Viewpoint Media Player and update all programs as recommended by PSI. I also cleaned out the System Restore and turned it back on. I have also rebooted several times during the reinstall process of the various programs. Just now while typing this message AVG found (and I removed) a threat called Trojan Horse Clicker.SXT located in a file called C:\DOCUME~1\David\LOCALS~1\Temp\Ml101T6l.exe. I have not recorded the specific sites that I am directed to. Here's what happens. While the computer is idle but turned on an IE process opens to a specific site and simply stays open on the screen. I never use IE so this is strange. It is not my default browser. I close it and eventually AVG finds one of these Trojan Horse.Clicker threats as mentioned above. I remove the threat and the process repeats. The sites are varied. One was a Comcast advertisement. One was a singles site. I will make a note the next time it happens.

Yes, I am using a router. A Linksys WRT54G with Tomato firmware V1.21. I am running a full AVG scan with updated signatures now and will post the results when it is finished. Thanks again for your assistance.

pskelley
2008-11-07, 15:29
Thanks for the feedback, I am interested in the results of the AVG scan. Since you use a router, have a look at this information.
Malware Silently Alters Wireless Router Settings
http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html

Another helper posted at BleepingComputer about this, and the symptoms are similar.

This post here is similar, have a look:
http://forums.spybot.info/showthread.php?p=250305#post250305

Thanks

metamora
2008-11-07, 16:41
Here is the result of the whole PC AVG scan:

"Scan ""Scan whole computer"" was finished."
"Infections found:";"0"
"Infected objects removed or healed:";"0"
"Not removed or healed:";"0"
"Spyware found:";"0"
"Spyware removed:";"0"
"Not removed:";"0"
"Warnings count:";"46"
"Information count:";"0"
"Scan started:";"Friday, November 07, 2008, 9:24:25 AM"
"Scan finished:";"Friday, November 07, 2008, 10:36:21 AM (1 hour(s) 11 minute(s) 56 second(s))"
"Total object scanned:";"856292"
"User who launched the scan:";"David"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\advertising.com.1820df7a";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\revsci.net.6215368c";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\tacoda.net.cd7ce44f";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\advertising.com.f62113d5";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\tacoda.net.e9f57f8";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\tacoda.net.ed9c50d1";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@2o7[2].txt";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@2o7[2].txt:\2o7.net.8d863dfe";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt:\ad.yieldmanager.com.e762f029";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt:\ad.yieldmanager.com.eec26c3e";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[2].txt";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[2].txt:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[2].txt:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt:\trafficmp.com.37644bdb";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt:\trafficmp.com.a00e30b4";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt:\trafficmp.com.ae53b8b";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt:\trafficmp.com.e2e71e33";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt:\trafficmp.com.f3e5803e";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"H:\Documents and Settings\David\Cookies\david@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"H:\Documents and Settings\David\Cookies\david@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"H:\Documents and Settings\David\Cookies\david@msnportal.112.2o7[1].txt";"Found Tracking cookie.2o7";"Potentially dangerous object"
"H:\Documents and Settings\David\Cookies\david@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Potentially dangerous object"

No new problems since my last reply.
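The AVG export posted above is a semicolon-separated file with quoted fields, so it can be read with an ordinary CSV parser. The following script is an added example for triaging such an export (it is not code posted in the thread and not part of AVG): it checks that the "Warnings count" line agrees with the number of rows in the Warnings table, groups the warnings by user profile and by the cookie domain encoded after the `:\` in each path, and separates anything that is not a tracking cookie for closer review. The sample input is a constructed excerpt of the export above, with the warning count set to match the rows kept.

```python
import csv
import io
import re
from collections import Counter

# Constructed excerpt in the format of the AVG 8 "Export overview to file" output
# posted in this thread: a summary block, a blank line, then the "Warnings" table.
# The rows are a subset of the posted ones; "Warnings count" was set to match them.
SAMPLE_EXPORT = r'''"Scan ""Scan whole computer"" was finished."
"Infections found:";"0"
"Infected objects removed or healed:";"0"
"Not removed or healed:";"0"
"Warnings count:";"6"
"Scan started:";"Friday, November 07, 2008, 9:24:25 AM"
"Total object scanned:";"856292"
"User who launched the scan:";"David"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Lisa.BEAR\Application Data\Mozilla\Firefox\Profiles\w4mnl0i6.default\cookies.txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@2o7[2].txt:\2o7.net.8d863dfe";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt:\trafficmp.com.37644bdb";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"H:\Documents and Settings\David\Cookies\david@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
'''

# "<drive>:\Documents and Settings\<profile>\..." -> the profile name (XP layout)
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\([^\\]+)\\")
# AVG appends the cookie's domain and a hex id after the cookie file, e.g. "...txt:\atdmt.com.b3e33b5f"
STREAM_RE = re.compile(r"^(.+)\.[0-9a-f]+$")


def parse_avg_export(text):
    """Split the export into a summary dict and a list of warning rows."""
    summary, warnings, section = {}, [], "summary"
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row:                      # blank separator line
            continue
        if section == "summary":
            if row == ["Warnings"]:
                section = "warnings"
            elif len(row) == 2:          # one-field banner lines are skipped
                summary[row[0].rstrip(":")] = row[1]
        elif row != ["File", "Infection", "Result"] and len(row) == 3:
            warnings.append({"file": row[0], "infection": row[1], "result": row[2]})
    return summary, warnings


def profile_of(path):
    """Which user profile a flagged file lives in (cookies are per-profile)."""
    m = PROFILE_RE.match(path)
    return m.group(1) if m else "(outside a user profile)"


def cookie_domain(path):
    """Domain encoded in the part after the second ':\\'; None for plain file paths."""
    parts = path.split(":\\")
    if len(parts) < 3:                   # only the drive letter's ":\" is present
        return None
    m = STREAM_RE.match(parts[-1])
    return m.group(1) if m else None


def count_matches(summary, warnings):
    """Sanity check: the reported warning count should equal the rows exported."""
    return int(summary.get("Warnings count", -1)) == len(warnings)


def triage(warnings):
    """Aggregate the warnings and isolate anything that is not a tracking cookie."""
    return {
        "by_label": Counter(w["infection"] for w in warnings),
        "by_profile": Counter(profile_of(w["file"]) for w in warnings),
        "cookie_domains": Counter(d for d in (cookie_domain(w["file"]) for w in warnings) if d),
        "needs_review": [w for w in warnings if not w["infection"].startswith("Found Tracking cookie")],
    }


if __name__ == "__main__":
    summary, warnings = parse_avg_export(SAMPLE_EXPORT)
    print("count consistent:", count_matches(summary, warnings))
    result = triage(warnings)
    for key in ("by_profile", "cookie_domains"):
        print(key, dict(result[key]))
    print("needs review:", len(result["needs_review"]))
```

On the full export posted above every one of the 46 warnings is a tracking cookie and `needs_review` stays empty, which is the quick way to confirm that a long AVG warning list contains nothing beyond cookies.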

pskelley
2008-11-07, 16:56
Let's hope you removed all of that junk AVG found. AVG will place the junk in the Virus Vault where you can delete it from the computer later when you are sure no mistakes were made. Here are some informational links for AVG: http://www.avg.com/faq
AVG Free Forum
http://freeforum.avg.com/

Here is information for Internet Explorer to control all of the junk cookies getting to your computer.
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
available for Firefox if needed.

Thanks

metamora
2008-11-07, 16:57
I reviewed the links concerning the router infection. I don't think this applies here. I altered the login and pw information on the router when it was installed and it is unlikely to have been hacked. Also, there are 4 computers on the router and only one is experiencing this problem. If the router was indeed hacked I think I would be having problems on all computers, yes?

metamora
2008-11-07, 16:59
I also wanted to report that I have experienced no more problems for a few hours. I want to leave it running to see how it behaves. Perhaps we got it (with your help!).

metamora
2008-11-07, 19:40
The unwanted browser redirects continue. Here are 3 examples of sites that have come up in both IE and Firefox:

www.iracars.com
www.egoob.com
www.cheapoair.com

I ran Malwarebytes again and here is the log.

Malwarebytes' Anti-Malware 1.30
Database version: 1370
Windows 5.1.2600 Service Pack 3

11/7/2008 1:38:00 PM
mbam-log-2008-11-07 (13-38-00).txt

Scan type: Quick Scan
Objects scanned: 63358
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zisopola.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jaritisi.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d04adada (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desajewitu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\jaritisi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\jaritisi.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\zisopola.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aloposiz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\jaritisi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\36EG4DJf.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\miwefoda.dll (Trojan.Agent) -> Delete on reboot.
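The log above mixes three things a responder wants separated: which persistence locations the infection used (AppInit_DLLs, Run values, SharedTaskScheduler, ShellServiceObjectDelayLoad, a CLSID), which files were loaded in memory and therefore deferred to "Delete on reboot", and which registry entries still referenced those files. The script below is an added example for reading the Malwarebytes log format (it is not code from the thread and not part of Malwarebytes); the sample input is the log posted above, copied verbatim.

```python
import re
from collections import Counter

# Taken verbatim from the Malwarebytes' Anti-Malware 1.30 log posted above.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1370
Windows 5.1.2600 Service Pack 3

11/7/2008 1:38:00 PM
mbam-log-2008-11-07 (13-38-00).txt

Scan type: Quick Scan
Objects scanned: 63358
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zisopola.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jaritisi.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d04adada (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desajewitu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\jaritisi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\jaritisi.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\zisopola.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aloposiz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\jaritisi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\36EG4DJf.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\miwefoda.dll (Trojan.Agent) -> Delete on reboot.
"""

ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")

# Persistence mechanisms named in the log, checked in order (substring, case-insensitive).
MECHANISMS = [
    ("appinit_dlls", "AppInit_DLLs"),
    ("sharedtaskscheduler", "SharedTaskScheduler"),
    ("shellserviceobjectdelayload", "ShellServiceObjectDelayLoad"),
    ("\\currentversion\\runonce\\", "RunOnce"),
    ("\\currentversion\\run\\", "Run"),
    ("hkey_classes_root\\clsid\\", "CLSID"),
]


def classify_mechanism(reg_path):
    low = reg_path.lower()
    for needle, label in MECHANISMS:
        if needle in low:
            return label
    return "other"


def parse_mbam_log(text):
    """Return (per-section counts from the header, list of detected items)."""
    stats, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if section and m:
            rest, data = m.group("rest").rstrip("."), None
            if rest.startswith("Data: "):          # "Data: <value> -> <action>"
                data, rest = rest[len("Data: "):].split(" -> ", 1)
            items.append({"section": section, "path": m.group("path"),
                          "family": m.group("family"), "data": data, "action": rest})
    return stats, items


def counts_consistent(stats, items):
    return sum(stats.values()) == len(items)


def pending_reboot(items):
    """Files that were loaded/locked and so could only be scheduled for deletion at reboot."""
    return sorted({i["path"].lower() for i in items if i["action"] == "Delete on reboot"})


def persistence_summary(items):
    return Counter(classify_mechanism(i["path"])
                   for i in items if i["section"].startswith("Registry"))


def references_to(items, filename):
    """Registry items whose path or data still point at the given file name."""
    name = filename.lower()
    return [(i["path"], i["data"]) for i in items
            if i["section"].startswith("Registry")
            and name in ((i["data"] or "") + i["path"]).lower()]


if __name__ == "__main__":
    stats, items = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("counts consistent:", counts_consistent(stats, items))
    print("persistence:", dict(persistence_summary(items)))
    for path in pending_reboot(items):
        print("pending reboot:", path, "referenced by", references_to(items, path.rsplit("\\", 1)[-1]))
```

Running it shows three DLLs waiting on a reboot and that `jaritisi.dll` was wired in through AppInit_DLLs, which loads it into every process that uses user32.dll; that is why it could not be deleted live. The later report that the files were "not found" at reboot is consistent with a second component having already re-created them under new names, which is the morphing behaviour described further down in the thread.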

pskelley
2008-11-07, 19:49
Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Thanks

metamora
2008-11-07, 19:51
As you can see from the log there were 2 files that could not be removed until I rebooted. Upon reboot I got the message that the files could not be located and hence were not removed.

Here are the files that were not found:

C:\windows\system32\jaritisi.dll
C:\windows\system32\miwefoda.dll

What's going on here? Any ideas? On the surface this does not seem particularly malicious - just a pain to deal with. The sites that I am getting directed to are fairly benign.

pskelley
2008-11-07, 20:05
I have been fighting this infection (Vundo/Virtumonde) for several years and the hackers continue to change how they infect folks and where they hide the junk. Might have something to do with the fact they have unlimited funds (illicit) to work with. Here is just a bit of information: with this infection, if you miss any, it can morph and recreate, which makes it hard to remove. This is a version I have not seen before.

http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn

More information to consider: how easy it is to get infected.
http://news.cnet.com/8301-1009_3-9992897-83.html
http://en.wikipedia.org/wiki/Russian_Business_Network
http://rbnexploit.blogspot.com/
http://en.wikipedia.org/wiki/Vundo_trojan
http://www.google.com/search?hl=en&q=infected+websites&btnG=Google+Search
http://news.cnet.com/8301-1009_3-10004970-83.html?tag=nl.e703

I would appreciate it if you would review all we have been through, to be sure you missed nothing. Then post
C:\ComboFix.txt in your next reply along with a New Hijackthis log.

We will go from there.

Thanks

I should say that reformatting the computer is an option:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

metamora
2008-11-07, 20:12
Having trouble getting ComboFix to fire up after disabling AVG. It shows a status bar and then nothing. What am I missing?

pskelley
2008-11-07, 20:43
I am not sure; here is a tutorial that might help:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Once you get it to the Desktop, you can try booting to safe mode and running it there. The malware may be blocking it; you can also try renaming the .exe like this:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

Thanks

metamora
2008-11-07, 21:13
I have tried renaming and booting into Safe mode. ComboFix initiates the installation process but will not run. I get a status bar which completes, then my screen blinks and nothing happens. I have reviewed the tutorials but there is no discussion concerning this. There should not be anything blocking the installation in Safe mode should there?

pskelley
2008-11-07, 21:19
No, there should not be. This may be the most used tool in malware removal with downloads perhaps at a million a month. I have run it on my computers without a problem but the computers were not infected at the time. It may be you got a bad download; try deleting everything and downloading it again.

There may be other tools we can try, but I believe this is the best one for this infection at this point.

Thanks

metamora
2008-11-07, 21:53
OK, got it. I found a reference to someone that tried using SuperAntiSpyware Free Edition prior to running ComboFix and that did the trick. Apparently the virus was not allowing ComboFix to run. I removed a bunch more infections (19) and it ran. Here is the HJT log followed by the ComboFix log. Let me know what is next. I really appreciate your help on this. I am in uncharted waters here...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:20 PM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Secunia\PSI (RC4)\psi.exe
C:\PROGRA~1\SQUEEZ~1\server\squeezecenter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [desajewitu] Rundll32.exe "C:\WINDOWS\system32\miwefoda.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [desajewitu] Rundll32.exe "C:\WINDOWS\system32\miwefoda.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SqueezeCenter Tray Tool.lnk = C:\Program Files\SqueezeCenter\SqueezeTray.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193592129828
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 10089 bytes




ComboFix 08-11-07.01 - David 2008-11-07 15:37:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2294 [GMT -5:00]
Running from: c:\documents and settings\David\Desktop\Combo--Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log

.
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com
2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-07 08:36 . 2008-11-07 08:37 <DIR> d-------- c:\program files\iTunes
2008-11-07 08:36 . 2008-11-07 08:36 <DIR> d-------- c:\program files\iPod
2008-11-07 08:36 . 2008-11-07 08:36 <DIR> d-------- c:\program files\Bonjour
2008-11-07 08:36 . 2008-11-07 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-07 08:23 . 2008-11-07 08:23 <DIR> d-------- c:\documents and settings\David\Application Data\acccore
2008-11-07 08:22 . 2008-11-07 08:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-07 08:22 . 2008-11-07 08:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-07 08:22 . 2008-11-07 08:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-07 08:22 . 2008-11-07 08:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-07 08:21 . 2008-11-07 08:21 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-07 08:18 . 2008-11-07 08:18 <DIR> d-------- c:\program files\Apple Software Update
2008-11-07 08:11 . 2008-11-07 08:11 <DIR> d-------- c:\program files\ACW
2008-11-07 07:33 . 2008-11-07 07:33 <DIR> d-------- c:\program files\Secunia
2008-11-07 01:36 . 2008-11-07 01:36 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-11-05 21:24 . 2008-11-05 21:26 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-05 19:00 . 2008-11-05 19:00 <DIR> d-------- c:\documents and settings\Diane.BEAR\Application Data\Malwarebytes
2008-11-05 18:47 . 2008-11-05 18:47 <DIR> d-------- c:\program files\Trend Micro
2008-11-04 18:44 . 2008-11-06 07:00 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-04 18:44 . 2008-11-04 18:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-03 22:37 . 2008-11-03 22:37 <DIR> d-------- c:\program files\Lavasoft
2008-11-03 22:37 . 2008-11-03 22:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-03 22:37 . 2008-11-03 22:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\documents and settings\David\Application Data\Malwarebytes
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-03 22:01 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-03 22:01 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-27 03:04 . 2008-10-27 03:04 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys
2008-10-24 06:57 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 08:20 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 08:20 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-15 08:20 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-15 08:19 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 08:19 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 08:19 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 14:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-07 14:02 --------- d-----w c:\program files\NCH Swift Sound
2008-11-07 14:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-07 13:59 --------- d-----w c:\program files\calendarmakereval
2008-11-07 13:31 --------- d-----w c:\program files\Java
2008-11-07 13:28 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-07 13:22 --------- d-----w c:\program files\AIM6
2008-11-07 13:19 --------- d-----w c:\program files\QuickTime
2008-11-07 13:18 --------- d-----w c:\program files\Common Files\Apple
2008-11-07 12:58 --------- d-----w c:\program files\Common Files\Adobe
2008-11-05 15:30 --------- d-----w c:\program files\Glary Utilities
2008-11-02 12:51 --------- d-----w c:\program files\SpeedFan
2008-10-31 17:24 --------- d-----w c:\program files\SqueezeCenter
2008-10-17 11:52 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-10-04 15:15 --------- d-----w c:\documents and settings\David\Application Data\GlarySoft
2008-09-29 11:12 --------- d-----w c:\program files\Paint.NET
2008-09-23 00:51 95,960 ----a-w c:\documents and settings\Rebecca.BEAR\Application Data\GDIPFONTCACHEV1.DAT
2008-09-20 10:44 99,648 ----a-w c:\windows\system32\drivers\AnyDVD.sys
2008-09-19 20:46 --------- d-----w c:\program files\IObit
2008-09-19 00:32 --------- d-----w c:\program files\Avidemux 2.4
2008-09-14 03:00 95,960 ----a-w c:\documents and settings\Diane.BEAR\Application Data\GDIPFONTCACHEV1.DAT
2008-09-08 10:41 333,824 ------w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-09-20 2177984]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-28 160592]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 1941784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-26 2209224]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-10-23 1968880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-28 160592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\David\Start Menu\Programs\Startup\
Secunia PSI (RC4).lnk - c:\program files\Secunia\PSI (RC4)\psi.exe [2008-10-29 695656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SqueezeCenter Tray Tool.lnk - c:\program files\SqueezeCenter\SqueezeTray.exe [2008-06-28 1728601]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Linksys Wireless-G Wireless Network Monitor\\WMP54GS.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe [2008-10-21 4149248]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2006-01-13 18864]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-10-27 7808]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;c:\windows\system32\NSNDIS5.SYS [2004-03-23 17280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a853402-2383-11dd-9258-000ea63f77b8}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-07 c:\windows\Tasks\At1.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At10.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At11.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At12.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At13.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At14.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At15.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-04 c:\windows\Tasks\At16.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-05 c:\windows\Tasks\At17.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-04 c:\windows\Tasks\At18.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-04 c:\windows\Tasks\At19.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At2.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At20.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At21.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At22.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At23.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At24.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At25.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At26.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At27.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At28.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At29.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At3.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At30.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At31.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At32.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At33.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At34.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At35.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At36.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At37.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At38.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At39.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At4.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-04 c:\windows\Tasks\At40.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-05 c:\windows\Tasks\At41.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-04 c:\windows\Tasks\At42.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-04 c:\windows\Tasks\At43.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At44.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At45.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At46.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At47.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At48.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At49.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At5.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At50.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At51.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At52.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At53.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At54.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At55.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At56.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At57.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At58.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At59.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At6.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At60.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At61.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At62.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At63.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-04 c:\windows\Tasks\At64.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-05 c:\windows\Tasks\At65.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-04 c:\windows\Tasks\At66.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-04 c:\windows\Tasks\At67.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At68.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At69.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At7.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At70.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At71.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At72.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At8.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At9.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-MXOBG - c:\documents and settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
HKLM-Run-CPMd379e946 - c:\windows\system32\piseraho.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\lqqjx91w.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://nytimes.com/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 15:41:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\hphipm09.exe
c:\progra~1\SQUEEZ~1\server\squeezecenter.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-07 15:45:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-07 20:45:37

Pre-Run: 250,804,277,248 bytes free
Post-Run: 250,828,390,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

348 --- E O F --- 2008-10-25 04:27:02

pskelley
2008-11-07, 22:34
Let's hope the infections SAS removed were what was causing the problem, combofix is not showing much. It may have removed what SAS did, but we will never know. Do you have the log from SAS? If so, I would like to see it.

Let's start here: Contents of the 'Scheduled Tasks' folder

The first one is 2008-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] <<< which is likely something you set.

But look at the others; I believe they were set by the infection. If you do not know what they are, then let's remove them. You can look here:
Go to the Scheduled Tasks applet in Control Panel, right-click the task you want to delete, and select Delete from the displayed context menu. Click Yes to confirm the deletion. Be aware that you can't delete tasks you've created with the Task Scheduler Wizard from the command line using the AT command. http://support.microsoft.com/kb/308671

This is running in the HJT log:
O4 - HKUS\S-1-5-19\..\Run: [desajewitu] Rundll32.exe "C:\WINDOWS\system32\miwefoda.dll",s (User 'LOCAL SERVICE')
Do you know what this is? If not, remove it with CFScript. Here is the Google search:
http://www.google.com/search?hl=en&q=miwefoda.dll&btnG=Search

Have a look down that HJT log for anything you do not know; the above item is the only one I cannot identify. If you wish to scan it before removing it, show all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

and scan with one or more of these free online scans:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
C:\WINDOWS\system32\miwefoda.dll <<< scan this file


Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\miwefoda.dll
c:\windows\system32\88Aoc21U.exe
c:\windows\system32\lR2dfi7G.exe
c:\windows\system32\36EG4DJf.exe

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Let me know how things are running now and post the SAS log if you have it so I can see what it removed.

Thanks
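A defender-side check for the pattern pskelley points at in the task list above, written as an added example that is not from this thread or from ComboFix, HijackThis or any other tool named in it: it parses the "Contents of the 'Scheduled Tasks' folder" block and flags the traits the At*.job entries share. The sample block is a constructed excerpt of the log posted above, and the heuristics (At<n>.job naming, an empty [] stamp, an 8-character executable name in system32, many jobs pointing at one target) are my own scoring, not ComboFix's logic.

```python
import re
from collections import defaultdict

# Constructed sample in the layout ComboFix uses under
# "Contents of the 'Scheduled Tasks' folder": a job line, then a "- target [stamp]" line.
# Names are copied from the log posted above; this is a trimmed excerpt, not the full list.
SAMPLE_TASKS = r"""
2008-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-07 c:\windows\Tasks\At1.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-04 c:\windows\Tasks\At16.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At25.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]
"""

JOB_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.*\\Tasks\\([^\\]+\.job))\s*$", re.IGNORECASE)
TARGET_LINE = re.compile(r"^- (.+?) \[(.*)\]\s*$")
AT_JOB = re.compile(r"^At\d+\.job$", re.IGNORECASE)   # jobs created with the AT command
RANDOM_EXE = re.compile(r"^[A-Za-z0-9]{8}\.exe$")     # e.g. 88Aoc21U.exe (heuristic, my own)
SYSTEM32 = "c:\\windows\\system32\\"


def parse_scheduled_tasks(text):
    """Return a list of dicts (date, job, target, stamp) from a ComboFix task block."""
    lines = text.splitlines()
    tasks = []
    for i, line in enumerate(lines[:-1]):
        m = JOB_LINE.match(line.rstrip())
        t = TARGET_LINE.match(lines[i + 1].rstrip()) if m else None
        if m and t:
            tasks.append({"date": m.group(1), "job": m.group(3),
                          "target": t.group(1), "stamp": t.group(2).strip()})
    return tasks


def flag_suspicious(tasks):
    """Score each task against the traits the At*.job entries above share.

    Returns {job_name: [reason, ...]} for every job with at least one reason;
    a job with no reasons (the Apple and Glary entries) is left out."""
    jobs_per_target = defaultdict(list)
    for t in tasks:
        jobs_per_target[t["target"].lower()].append(t["job"])

    findings = {}
    for t in tasks:
        target = t["target"].lower()
        exe = target.rsplit("\\", 1)[-1]
        reasons = []
        if AT_JOB.match(t["job"]):
            reasons.append("At<n>.job: created with the AT command, not the Task Scheduler UI")
        if t["stamp"] == "":
            reasons.append("empty [] stamp: ComboFix found no file date/version for the target")
        if target.startswith(SYSTEM32) and RANDOM_EXE.match(exe):
            reasons.append("8-character random-looking .exe in system32")
        siblings = jobs_per_target[target]
        if len(siblings) > 1:
            reasons.append(f"same target shared by {len(siblings)} jobs")
        if reasons:
            findings[t["job"]] = reasons
    return findings


if __name__ == "__main__":
    for job, reasons in flag_suspicious(parse_scheduled_tasks(SAMPLE_TASKS)).items():
        print(job)
        for reason in reasons:
            print("   -", reason)
```

Run against the full block from a ComboFix log, the jobs that collect several reasons are the ones worth checking in the Scheduled Tasks applet before anything is deleted; a single reason (an At job alone, say) is only a prompt to look.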

metamora
2008-11-07, 23:21
Sorry, but I cannot find the SAS logfile. It found about 15 infections that were very similar to the infections found by Malwarebytes - they were all Trojans with different extensions.

Here is the ComboFix Log:

ComboFix 08-11-07.01 - David 2008-11-07 17:08:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2129 [GMT -5:00]
Running from: c:\documents and settings\David\Desktop\Combo--Fix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\36EG4DJf.exe
c:\windows\system32\88Aoc21U.exe
c:\windows\system32\lR2dfi7G.exe
c:\windows\system32\miwefoda.dll
.

((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-07 16:58 . 2008-11-07 15:25 13,646 --a------ c:\windows\system32\wpa.dbl BACKUP
2008-11-07 16:28 . 2008-11-07 16:28 <DIR> d-------- c:\documents and settings\David\Application Data\TrueCrypt
2008-11-07 15:34 . 2008-11-07 17:08 <DIR> d-------- C:\ComboFix
2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com
2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-07 08:36 . 2008-11-07 08:37 <DIR> d-------- c:\program files\iTunes
2008-11-07 08:36 . 2008-11-07 08:36 <DIR> d-------- c:\program files\iPod
2008-11-07 08:36 . 2008-11-07 08:36 <DIR> d-------- c:\program files\Bonjour
2008-11-07 08:36 . 2008-11-07 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-07 08:23 . 2008-11-07 08:23 <DIR> d-------- c:\documents and settings\David\Application Data\acccore
2008-11-07 08:22 . 2008-11-07 08:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-07 08:22 . 2008-11-07 08:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-07 08:22 . 2008-11-07 08:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-07 08:22 . 2008-11-07 08:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-07 08:21 . 2008-11-07 08:21 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-07 08:18 . 2008-11-07 08:18 <DIR> d-------- c:\program files\Apple Software Update
2008-11-07 08:11 . 2008-11-07 08:11 <DIR> d-------- c:\program files\ACW
2008-11-07 07:33 . 2008-11-07 07:33 <DIR> d-------- c:\program files\Secunia
2008-11-07 01:36 . 2008-11-07 01:36 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-11-05 21:24 . 2008-11-05 21:26 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-05 19:00 . 2008-11-05 19:00 <DIR> d-------- c:\documents and settings\Diane.BEAR\Application Data\Malwarebytes
2008-11-05 18:47 . 2008-11-05 18:47 <DIR> d-------- c:\program files\Trend Micro
2008-11-04 18:44 . 2008-11-06 07:00 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-04 18:44 . 2008-11-04 18:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-03 22:37 . 2008-11-03 22:37 <DIR> d-------- c:\program files\Lavasoft
2008-11-03 22:37 . 2008-11-03 22:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-03 22:37 . 2008-11-03 22:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\documents and settings\David\Application Data\Malwarebytes
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-03 22:01 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-03 22:01 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-27 03:04 . 2008-10-27 03:04 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys
2008-10-24 06:57 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 08:20 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 08:20 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-15 08:20 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-15 08:19 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 08:19 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 08:19 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 21:24 --------- d-----w c:\program files\SpeedFan
2008-11-07 14:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-07 14:02 --------- d-----w c:\program files\NCH Swift Sound
2008-11-07 14:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-07 13:59 --------- d-----w c:\program files\calendarmakereval
2008-11-07 13:31 --------- d-----w c:\program files\Java
2008-11-07 13:28 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-07 13:22 --------- d-----w c:\program files\AIM6
2008-11-07 13:19 --------- d-----w c:\program files\QuickTime
2008-11-07 13:18 --------- d-----w c:\program files\Common Files\Apple
2008-11-07 12:58 --------- d-----w c:\program files\Common Files\Adobe
2008-11-05 15:30 --------- d-----w c:\program files\Glary Utilities
2008-10-31 17:24 --------- d-----w c:\program files\SqueezeCenter
2008-10-17 11:52 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-10-04 15:15 --------- d-----w c:\documents and settings\David\Application Data\GlarySoft
2008-09-29 11:12 --------- d-----w c:\program files\Paint.NET
2008-09-23 00:51 95,960 ----a-w c:\documents and settings\Rebecca.BEAR\Application Data\GDIPFONTCACHEV1.DAT
2008-09-20 10:44 99,648 ----a-w c:\windows\system32\drivers\AnyDVD.sys
2008-09-19 20:46 --------- d-----w c:\program files\IObit
2008-09-19 00:32 --------- d-----w c:\program files\Avidemux 2.4
2008-09-14 03:00 95,960 ----a-w c:\documents and settings\Diane.BEAR\Application Data\GDIPFONTCACHEV1.DAT
2008-09-08 10:41 333,824 ------w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-07_15.45.13.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-19 02:10:48 94,920 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 19:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
- 2008-07-19 02:10:48 94,920 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 19:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2008-07-19 02:09:44 563,912 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 19:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2008-07-19 02:10:42 53,448 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2008-07-19 02:09:42 1,811,656 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2008-07-19 02:09:46 325,832 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 19:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2008-07-19 02:10:20 36,552 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 19:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
- 2008-07-19 02:09:44 205,000 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 19:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
- 2008-11-07 19:55:38 294,864 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-11-07 22:11:33 294,864 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-07-19 02:07:34 270,880 ----a-w c:\windows\system32\mucltui.dll
+ 2008-10-16 19:06:48 268,648 ----a-w c:\windows\system32\mucltui.dll
- 2008-07-19 02:07:32 210,976 ----a-w c:\windows\system32\muweb.dll
+ 2008-10-16 19:06:48 208,744 ----a-w c:\windows\system32\muweb.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2008-07-19 02:09:44 563,912 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 19:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2008-07-19 02:10:42 53,448 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2008-07-19 02:09:42 1,811,656 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2008-07-19 02:09:46 325,832 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 19:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2008-07-19 02:10:20 36,552 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2008-07-19 02:10:40 45,768 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
- 2008-07-19 02:09:44 205,000 ----a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 19:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-09-20 2177984]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-28 160592]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 1941784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-26 2209224]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-10-23 1968880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-28 160592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\David\Start Menu\Programs\Startup\
Secunia PSI (RC4).lnk - c:\program files\Secunia\PSI (RC4)\psi.exe [2008-10-29 695656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SqueezeCenter Tray Tool.lnk - c:\program files\SqueezeCenter\SqueezeTray.exe [2008-06-28 1728601]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Linksys Wireless-G Wireless Network Monitor\\WMP54GS.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe [2008-10-21 4149248]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2006-01-13 18864]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-10-27 7808]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;c:\windows\system32\NSNDIS5.SYS [2004-03-23 17280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a853402-2383-11dd-9258-000ea63f77b8}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2909a84-ad12-11dd-80a1-000ea63f77b8}]
\Shell\AutoRun\command - f:\truecrypt\TrueCrypt.exe
\Shell\dismount\command - f:\truecrypt\TrueCrypt.exe /q /d
\Shell\start\command - f:\truecrypt\TrueCrypt.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 17:12:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\hphipm09.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\SQUEEZ~1\server\squeezecenter.exe
.
**************************************************************************
.
Completion time: 2008-11-07 17:16:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-07 22:16:16
ComboFix2.txt 2008-11-07 20:45:42

Pre-Run: 255,631,368,192 bytes free
Post-Run: 255,622,107,136 bytes free

230 --- E O F --- 2008-10-25 04:27:02

metamora
2008-11-07, 23:24
Things appear to be OK now. I removed all items in the scheduler. I would not have thought to look there. Hoping that this is licked, I'll leave the machine running overnight to see what happens. Thanks for all your help on this one.

metamora
2008-11-08, 05:00
It has been several hours and I think we have it licked. No errant popups. Computer is calm. Thank you for all your help, pskelley. I couldn't have navigated this one without your capable assistance. Let me know if you still need anything from me. I will be very careful from here on out.

pskelley
2008-11-08, 13:45
Thanks for taking the time to provide that feedback :bigthumb: safe surfing.

Phil