Spybot Disabled, Unwanted browser redirects, malware for sure



thechairman
2010-08-10, 20:25
I've been a user of Spybot for years and this is the first time it's failed to protect me. I'm amazed that I was able to get into the forum without being redirected, as when I search on any other topic I am immediately redirected to garbage sites. I believe I've followed all the pre-post instructions. Here is my DDS. Unfortunately, as I am running XP SP3 on this box and I don't have a file zipper utility installed, I cannot zip the other report. I have backed up my registry. Thanks in advance.
Owner

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 12:28:09.31 on Tue 08/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2218 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sttray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Sigaba\SigabaSecure\OutlookExpress\sigoetray.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Password Safe\pwsafe.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NUET49U2\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AdobeBridge] "c:\program files\adobe\adobe bridge cs4\Bridge.exe" -stealth
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\Owner~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\Owner~1\startm~1\programs\startup\passwo~1.lnk - c:\program files\password safe\pwsafe.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secure~1.lnk - c:\program files\sigaba\sigabasecure\outlookexpress\sigoetray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238251092606
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\Owner~1\applic~1\mozilla\firefox\profiles\rjgrleqn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\Owner converse\application data\mozilla\firefox\profiles\rjgrleqn.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Owner converse\application data\mozilla\firefox\profiles\rjgrleqn.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\Owner converse\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-8 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-2-26 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-3-18 11520]
S1 cfslmqfu;cfslmqfu;\??\c:\windows\system32\drivers\cfslmqfu.sys --> c:\windows\system32\drivers\cfslmqfu.sys [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

=============== Created Last 30 ================

2010-08-10 15:20:43 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-10 15:04:28 0 d-----w- c:\program files\VSO
2010-08-10 14:54:17 0 d-----w- c:\docume~1\Owner~1\applic~1\Philipp Winterberg
2010-08-10 14:54:13 0 d-----w- c:\program files\Free RAR Extract Frog
2010-08-07 12:29:19 8056520 ----a-w- c:\program files\common files\lpuninstall.exe
2010-08-07 12:29:18 0 d-----w- c:\program files\LastPass
2010-08-07 12:08:16 0 d-----w- c:\docume~1\Owner~1\applic~1\FireShot
2010-08-07 11:15:58 0 d-----w- c:\program files\VideoLAN
2010-08-07 11:08:32 0 d-----w- C:\DECCHECK
2010-08-05 12:19:25 0 d-----w- c:\program files\Super_DVD_Creator_9.8
2010-08-05 10:30:15 0 d-----w- c:\docume~1\Owner~1\applic~1\Sony Creative Software Inc
2010-08-05 10:26:23 0 d-----w- c:\program files\Sony
2010-07-29 14:34:35 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-07-20 14:00:36 0 d-----w- c:\program files\ClipArt
2010-07-20 13:59:04 0 d-----w- c:\program files\docs
2010-07-20 13:59:01 0 d-----w- c:\program files\Symbols
2010-07-20 13:58:58 0 d-----w- c:\program files\common files\SureThing Shared
2010-07-20 13:58:57 0 d-----w- c:\windows\MVUNINST
2010-07-20 13:58:57 0 d-----w- c:\program files\STCD
2010-07-17 11:50:47 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-08-08 15:04:25 231021 ----a-w- c:\windows\fonts\AdobeFnt11.lst
2010-06-24 13:48:37 88656 ----a-w- c:\windows\fonts\DidotLTStd-Italic.ttf
2010-06-24 13:48:19 135904 ----a-w- c:\windows\fonts\DidotLTStd-Roman.ttf
2010-06-24 13:48:04 108232 ----a-w- c:\windows\fonts\DidotLTStd-Headline.ttf
2010-06-24 13:47:05 51004 ----a-w- c:\windows\fonts\AkzidenzGroteskBE-Bold.ttf
2010-06-24 13:46:47 50192 ----a-w- c:\windows\fonts\AkzidenzGroteskBE-Light.ttf
2010-06-24 13:45:23 50940 ----a-w- c:\windows\fonts\Univers(10)
2010-06-24 13:44:54 53164 ----a-w- c:\windows\fonts\Univers(9)
2010-06-24 13:44:36 66396 ----a-w- c:\windows\fonts\Univers(8)
2010-06-24 13:43:56 50548 ----a-w- c:\windows\fonts\Univers(7)
2010-06-24 13:43:26 66704 ----a-w- c:\windows\fonts\Univers(6)
2010-06-24 13:43:08 70972 ----a-w- c:\windows\fonts\Univers(5)
2010-06-24 13:42:46 84556 ----a-w- c:\windows\fonts\Univers(4)
2010-06-24 13:42:29 85620 ----a-w- c:\windows\fonts\Univers(3)
2010-06-24 13:42:14 45516 ----a-w- c:\windows\fonts\Univers(2)
2010-06-24 13:40:33 71264 ----a-w- c:\windows\fonts\Trajan(2)
2010-06-24 13:40:18 71396 ----a-w- c:\windows\fonts\Trajan
2010-06-24 13:36:55 38860 ----a-w- c:\windows\fonts\Futura(15)
2010-06-24 13:36:38 38596 ----a-w- c:\windows\fonts\Futura(14)
2010-06-24 13:36:21 45784 ----a-w- c:\windows\fonts\Futura(13)
2010-06-24 13:36:02 38788 ----a-w- c:\windows\fonts\Futura(12)
2010-06-24 13:35:44 44592 ----a-w- c:\windows\fonts\Futura(11)
2010-06-24 13:35:29 38764 ----a-w- c:\windows\fonts\Futura(10)
2010-06-24 13:35:12 62188 ----a-w- c:\windows\fonts\Futura(9)
2010-06-24 13:35:01 75732 ----a-w- c:\windows\fonts\Futura(8)
2010-06-24 13:34:42 65612 ----a-w- c:\windows\fonts\Futura(7)
2010-06-24 13:34:09 38040 ----a-w- c:\windows\fonts\Futura(5)
2010-06-24 13:33:55 37272 ----a-w- c:\windows\fonts\Futura(4)
2010-06-24 13:33:40 37008 ----a-w- c:\windows\fonts\Futura(3)
2010-06-24 13:33:25 34924 ----a-w- c:\windows\fonts\Futura(2)
2010-06-24 13:33:08 35356 ----a-w- c:\windows\fonts\Futura
2010-06-24 13:28:42 56876 ----a-w- c:\windows\fonts\Frutiger(10)
2010-06-24 13:28:13 47836 ----a-w- c:\windows\fonts\Frutiger(9)
2010-06-24 13:27:47 42856 ----a-w- c:\windows\fonts\Frutiger(8)
2010-06-24 13:27:18 57056 ----a-w- c:\windows\fonts\Frutiger(7)
2010-06-24 13:27:04 40884 ----a-w- c:\windows\fonts\Frutiger(6)
2010-06-24 13:26:45 56284 ----a-w- c:\windows\fonts\Frutiger(5)
2010-06-24 13:26:28 57364 ----a-w- c:\windows\fonts\Frutiger(4)
2010-06-24 13:26:01 89772 ----a-w- c:\windows\fonts\Frutiger(3)
2010-06-24 13:22:08 40784 ----a-w- c:\windows\fonts\Frutiger
2010-06-24 13:21:27 79212 ----a-w- c:\windows\fonts\Trade(8)
2010-06-24 13:21:06 69592 ----a-w- c:\windows\fonts\Trade(7)
2010-06-24 13:20:47 82036 ----a-w- c:\windows\fonts\Trade(6)
2010-06-24 13:20:30 70748 ----a-w- c:\windows\fonts\Trade(5)
2010-06-24 13:20:14 75292 ----a-w- c:\windows\fonts\Trade(4)
2010-06-24 13:19:26 77384 ----a-w- c:\windows\fonts\Trade(2)
2010-06-24 13:14:51 39084 ----a-w- c:\windows\fonts\Humanist(14)
2010-06-24 13:14:31 37764 ----a-w- c:\windows\fonts\Humanist(13)
2010-06-24 13:14:10 40352 ----a-w- c:\windows\fonts\Humanist(12)
2010-06-24 13:13:32 41040 ----a-w- c:\windows\fonts\Humanist(11)
2010-06-24 13:13:12 35340 ----a-w- c:\windows\fonts\Humanist(10)
2010-06-24 13:12:54 35052 ----a-w- c:\windows\fonts\Humanist(9)
2010-06-24 13:12:38 38316 ----a-w- c:\windows\fonts\Humanist(8)
2010-06-24 13:12:22 36516 ----a-w- c:\windows\fonts\Humanist(7)
2010-06-24 13:11:44 35468 ----a-w- c:\windows\fonts\Humanist(6)
2010-06-24 13:11:22 34428 ----a-w- c:\windows\fonts\Humanist(5)
2010-06-24 13:10:43 35872 ----a-w- c:\windows\fonts\Humanist(3)
2010-06-24 13:10:26 38124 ----a-w- c:\windows\fonts\Humanist(2)
2010-06-24 13:07:38 39568 ----a-w- c:\windows\fonts\HelveticaNeue(4)
2010-06-24 13:07:14 39656 ----a-w- c:\windows\fonts\HelveticaNeue(3)
2010-06-24 13:06:30 40104 ----a-w- c:\windows\fonts\HelveticaNeue
2010-06-24 13:06:12 73176 ----a-w- c:\windows\fonts\Helvetica(2)
2010-06-24 13:05:54 51624 ----a-w- c:\windows\fonts\Helvetica
2010-06-24 13:05:05 72496 ----a-w- c:\windows\fonts\Minion(4)
2010-06-24 13:04:07 104588 ----a-w- c:\windows\fonts\Minion(3)
2010-06-24 13:03:29 98996 ----a-w- c:\windows\fonts\Minion(2)
2010-06-24 13:03:11 112712 ----a-w- c:\windows\fonts\Minion
2010-06-24 13:01:06 83084 ----a-w- c:\windows\fonts\Bell(4)
2010-06-24 13:00:45 37160 ----a-w- c:\windows\fonts\Bell(3)
2010-06-24 13:00:24 36372 ----a-w- c:\windows\fonts\Bell(2)
2010-06-24 12:52:22 70240 ----a-w- c:\windows\fonts\Trade
2010-06-24 11:46:49 150804 ----a-w- c:\windows\fonts\DroidSans-Bold.ttf
2010-06-24 11:46:49 149076 ----a-w- c:\windows\fonts\DroidSans.ttf
2010-06-24 11:45:38 95616 ----a-w- c:\windows\fonts\AllerDisplay.ttf
2010-06-24 11:45:38 134436 ----a-w- c:\windows\fonts\Aller_Rg.ttf
2010-06-24 11:45:38 132780 ----a-w- c:\windows\fonts\Aller_Lt.ttf
2010-06-24 11:45:38 123556 ----a-w- c:\windows\fonts\Aller_BdIt.ttf
2010-06-24 11:45:38 122296 ----a-w- c:\windows\fonts\Aller_LtIt.ttf
2010-06-24 11:45:38 120876 ----a-w- c:\windows\fonts\Aller_It.ttf
2010-06-24 11:45:37 128368 ----a-w- c:\windows\fonts\Aller_Bd.ttf
2010-06-24 11:43:15 62196 ----a-w- c:\windows\fonts\GeosansLight-Oblique.ttf
2010-06-24 11:43:15 60072 ----a-w- c:\windows\fonts\GeosansLight.ttf
2010-06-24 11:42:52 80460 ----a-w- c:\windows\fonts\mentone-semibol.otf
2010-06-24 11:42:30 52752 ----a-w- c:\windows\fonts\centabel.ttf
2010-06-24 11:42:07 83160 ----a-w- c:\windows\fonts\DAYROM__.ttf
2010-06-24 11:42:07 63035 ----a-w- c:\windows\fonts\TLDPR2.jpg
2010-06-24 11:42:07 61529 ----a-w- c:\windows\fonts\TLDPR5.jpg
2010-06-24 11:42:07 57839 ----a-w- c:\windows\fonts\TLDPR1.jpg
2010-06-24 11:42:07 5707 ----a-w- c:\windows\fonts\DAY-O.txt
2010-06-24 11:42:07 30088 ----a-w- c:\windows\fonts\DAYROM_X.ttf
2010-06-24 11:42:07 19005 ----a-w- c:\windows\fonts\TLDPR4.jpg
2010-06-24 11:42:07 14708 ----a-w- c:\windows\fonts\TLDPR3.jpg
2010-06-24 11:41:40 128936 ----a-w- c:\windows\fonts\KIN668.TTF
2010-06-24 11:19:18 21764 ----a-w- c:\windows\fonts\SLANT.TTF
2010-06-24 11:18:54 9850 ----a-w- c:\windows\fonts\read_me.html
2010-06-24 11:18:54 55820 ----a-w- c:\windows\fonts\bluehigh.ttf
2010-06-24 11:18:54 52456 ----a-w- c:\windows\fonts\bluecond.ttf
2010-06-24 11:18:54 51728 ----a-w- c:\windows\fonts\bluebold.ttf
2010-06-24 11:18:54 41460 ----a-w- c:\windows\fonts\BLUEHIGD.TTF
2010-06-24 11:18:54 34884 ----a-w- c:\windows\fonts\bluehigl.ttf
2009-06-28 23:01:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-06-28 23:01:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009062820090629\index.dat
2009-06-28 23:01:57 32768 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

============= FINISH: 12:29:18.29 ===============
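The log above already contains the three kinds of entry a forum helper scans for first: a Hosts line pointing a security site at 127.0.0.1, a service/driver line whose image file DDS could not find (the trailing "[?]"), and an orphaned toolbar entry ("No File"). The script below is an added example, not part of this thread and not something the DDS tool itself does; it runs those checks over a handful of lines copied from the log. The SECURITY_DOMAINS set and the random-name heuristic (lowercase, 6 to 10 letters, few vowels) are the example's own assumptions, and a "[?]" on its own is not evidence of anything: DDS prints it for the legitimate QuickBooksDB17 service too, so the script only escalates when the missing file also has a random-looking name and otherwise just asks for a manual check.

```python
import re
from dataclasses import dataclass

# Assumption: domains a victim needs to reach for help or updates. A hosts entry that
# points any of these at loopback is worth a closer look. Extend the set as required.
SECURITY_DOMAINS = {
    "www.spywareinfo.com",
    "www.safer-networking.org",
    "www.bleepingcomputer.com",
    "www.gmer.net",
    "update.microsoft.com",
}

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-8 64288]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S1 cfslmqfu;cfslmqfu;\??\c:\windows\system32\drivers\cfslmqfu.sys --> c:\windows\system32\drivers\cfslmqfu.sys [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
# DDS service/driver lines: <R|S><start type> <name>;<display name>;<image path> [<date size>] or [?]
SVC_RE = re.compile(r"^(?P<kind>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
ADDON_RE = re.compile(r"^(?:BHO|TB):.*-\s+No File\s*$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,10}$")


@dataclass
class Finding:
    severity: str   # "high", "low" or "info"
    line: str
    reason: str


def looks_random(name: str) -> bool:
    """Assumed heuristic: an all-lowercase 6-10 letter name with under 30% vowels."""
    if not RANDOM_NAME_RE.match(name):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < 0.3


def triage(dds_text: str) -> list[Finding]:
    """Walk a DDS log and return the entries a helper would want to look at first."""
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.group("ip"), m.group("host").lower()
            if ip in ("127.0.0.1", "0.0.0.0", "::1") and host in SECURITY_DOMAINS:
                findings.append(Finding("high", line, f"hosts file blocks security site {host}"))
        elif m := SVC_RE.match(line):
            name, image = m.group("name"), m.group("image")
            missing = image.rstrip().endswith("[?]")   # DDS could not stat the image file
            if missing and looks_random(name):
                findings.append(Finding("high", line,
                    f"service/driver {name!r}: random-looking name and image file not found"))
            elif missing:
                findings.append(Finding("info", line,
                    f"service/driver {name!r}: image file not found, verify manually"))
        elif ADDON_RE.match(line):
            findings.append(Finding("low", line, "orphaned browser add-on entry (No File)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:4}] {f.reason}\n        {f.line}")
```

The script is deliberately conservative: it never declares an entry malicious, it only orders the log so that the Hosts redirect and the nameless driver come up before the dozens of legitimate Adobe, HP and Apple entries, which is the same ordering a helper applies by eye before asking for the GMER log.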

km2357
2010-08-17, 21:11
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:


Step # 1 Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.




Step # 2: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error, etc.!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

km2357
2010-08-20, 21:04
thechairman? Do you still need help?

km2357
2010-08-23, 21:05
This topic has been archived due to inactivity.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start a new topic.