Hello again,
Original problem on this link.... http://forums.spybot.info/showthread.php?t=9374
Google links and favorites are still working okay, however, any 404 page not found errors are automatically redirected to a dubious search engine site.
Hello
Do post a fresh HijackThis log.
Also: post a ComboFix log.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com...h/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the log is large, you might need to post half in one reply and half in another.
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft MVP Windows-Security 2006
Hi Lonny,
Thanks for the reply.
Logs are as follows....
Logfile of HijackThis v1.99.1
Scan saved at 21:29:23, on 04/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AceGain\LiveUpdate\aceagent.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Sean Debling\My Documents\Unzipped\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"Sean Debling" - 07-01-04 21:31:13.71 Service Pack 2
ComboFix 07-01-04W-BetaE2 - Running from: "C:\Documents and Settings\Sean Debling\Desktop\Security"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
d:\autorun.inf" . . . . failed to delete
e:\autorun.inf" . . . . failed to delete
((((((((((((((((((((((((((((((( Files Created from 2006-12-04 to 2007-01-04 ))))))))))))))))))))))))))))))))))
2006-12-27 13:25 <DIR> d-------- C:\Program Files\NovaLogic
2006-12-25 09:06 <DIR> d-------- C:\Program Files\Call of Duty
2006-12-21 21:50 92,728 --------- C:\WINDOWS\system32\bass.dll
2006-12-21 21:50 <DIR> d-------- C:\Program Files\You Ripper
2006-12-20 19:44 <DIR> d-------- C:\Program Files\Electronic Arts
2006-12-13 18:11 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-13 18:10 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-11 23:27 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\OfficeUpdate12
2006-12-11 21:39 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\WBEM
2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-12-11 21:38 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-12-11 21:37 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-11 21:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-12-11 21:33 <DIR> d-------- C:\e17da79eb306db570881
2006-12-05 21:08 <DIR> d-------- C:\Themes
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-04 13:38 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\adobe
2007-01-02 13:45 -------- d-------- C:\Program Files\java
2006-12-29 16:11 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2006-12-27 13:32 -------- d--h----- C:\Program Files\installshield installation information
2006-12-11 23:47 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\officeupdate12
2006-12-11 23:39 -------- d-------- C:\Program Files\microsoft works
2006-12-10 13:33 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-10 13:33 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-07 05:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-05 21:20 2560 --a--c--- C:\WINDOWS\_msrstrt.exe
2006-12-05 21:18 -------- d-------- C:\Program Files\Common Files\stardock
2006-11-30 11:58 -------- d-------- C:\Program Files\quicktime
2006-11-30 11:48 -------- d-------- C:\Program Files\finepixviewer
2006-11-26 12:51 98304 --a--c--- C:\WINDOWS\system32\cmdlineext.dll
2006-11-26 12:48 -------- d-------- C:\Program Files\gameshadow
2006-11-26 12:45 86016 --a------ C:\WINDOWS\system32\openal32.dll
2006-11-26 12:45 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-11-26 12:38 -------- d-------- C:\Program Files\konami
2006-11-16 19:47 524288 --a------ C:\WINDOWS\opuc.dll
2006-11-15 23:42 -------- d-------- C:\Program Files\ashampoo
2006-11-15 22:45 -------- d-------- C:\Program Files\Common Files\fellowes
2006-11-15 22:43 1425594 --a--c--- C:\WINDOWS\recorder.reg
2006-11-15 22:43 1065 --a------ C:\WINDOWS\newrecorder.reg
2006-11-15 22:43 -------- d-------- C:\Program Files\pinnacle
2006-11-11 22:20 -------- d-------- C:\Program Files\grisoft
2006-11-11 20:24 -------- d-------- C:\Program Files\Common Files\java
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-06 23:43 4966912 --a------ C:\WINDOWS\system32\logonuix.exe
2006-11-04 21:48 -------- d---s---- C:\Documents and Settings\Sean Debling\Application Data\microsoft
2006-11-04 15:27 -------- d-------- C:\Program Files\thq
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 13:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 21:54 1024 --a--c--- C:\Documents and Settings\Sean Debling\Application Data\wavcodec.wff
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 12:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 12:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Start WingMan Profiler"=""
"Steam"=""
"tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PtiuPbmd"="Rundll32.exe ptipbm.dll,SetWriteBack"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"CARPService"="carpserv.exe"
"GSICONEXE"="GSICON.EXE"
"DSLAGENTEXE"="dslagent.exe USB"
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AceGain LiveUpdate"="C:\\Program Files\\AceGain\\LiveUpdate\\LiveUpdate.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0F2.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Ip6FwHlp
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Autorun.exe
Completion time: 07-01-04 21:43:46.17
Incidentally, I've noticed a new folder called e17da79eb306db570881 that has appeared. All that is inside is a text document called msxml4-KB927978-enu that has loads and loads of writing in it. I fear it will take at least 3 of these messages to convey it all. Any ideas?
Hi
That new folder is due to a Windows update.
If you have any flash drives, memory cards or USB disks, plug them in.
Run ComboFix again and post its log please.
Also, what are your D and E drives?
What does this "dubious search engine site" look like?
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft MVP Windows-Security 2006
The D drive is the DVD drive and the E drive is the CD-RW drive.
I've taken some screenshots to show what these sites look like:
http://img99.imageshack.us/img99/5142/404v1hu1.jpg
http://img99.imageshack.us/img99/9875/404v2ct0.jpg
http://img99.imageshack.us/img99/3107/404v3vz6.jpg
http://img69.imageshack.us/img69/6981/404v4xm8.jpg
http://img99.imageshack.us/img99/4761/404v5yb9.jpg
As you can see, it's the same sort of interface (except one) using two fictitious web addresses. I don't use any USB sticks etc. I'll run the combo tonight and post the log (on my lunch hour at the moment).
Combo as follows:
"Sean Debling" - 07-01-05 20:30:14.53 Service Pack 2
ComboFix 07-01-04W-BetaE2 - Running from: "C:\Documents and Settings\Sean Debling\Desktop\Security"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
d:\autorun.inf" . . . . failed to delete
((((((((((((((((((((((((((((((( Files Created from 2006-12-05 to 2007-01-05 ))))))))))))))))))))))))))))))))))
2007-01-04 23:53 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\Ashampoo Photo Commander 3
2007-01-04 23:11 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-01-04 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-01-04 23:10 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\Corel
2006-12-27 13:25 <DIR> d-------- C:\Program Files\NovaLogic
2006-12-25 09:06 <DIR> d-------- C:\Program Files\Call of Duty
2006-12-21 21:50 92,728 --------- C:\WINDOWS\system32\bass.dll
2006-12-21 21:50 <DIR> d-------- C:\Program Files\You Ripper
2006-12-20 19:44 <DIR> d-------- C:\Program Files\Electronic Arts
2006-12-13 18:11 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-13 18:10 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-11 23:27 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\OfficeUpdate12
2006-12-11 21:39 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\WBEM
2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-12-11 21:38 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-12-11 21:37 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-11 21:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-12-11 21:33 <DIR> d-------- C:\e17da79eb306db570881
2006-12-05 21:08 <DIR> d-------- C:\Themes
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-04 23:53 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\ashampoo photo commander 3
2007-01-04 23:48 -------- d-------- C:\Program Files\ashampoo
2007-01-04 23:20 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\corel
2007-01-04 13:38 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\adobe
2007-01-02 13:45 -------- d-------- C:\Program Files\java
2006-12-29 16:11 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2006-12-27 13:32 -------- d--h----- C:\Program Files\installshield installation information
2006-12-11 23:47 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\officeupdate12
2006-12-11 23:39 -------- d-------- C:\Program Files\microsoft works
2006-12-10 13:33 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-10 13:33 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-07 05:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-05 21:20 2560 --a--c--- C:\WINDOWS\_msrstrt.exe
2006-12-05 21:18 -------- d-------- C:\Program Files\Common Files\stardock
2006-11-30 11:58 -------- d-------- C:\Program Files\quicktime
2006-11-30 11:48 -------- d-------- C:\Program Files\finepixviewer
2006-11-26 12:51 98304 --a--c--- C:\WINDOWS\system32\cmdlineext.dll
2006-11-26 12:48 -------- d-------- C:\Program Files\gameshadow
2006-11-26 12:45 86016 --a------ C:\WINDOWS\system32\openal32.dll
2006-11-26 12:45 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-11-26 12:38 -------- d-------- C:\Program Files\konami
2006-11-16 19:47 524288 --a------ C:\WINDOWS\opuc.dll
2006-11-15 22:45 -------- d-------- C:\Program Files\Common Files\fellowes
2006-11-15 22:43 1425594 --a--c--- C:\WINDOWS\recorder.reg
2006-11-15 22:43 1065 --a------ C:\WINDOWS\newrecorder.reg
2006-11-15 22:43 -------- d-------- C:\Program Files\pinnacle
2006-11-11 22:20 -------- d-------- C:\Program Files\grisoft
2006-11-11 20:24 -------- d-------- C:\Program Files\Common Files\java
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-06 23:43 4966912 --a------ C:\WINDOWS\system32\logonuix.exe
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 13:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 21:54 1024 --a--c--- C:\Documents and Settings\Sean Debling\Application Data\wavcodec.wff
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 12:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 12:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Start WingMan Profiler"=""
"Steam"=""
"tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PtiuPbmd"="Rundll32.exe ptipbm.dll,SetWriteBack"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"CARPService"="carpserv.exe"
"GSICONEXE"="GSICON.EXE"
"DSLAGENTEXE"="dslagent.exe USB"
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AceGain LiveUpdate"="C:\\Program Files\\AceGain\\LiveUpdate\\LiveUpdate.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0F2.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Ip6FwHlp
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Autorun.exe
Completion time: 07-01-05 20:42:29.67