Browser hijacked & Broadcaster.com popups

**Gcarp** · 2007-04-06, 03:03

2007-04-04 17:13 147,456 --a------ C:\WINDOWS\system32\odbctrac.dll
2007-04-04 17:13 143,872 --a------ C:\WINDOWS\system32\msimtf.dll
2007-04-04 17:13 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-04-04 17:13 137,216 --a------ C:\WINDOWS\system32\ntshrui.dll
2007-04-04 17:13 135,680 --a------ C:\WINDOWS\system32\rdchost.dll
2007-04-04 17:13 134,144 --a------ C:\WINDOWS\regedit.exe
2007-04-04 17:13 133,632 --a------ C:\WINDOWS\system32\rsaenh.dll
2007-04-04 17:13 133,120 --a------ C:\WINDOWS\system32\sfc_os.dll
2007-04-04 17:13 131,072 --a------ C:\WINDOWS\system32\msorcl32.dll
2007-04-04 17:13 130,560 --a------ C:\WINDOWS\system32\sti_ci.dll
2007-04-04 17:13 13,824 --a------ C:\WINDOWS\system32\rassapi.dll
2007-04-04 17:13 13,312 --a------ C:\WINDOWS\system32\ssstars.scr
2007-04-04 17:13 13,056 --------- C:\WINDOWS\system32\drivers\wacompen.sys
2007-04-04 17:13 128,512 --a------ C:\WINDOWS\system32\taskmgr.exe
2007-04-04 17:13 122,880 --a------ C:\WINDOWS\system32\odbcconf.dll
2007-04-04 17:13 12,800 --a------ C:\WINDOWS\system32\runonce.exe
2007-04-04 17:13 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-04-04 17:13 12,288 --a------ C:\WINDOWS\system32\odbcp32r.dll
2007-04-04 17:13 12,047 --------- C:\WINDOWS\system32\drivers\atinpdxx.sys
2007-04-04 17:13 117,760 --a------ C:\WINDOWS\system32\stobject.dll
2007-04-04 17:13 115,200 --a------ C:\WINDOWS\system32\net1.exe
2007-04-04 17:13 113,664 --a------ C:\WINDOWS\system32\msvfw32.dll
2007-04-04 17:13 112,128 --a------ C:\WINDOWS\system32\ntmarta.dll
2007-04-04 17:13 110,080 --------- C:\WINDOWS\system32\sbeio.dll
2007-04-04 17:13 11,904 --------- C:\WINDOWS\system32\drivers\mutohpen.sys
2007-04-04 17:13 11,776 --a------ C:\WINDOWS\system32\sigtab.dll
2007-04-04 17:13 11,615 --------- C:\WINDOWS\system32\drivers\atinmdxx.sys
2007-04-04 17:13 109,568 --a------ C:\WINDOWS\system32\offfilt.dll
2007-04-04 17:13 10,752 --a------ C:\WINDOWS\system32\tracert.exe
2007-04-04 17:13 10,240 --a------ C:\WINDOWS\system32\msrle32.dll
2007-04-04 17:13 1,677,312 --------- C:\WINDOWS\system32\wmvcore2.dll
2007-04-04 17:13 1,350,144 --a------ C:\WINDOWS\system32\query.dll
2007-04-04 17:13 1,157,632 --a------ C:\WINDOWS\system32\sfcfiles.dll
2007-04-04 17:12 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-04-04 17:12 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2007-04-04 17:12 9,216 --a------ C:\WINDOWS\system32\dumprep.exe
2007-04-04 17:12 802,304 --a------ C:\WINDOWS\system32\dxmrtp.dll
2007-04-04 17:12 8,832 --a------ C:\WINDOWS\system32\framebuf.dll
2007-04-04 17:12 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-04-04 17:12 78,336 --a------ C:\WINDOWS\system32\irmon.dll
2007-04-04 17:12 76,288 --a------ C:\WINDOWS\system32\dfrgfat.exe
2007-04-04 17:12 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-04-04 17:12 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-04-04 17:12 73,728 --a------ C:\WINDOWS\system32\ils.dll
2007-04-04 17:12 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-04-04 17:12 70,656 --a------ C:\WINDOWS\system32\defrag.exe
2007-04-04 17:12 70,144 --a------ C:\WINDOWS\system32\cryptdlg.dll
2007-04-04 17:12 7,040 --a------ C:\WINDOWS\system32\kd1394.dll
2007-04-04 17:12 68,608 --a------ C:\WINDOWS\system32\mscms.dll
2007-04-04 17:12 67,584 --a------ C:\WINDOWS\system32\msctfp.dll
2007-04-04 17:12 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2007-04-04 17:12 64,512 --a------ C:\WINDOWS\system32\ciodm.dll
2007-04-04 17:12 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-04-04 17:12 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-04-04 17:12 596,480 --a------ C:\WINDOWS\system32\INETCOMM.DLL
2007-04-04 17:12 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-04-04 17:12 59,392 --a------ C:\WINDOWS\system32\iesetup.dll
2007-04-04 17:12 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2007-04-04 17:12 55,296 --a------ C:\WINDOWS\system32\digest.dll
2007-04-04 17:12 54,272 --a------ C:\WINDOWS\system32\clusapi.dll
2007-04-04 17:12 51,712 --a------ C:\WINDOWS\system32\ipconfig.exe
2007-04-04 17:12 504,320 --a------ C:\WINDOWS\system32\logonui.exe
2007-04-04 17:12 498,205 --a------ C:\WINDOWS\system32\dxmasf.dll
2007-04-04 17:12 49,664 --a------ C:\WINDOWS\system32\ixsso.dll
2007-04-04 17:12 49,152 --a------ C:\WINDOWS\system32\eventlog.dll
2007-04-04 17:12 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-04-04 17:12 489,984 --a------ C:\WINDOWS\system32\dbghelp.dll
2007-04-04 17:12 45,568 --a------ C:\WINDOWS\system32\docprop2.dll
2007-04-04 17:12 41,472 --a------ C:\WINDOWS\system32\cmdl32.exe
2007-04-04 17:12 4,126 --a------ C:\WINDOWS\system32\msdxmlc.dll
2007-04-04 17:12 381,440 --a------ C:\WINDOWS\system32\lmrt.dll
2007-04-04 17:12 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-04-04 17:12 36,922 --a------ C:\WINDOWS\system32\imeshare.dll
2007-04-04 17:12 35,328 --a------ C:\WINDOWS\system32\dfrgsnap.dll
2007-04-04 17:12 324,608 --a------ C:\WINDOWS\system32\cmdial32.dll
2007-04-04 17:12 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-04-04 17:12 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-04-04 17:12 318,464 --a------ C:\WINDOWS\system32\ippromon.dll
2007-04-04 17:12 307,712 --a------ C:\WINDOWS\system32\cscui.dll
2007-04-04 17:12 30,208 --a------ C:\WINDOWS\system32\imgutil.dll
2007-04-04 17:12 28,672 --a------ C:\WINDOWS\system32\dbnmpntw.dll
2007-04-04 17:12 27,648 --a------ C:\WINDOWS\system32\pidgen.dll
2007-04-04 17:12 266,752 --a------ C:\WINDOWS\system32\msctf.dll
2007-04-04 17:12 263,680 --a------ C:\WINDOWS\system32\duser.dll
2007-04-04 17:12 263,168 --a------ C:\WINDOWS\system32\devmgr.dll
2007-04-04 17:12 25,600 --a------ C:\WINDOWS\system32\dfsshlex.dll
2007-04-04 17:12 240,640 --a------ C:\WINDOWS\system32\hnetcfg.dll
2007-04-04 17:12 24,576 --a------ C:\WINDOWS\system32\dbmsvinn.dll
2007-04-04 17:12 24,576 --a------ C:\WINDOWS\system32\dbmsrpcn.dll
2007-04-04 17:12 24,576 --a------ C:\WINDOWS\system32\conime.exe
2007-04-04 17:12 238,592 --a------ C:\WINDOWS\system32\compatui.dll
2007-04-04 17:12 237,056 --a------ C:\WINDOWS\system32\icm32.dll
2007-04-04 17:12 227,840 --a------ C:\WINDOWS\system32\dsquery.dll
2007-04-04 17:12 219,648 --a------ C:\WINDOWS\system32\logon.scr
2007-04-04 17:12 210,944 --a------ C:\WINDOWS\system32\moricons.dll
2007-04-04 17:12 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2007-04-04 17:12 20,480 --a------ C:\WINDOWS\system32\dbmsadsn.dll
2007-04-04 17:12 196,096 --a------ C:\WINDOWS\system32\mobsync.dll
2007-04-04 17:12 19,456 --a------ C:\WINDOWS\system32\licmgr10.dll
2007-04-04 17:12 19,456 --a------ C:\WINDOWS\system32\fontview.exe
2007-04-04 17:12 19,456 --a------ C:\WINDOWS\system32\ersvc.dll
2007-04-04 17:12 186,880 --a------ C:\WINDOWS\system32\certcli.dll
2007-04-04 17:12 178,688 --a------ C:\WINDOWS\system32\eudcedit.exe
2007-04-04 17:12 168,960 --a------ C:\WINDOWS\system32\dinput8.dll
2007-04-04 17:12 165,376 --a------ C:\WINDOWS\system32\els.dll
2007-04-04 17:12 163,840 --a------ C:\WINDOWS\system32\mindex.dll
2007-04-04 17:12 16,384 --a------ C:\WINDOWS\system32\ds32gt.dll
2007-04-04 17:12 158,720 --a------ C:\WINDOWS\system32\credui.dll
2007-04-04 17:12 151,552 --a------ C:\WINDOWS\system32\dinput.dll
2007-04-04 17:12 135,680 --a------ C:\WINDOWS\system32\dsprop.dll
2007-04-04 17:12 13,312 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-04-04 17:12 124,928 --a------ C:\WINDOWS\system32\dssenh.dll
2007-04-04 17:12 123,904 --a------ C:\WINDOWS\system32\imapi.exe
2007-04-04 17:12 12,288 --a------ C:\WINDOWS\system32\mscpx32r.dll
2007-04-04 17:12 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2007-04-04 17:12 115,200 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-04-04 17:12 114,176 --a------ C:\WINDOWS\system32\input.dll
2007-04-04 17:12 113,152 --a------ C:\WINDOWS\system32\idq.dll
2007-04-04 17:12 113,152 --a------ C:\WINDOWS\system32\dfrgui.dll
2007-04-04 17:12 103,936 --a------ C:\WINDOWS\system32\imm32.dll
2007-04-04 17:12 103,424 --a------ C:\WINDOWS\system32\dgnet.dll
2007-04-04 17:12 10,240 --a------ C:\WINDOWS\system32\localui.dll
2007-04-04 17:12 1,740 --a------ C:\WINDOWS\system32\dcache.bin
2007-04-04 17:12 1,128,960 --a------ C:\WINDOWS\system32\mmcndmgr.dll
2007-04-04 17:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-04-04 17:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-04-04 17:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-04-04 17:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-04-04 17:11 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-04-04 17:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-04-04 17:11 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-04-04 17:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-04-04 17:11 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-04-04 17:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-04-04 17:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-04-03 17:30 119,822 --a------ C:\WINDOWS\system32\__c002423A.dat
2007-03-31 12:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-03-31 08:43 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-03-27 17:47 118,798 --a------ C:\WINDOWS\system32\__c001550F.dat
2007-03-25 14:27 38,400 --a------ C:\WINDOWS\system32\grpconv.exe
2007-03-25 14:26 316,928 --a------ C:\WINDOWS\system32\zipfldr.dll
2007-03-25 14:24 30,720 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-03-25 14:22 260,096 --a------ C:\WINDOWS\system32\mstask.dll
2007-03-25 14:22 172,544 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-03-25 14:22 10,752 --a------ C:\WINDOWS\system32\mstinit.exe
2007-03-25 14:22 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-03-25 14:13 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2007-03-25 11:56 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-25 11:55 <DIR> d-------- C:\DOCUME~1\Betty\.housecall6.6
2007-03-25 11:54 <DIR> d-------- C:\WINDOWS\Sun
2007-03-25 11:54 <DIR> d-------- C:\DOCUME~1\Betty\APPLIC~1\Sun
2007-03-25 11:52 <DIR> d-------- C:\Program Files\Java
2007-03-25 11:49 <DIR> d-------- C:\Program Files\Common Files\Java
2007-03-25 09:19 118,798 --a------ C:\WINDOWS\system32\__c00B34CD.dat
2007-03-21 15:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-21 14:11 118,798 --a------ C:\WINDOWS\system32\__c00A2C2.dat
2007-03-18 09:31 24,192 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-03-17 14:25 0 --a------ C:\WINDOWS\YOURAPP.EXE
2007-03-17 14:25 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-03-17 14:25 0 --a------ C:\WINDOWS\ORUN32.EXE
2007-03-17 14:25 0 --a------ C:\WINDOWS\CPQDIAG.EXE
2007-03-17 14:16 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-03-17 14:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-03-17 14:16 <DIR> d-------- C:\DOCUME~1\Betty\APPLIC~1\SUPERAntiSpyware.com
2007-03-17 14:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-17 13:54 <DIR> d-------- C:\DOCUME~1\Betty\APPLIC~1\Yahoo!
2007-03-17 08:57 118,798 --a------ C:\WINDOWS\system32\__c00A987E.dat
2007-03-15 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-03-15 17:59 74,864 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-03-15 17:59 629,264 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-03-15 17:59 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-03-15 17:59 21,031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-03-15 17:59 15,735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-03-15 17:59 15,478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-03-15 17:59 115,824 --a------ C:\WINDOWS\UnVet32.exe
2007-03-15 17:59 111,728 --a------ C:\WINDOWS\AVShlExt.dll
2007-03-15 17:59 108,592 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-03-15 17:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-03-15 17:58 95,344 --a------ C:\WINDOWS\system32\ISafeIf.dll
2007-03-15 17:58 89,088 --a------ C:\WINDOWS\system32\ATL71.DLL
2007-03-15 17:58 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2007-03-15 17:58 74,864 --a------ C:\WINDOWS\system32\iSafProd.dll
2007-03-15 17:58 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2007-03-15 17:58 243,824 --a------ C:\WINDOWS\unicows.dll
2007-03-15 17:58 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-03-15 17:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-03-14 19:55 <DIR> d-------- C:\Program Files\PlayLinc
2007-03-14 19:43 <DIR> d-------- C:\Program Files\SupportSoft
2007-03-14 18:51 3,474 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-14 18:49 1,310,720 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-14 18:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-03-14 18:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-03-14 18:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
2007-03-11 11:16 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-03-10 19:10 <DIR> d-------- C:\DOCUME~1\Betty\APPLIC~1\Google
2007-03-10 19:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-03-05 19:47 9,546 --a------ C:\WINDOWS\system32\__c00B6700.dat
2007-03-05 19:47 9,546 --a------ C:\WINDOWS\system32\__c0047460.dat

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-05 20:29 9546 --a------ C:\WINDOWS\system32\__c0047460.dat
2007-04-04 17:56 -------- d-------- C:\Program Files\messenger
2007-04-04 17:19 -------- d-------- C:\Program Files\movie maker
2007-04-03 17:30 119822 --a------ C:\WINDOWS\system32\__c002423a.dat
2007-03-27 17:47 118798 --a------ C:\WINDOWS\system32\__c001550f.dat
2007-03-25 09:19 118798 --a------ C:\WINDOWS\system32\__c00b34cd.dat
2007-03-21 15:10 22852 --a------ C:\WINDOWS\compaq.reg
2007-03-21 14:11 118798 --a------ C:\WINDOWS\system32\__c00a2c2.dat
2007-03-17 15:34 -------- d-------- C:\Program Files\yahoo!
2007-03-17 14:25 -------- d-------- C:\Program Files\palm
2007-03-17 14:15 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-17 08:57 118798 --a------ C:\WINDOWS\system32\__c00a987e.dat
2007-03-14 19:52 -------- d-------- C:\Program Files\verizon
2007-03-11 10:13 -------- d--h----- C:\Program Files\installshield installation information
2007-03-11 10:13 -------- d-------- C:\Program Files\Common Files\installshield
2007-03-05 19:47 9546 --a------ C:\WINDOWS\system32\__c00b6700.dat
2007-03-04 16:41 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-04 14:42 -------- d-------- C:\Program Files\lavasoft
2007-03-04 14:42 -------- d-------- C:\DOCUME~1\Betty\APPLIC~1\lavasoft
2007-03-01 22:05 -------- d-------- C:\Program Files\lizardtech
2007-03-01 22:05 -------- d-------- C:\Program Files\Common Files\lizardtech shared
2007-02-14 19:45 -------- d-------- C:\Program Files\Common Files\supportsoft
2007-02-13 22:15 -------- d-------- C:\DOCUME~1\Betty\APPLIC~1\verizon
2007-02-13 22:14 -------- d-------- C:\Program Files\Common Files\motive
2007-02-13 21:20 -------- d-------- C:\Program Files\netzero
2007-02-13 21:19 4094 --a------ C:\WINDOWS\system32\rtcsses.dll
2007-02-10 11:59 -------- d-------- C:\Program Files\nzsearch
2007-02-10 11:54 180952 --a------ C:\DOCUME~1\Betty\APPLIC~1\shb.dat
2007-01-08 15:29 75512 --a------ C:\WINDOWS\zllsputility.exe
2007-01-08 15:29 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"spc_w"="\"C:\\Program Files\\NZSearch\\nzspc.exe\" -w"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VerizonServicepoint.exe"="C:\\Program Files\\Verizon\\Servicepoint\\VerizonServicepoint.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"Cpqset"="c:\\compaq\\cpqsetup\\cpqset.exe"
"AtiPTA"="atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\Verizon\\SMARTB~1\\MotiveSB.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"eabconfg.cpl"="C:\\Program Files\\Compaq\\EAB\\EabServr.exe /Start"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0047460
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B6700

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-05 20:42:49
C:\ComboFix-quarantined-files.txt ... 07-04-05 20:42

**Mr_JAk3** · 2007-04-06, 10:12

Hi again, we'll continue

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - @A 3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - À@ 49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - ð@ BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O20 - Winlogon Notify: __c0047460 - C:\WINDOWS\System32\__c0047460.dat
O20 - Winlogon Notify: __c00B6700 - C:\WINDOWS\System32\__c00B6700.dat

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\__c002423A.dat
C:\WINDOWS\system32\__c001550F.dat
C:\WINDOWS\system32\__c00B34CD.dat
C:\WINDOWS\system32\__c00A2C2.dat
C:\WINDOWS\system32\__c00A987E.dat
C:\WINDOWS\system32\__c00B6700.dat
C:\WINDOWS\system32\__c0047460.dat

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:

Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner

Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

**Gcarp** · 2007-04-07, 17:30

Mr Jak,

Having problems running AVG...

Hangs when trying to do system scan during memory/processes @ [120] VM_7FFE0000. This is related to process SMSS.EXE on the Analysis page. When I do Windows Task Manager, it shows that CSRSS.EXE is hogging the CPU. Have tried various ways to get around it but no joy. Date created and date modified in windows explorer for CSRSS.EXE shows as 8/18/2001; and SMSS.EXE Created 8/18/2001 modified 8/29/2002. How shall I proceed? I did run Registry scan and found nothing. BTW, only using Internet Explorer.

George

**Mr_JAk3** · 2007-04-07, 20:24

Hmm are you running AVG Anti-Spyware in safe mode?

**Gcarp** · 2007-04-11, 03:05

Yes, Tried it both in safe mode and in normal mode. Safe mode first. Also tried to run in diagnostic mode using msconfig. I also ran SFC/scanboot. That didn't do anything either.

When searching for info, I came across this...
http://support.microsoft.com/kb/555021

I am going to try to re-do the users on this computer. and if that doesn't work, I'll uninstall & re-install AVG. May take a few days. I'll get back when I'm done. Unless you have a better idea... I didn't want to leave you hanging.

George

**Mr_JAk3** · 2007-04-11, 21:00

Hello

Ok let's try this:

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

**Gcarp** · 2007-04-12, 01:48

Hello Mr Jak,
GMER rootkit as requested... I'm assuming you wanted it in safe mode.
George

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-11 19:33:32
Windows 5.1.2600 Service Pack 1

---- Kernel code sections - GMER 1.0.12 ----

.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 720342D8

---- EOF - GMER 1.0.12 ----

**Mr_JAk3** · 2007-04-12, 20:53

Ok nothing there.

Please post a fresh HijackThis log and we'll see

**Gcarp** · 2007-04-12, 22:55

Mr Jak,

As requested.
George

Logfile of HijackThis v1.99.1
Scan saved at 4:51:29 PM, on 4/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Documents and Settings\Betty\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/re...c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/re...c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {8EB0F793-55E3-400A-9A58-9493B5D1C04B} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175720342404
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/f...all/isetup.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/inc...ivePreQual.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

**Mr_JAk3** · 2007-04-13, 22:05

Hello

HijackThis log looks pretty good now...

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Thread: Browser hijacked & Broadcaster.com popups

Thread Tools

Display

Posting Permissions