Page 1 of 3 123 LastLast
Results 1 to 10 of 21

Thread: Browser Search Redirect Issue

  1. #1
    Junior Member
    Join Date
    Jun 2009
    Posts
    9

    Smile Browser Search Redirect Issue

    Hi,

    I am having problems with browser search redirects when using Google or Microsoft search bars. The problem doesn't seem to be restricted to just these two search engine bars.

    The symptom is that when browsing to some of the sites in the search results, I get to unexpected locations even when the site link URL's are good.

    I am running Norton AV 2009, and have Spybot S&D and Teatimer running.

    After I found the symptoms I downloaded and ran Malwarebytes Anti-malware tool, ad-ware and Super AntiSpyware 4.26.1004. Each found some cookies that were suspect, and I removed them. However the problem is still around.

    The main browser I found this with is IE8 but I see it in Firefox 3.0.11 too.

    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:56:23, on 13/06/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MRTW.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: BrowserConnector Object - {B24A5F3C-E1D2-4ee6-8A3F-4B19D0DAF1A2} - C:\WINDOWS\system32\battx.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1232286679765
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\DMINTFG.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
    O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    O23 - Service: System kernel integrity service (Uha10kx2kO) (Ytfsnudfa) - SearchHelp, Inc. - C:\WINDOWS\system32\MRTW.exe

    --
    End of file - 10394 bytes


    Many thanks for any help,
    Mark

  2. #2
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592

    Default

    Hello and Welcome to forums!

    My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:


    • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for this issue on this machine.
    • I f you don't know or understand something please don't hesitate to ask.
    • Please DO NOT run any other tools or scans whilst I am helping you.
    • It is important that you reply to this thread. Do not start a new topic.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    • Absence of symptoms does not mean that everything is clear.



    No Reply Within 5 Days Will Result In Your Topic Being Closed!!
    MRU Master of Malware Removal University

    Member of UNITE and ASAP

  3. #3
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592

    Default

    STEP 1

    Download DDS

    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop from:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.


    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:

      • DDS.txt
      • Attach.txt

    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply




    STEP 2


    RootRepeal - Rootkit Detector

    Download RootRepeal.zip and unzip it to your Desktop.


    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Clickthe Scan button
    • In the Select Scan dialog, check:

      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services

    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan

      The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program




    Next Reply

    Please reply with:

    • DDS.txt
    • Attach.txt
    • RootRepeal.txt
    MRU Master of Malware Removal University

    Member of UNITE and ASAP

  4. #4
    Junior Member
    Join Date
    Jun 2009
    Posts
    9

    Arrow Browser Search Redirect Issue

    Hi and thanks for your support,


    DDS.TXT


    DDS (Ver_09-05-14.01) - NTFSx86
    Run by Mark at 10:20:58.62 on 14/06/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.383 [GMT 1:00]

    AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\MRTW.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Mark\My Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: BrowserConnector Object: {b24a5f3c-e1d2-4ee6-8a3f-4b19d0daf1a2} - c:\windows\system32\battx.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
    mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
    mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [LXBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBUtime.dll,_RunDLLEntry@16
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\mark\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232286679765
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    AppInit_DLLs: c:\windows\system32\DMINTFG.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\o5t3nuj1.default\
    FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
    FF - component: c:\program files\mozilla firefox\components\battxf.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-12 64160]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-3-23 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-3-23 258608]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-3-23 482352]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090610.006\IDSXpx86.sys [2009-6-12 276344]
    R1 IpFilterDrivery;Remote Procedure Call RT4s (PtilinkV);c:\windows\system32\HIMEMR.SYS [2009-5-13 24704]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
    R1 Uha10kx2k;System kernel configuration (VSparrow);c:\windows\system32\NTIOLE404.SYS [2009-5-13 38912]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-25 55152]
    R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-3-23 115560]
    R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
    R2 Ytfsnudfa;System kernel integrity service (Uha10kx2kO);c:\windows\system32\MRTW.exe [2009-5-13 276992]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-3 101936]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090613.003\NAVENG.SYS [2009-6-13 89104]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090613.003\NAVEX15.SYS [2009-6-13 876144]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
    S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

    =============== Created Last 30 ================

    2009-06-13 17:22 <DIR> --d----- C:\fixwareout
    2009-06-13 16:10 <DIR> -cd-h--- c:\windows\ie8
    2009-06-12 23:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-06-12 23:09 <DIR> --d----- c:\program files\SUPERAntiSpyware
    2009-06-12 23:09 <DIR> --d----- c:\docume~1\mark\applic~1\SUPERAntiSpyware.com
    2009-06-12 23:08 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-06-12 22:52 <DIR> --d----- c:\program files\Trend Micro
    2009-06-12 21:52 15,688 a------- c:\windows\system32\lsdelete.exe
    2009-06-12 21:39 64,160 a------- c:\windows\system32\drivers\Lbd.sys
    2009-06-12 21:38 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-06-12 21:38 <DIR> --d----- c:\program files\Lavasoft
    2009-06-11 22:40 <DIR> --d----- c:\docume~1\mark\applic~1\Malwarebytes
    2009-06-11 22:40 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-11 22:40 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-06-11 22:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-06-11 22:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-06-11 14:58 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
    2009-06-11 14:58 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
    2009-06-10 13:48 <DIR> --d--r-- c:\program files\Norton Support
    2009-06-08 22:37 <DIR> --d----- c:\program files\common files\DivX Shared
    2009-06-08 20:43 <DIR> --d----- c:\program files\Free Video Joiner
    2009-06-02 11:16 <DIR> --d----- c:\program files\iPod
    2009-06-02 11:16 <DIR> --d----- c:\program files\iTunes
    2009-05-30 11:31 <DIR> --dsh--- c:\documents and settings\mark\IECompatCache
    2009-05-30 11:29 <DIR> --dsh--- c:\documents and settings\mark\PrivacIE
    2009-05-29 22:28 <DIR> --dsh--- c:\documents and settings\mark\IETldCache
    2009-05-29 22:25 <DIR> --d----- c:\windows\ie8updates
    2009-05-29 22:25 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
    2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
    2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
    2009-05-25 17:48 48,128 a------- C:\pclips.exe

    ==================== Find3M ====================

    2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
    2009-05-13 21:19 9,952 a------- c:\windows\system32\secrd.dat
    2009-05-13 21:19 9,952 a------- c:\windows\system32\sbnetkey.sys
    2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
    2009-05-13 06:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
    2009-05-13 06:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
    2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
    2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
    2009-05-05 18:33 244,224 a------- c:\windows\system32\wiaservca.dll
    2009-05-05 18:33 244,224 a------- c:\windows\system32\cdmg.dll
    2009-05-05 18:33 211,968 a------- c:\windows\system32\framebufo.dll
    2009-05-05 18:33 211,968 a------- c:\windows\system32\elsi.dll
    2009-05-05 18:33 244,224 a------- c:\windows\system32\msacmlt32.dll
    2009-05-05 18:33 244,224 a------- c:\windows\system32\kernelf32.dll
    2009-05-05 18:33 62,976 a------- c:\windows\system32\dsuiextp.dll
    2009-05-05 18:33 62,976 a------- c:\windows\system32\CTEMUPIAD.DLL
    2009-05-05 18:33 150,528 a------- c:\windows\system32\offfiltr.dll
    2009-05-05 18:33 150,528 a------- c:\windows\system32\KPDPMUII.dll
    2009-05-05 18:31 181,760 a------- c:\windows\system32\mtxocih.dll
    2009-05-01 22:02 90,112 a------- c:\windows\system32\dpl100.dll
    2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
    2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx07.dll
    2009-05-01 22:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
    2009-05-01 22:02 811,008 a------- c:\windows\system32\divx_xx16.dll
    2009-05-01 22:02 802,816 a------- c:\windows\system32\divx_xx11.dll
    2009-05-01 22:02 685,056 a------- c:\windows\system32\DivX.dll
    2009-04-30 22:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
    2009-04-30 22:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
    2009-04-30 22:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
    2009-04-30 22:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
    2009-04-30 22:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
    2009-04-30 12:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
    2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
    2009-04-17 13:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
    2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
    2009-04-15 15:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
    2009-04-14 17:50 4,286 a------- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}w.dat
    2009-04-14 17:50 4,286 a------- c:\windows\system32\ctdlangi.dat
    2009-04-14 17:49 294,912 a------- c:\windows\system32\msacml32.dll
    2009-04-14 17:49 294,912 a------- c:\windows\system32\mmcshexth.dll
    2009-03-23 18:22 60,808 a------- c:\windows\system32\S32EVNT1.DLL
    2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll

    ============= FINISH: 10:24:01.51 ===============

    ATTACH.TXT and RootRepeal.TXT are included as attachments.

    Thanks,

  5. #5
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592

    Default

    Use of P2P (Person to Person) file sharing programs

    I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    µTorrent

    Please read HERE the Safer Networking Forums policy on the use of P2P file sharing programs. Please remove it before we can continue any further. Post back when you have done it so we can continue the cleaning process.

    NOTE: Even if you are using a safe P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
    MRU Master of Malware Removal University

    Member of UNITE and ASAP

  6. #6
    Junior Member
    Join Date
    Jun 2009
    Posts
    9

    Default Browser Search Redirect Issue

    OK, I removed uTorrent ...

  7. #7
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592

    Default

    Download and Run ComboFix


    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3





    --------------------------------------------------------------------

    Double click on Combo-Fix.exe & follow the prompts.

    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.



    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall
    MRU Master of Malware Removal University

    Member of UNITE and ASAP

  8. #8
    Junior Member
    Join Date
    Jun 2009
    Posts
    9

    Arrow Browser Search Redirect Issue

    Hi Bio-Hazard,

    OK, all done. Below is the HJT log, and attached is the ComboFix log file.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:26:36, on 14/06/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MRTW.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: BrowserConnector Object - {B24A5F3C-E1D2-4ee6-8A3F-4B19D0DAF1A2} - C:\WINDOWS\system32\battx.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1232286679765
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\WINDOWS\SYSTEM32\DMINTFG.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
    O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    O23 - Service: System kernel integrity service (Uha10kx2kO) (Ytfsnudfa) - SearchHelp, Inc. - C:\WINDOWS\system32\MRTW.exe

    --
    End of file - 10514 bytes



    ComboFix 09-06-13.09 - Mark 14/06/2009 21:49.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.692 [GMT 1:00]
    Running from: c:\documents and settings\Mark\My Downloads\Combo-Fix.exe
    AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\SKYNETydvkbgrn.sys
    c:\windows\system32\ippromonr.dll
    c:\windows\system32\mtxocih.dll
    c:\windows\system32\netapip32.dll
    c:\windows\system32\SKYNETejklydtt.dll
    c:\windows\system32\SKYNETtqodnyha.dll
    c:\windows\system32\SKYNETvcbpvakj.dat
    c:\windows\system32\SKYNETvpojjsdt.dat
    c:\windows\system32\dnsapim.dll
    c:\windows\system32\drivers\SKYNETydvkbgrn.sys
    c:\windows\system32\KBDHELAS3.DLL
    c:\windows\system32\scarddlgm.dll
    c:\windows\system32\SKYNETejklydtt.dll
    c:\windows\system32\SKYNETtqodnyha.dll
    c:\windows\system32\SKYNETvcbpvakj.dat
    c:\windows\system32\SKYNETvpojjsdt.dat
    G:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SKYNETvpacmxgu


    ((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
    .

    2009-06-14 21:04 . 2009-03-12 09:03 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
    2009-06-13 19:54 . 2009-06-13 19:54 -------- d-----w- c:\program files\ERUNT
    2009-06-13 16:22 . 2009-06-13 16:37 -------- d-----w- C:\fixwareout
    2009-06-13 15:10 . 2009-06-13 15:10 -------- dc-h--w- c:\windows\ie8
    2009-06-12 22:32 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\Scxpx86.dll
    2009-06-12 22:32 . 2009-01-29 21:50 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSXpx86.sys
    2009-06-12 22:32 . 2009-01-29 21:50 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSvix86.sys
    2009-06-12 22:32 . 2009-01-29 21:50 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSxpx86.dll
    2009-06-12 22:32 . 2009-01-29 21:50 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSviA64.sys
    2009-06-12 22:09 . 2009-06-14 21:05 117760 ----a-w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-06-12 22:09 . 2009-06-12 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-06-12 22:09 . 2009-06-12 22:09 65024 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    2009-06-12 22:09 . 2009-06-12 22:09 18944 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    2009-06-12 22:09 . 2009-06-12 22:09 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-06-12 22:09 . 2009-06-12 22:09 -------- d-----w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
    2009-06-12 22:08 . 2009-06-12 22:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-06-12 21:52 . 2009-06-12 21:52 -------- d-----w- c:\program files\Trend Micro
    2009-06-12 20:52 . 2009-06-12 20:39 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-06-12 20:38 . 2009-06-12 20:38 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-06-12 20:38 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
    2009-06-12 20:38 . 2009-06-12 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-06-12 20:38 . 2009-06-12 20:38 -------- d-----w- c:\program files\Lavasoft
    2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes
    2009-06-11 21:40 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-11 21:40 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-11 17:38 . 2009-06-11 17:38 -------- d-----w- c:\documents and settings\Angel\Local Settings\Application Data\Symantec
    2009-06-11 14:43 . 2009-06-11 14:43 1915520 ----a-w- c:\documents and settings\Mark\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2009-06-11 13:58 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2009-06-11 13:58 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2009-06-10 12:48 . 2009-06-10 12:48 -------- d-----r- c:\program files\Norton Support
    2009-06-10 12:47 . 2009-06-10 12:47 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\Symantec
    2009-06-10 09:57 . 2009-06-10 09:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-06-10 07:54 . 2009-06-10 07:54 152576 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-06-08 21:42 . 2009-06-08 21:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2009-06-08 21:37 . 2009-06-08 21:38 -------- d-----w- c:\program files\Common Files\DivX Shared
    2009-06-08 20:44 . 2009-06-08 20:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2009-06-08 19:43 . 2009-06-13 18:32 -------- d-----w- c:\program files\Free Video Joiner
    2009-06-08 19:27 . 2009-06-08 19:27 -------- d-sh--w- c:\documents and settings\Lourdes\IETldCache
    2009-06-08 19:03 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\Scxpx86.dll
    2009-06-08 19:03 . 2009-01-29 21:50 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSXpx86.sys
    2009-06-08 19:03 . 2009-01-29 21:50 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSvix86.sys
    2009-06-08 19:03 . 2009-01-29 21:50 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSxpx86.dll
    2009-06-08 19:03 . 2009-01-29 21:50 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSviA64.sys
    2009-06-05 15:38 . 2009-06-05 15:38 -------- d-sh--w- c:\documents and settings\Angel\PrivacIE
    2009-06-02 10:16 . 2009-06-02 10:16 -------- d-----w- c:\program files\iPod
    2009-06-02 10:16 . 2009-06-02 10:17 -------- d-----w- c:\program files\iTunes
    2009-06-02 10:13 . 2009-06-02 10:14 -------- d-----w- c:\program files\QuickTime
    2009-06-02 10:08 . 2009-06-02 10:08 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-05-30 19:11 . 2009-05-30 19:11 -------- d-sh--w- c:\documents and settings\Angel\IETldCache
    2009-05-30 10:31 . 2009-05-30 10:31 -------- d-sh--w- c:\documents and settings\Mark\IECompatCache
    2009-05-30 10:29 . 2009-05-30 10:29 -------- d-sh--w- c:\documents and settings\Mark\PrivacIE
    2009-05-29 21:28 . 2009-05-29 21:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-05-29 21:28 . 2009-05-29 21:28 -------- d-sh--w- c:\documents and settings\Mark\IETldCache
    2009-05-29 21:25 . 2009-06-13 14:46 -------- d-----w- c:\windows\ie8updates
    2009-05-29 21:25 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
    2009-05-29 21:13 . 2009-05-29 21:13 39552 ----a-w- c:\documents and settings\Lourdes\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-29 21:09 . 2009-05-29 21:09 -------- d-----w- c:\documents and settings\Lourdes\Local Settings\Application Data\BVRP Software
    2009-05-25 16:48 . 2009-05-25 16:48 48128 ----a-w- C:\pclips.exe
    2009-05-20 22:37 . 2009-05-20 22:37 -------- d-----w- c:\documents and settings\Lourdes\Local Settings\Application Data\Apple Computer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-14 21:02 . 2005-03-04 11:56 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
    2009-06-14 21:02 . 2005-03-04 11:56 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
    2009-06-14 21:02 . 2009-05-13 23:30 67 ----a-w- c:\windows\system32\sysdnc.dat
    2009-06-14 12:54 . 2009-02-07 23:02 -------- d-----w- c:\documents and settings\Mark\Application Data\uTorrent
    2009-06-13 16:24 . 2009-01-24 17:21 -------- d-----w- c:\program files\Lx_cats
    2009-06-11 17:42 . 2009-02-14 11:38 1 ----a-w- c:\documents and settings\Angel\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-06-11 13:01 . 2009-01-18 14:27 -------- d-----w- c:\program files\Binary News Reaper
    2009-06-10 11:58 . 2009-02-24 20:44 -------- d-----w- c:\documents and settings\Mark\Application Data\DivX
    2009-06-10 07:55 . 2005-03-04 11:54 -------- d-----w- c:\program files\Java
    2009-06-09 20:42 . 2009-01-27 21:11 1 ----a-w- c:\documents and settings\Mark\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-06-08 21:47 . 2009-03-04 19:28 -------- d-----w- c:\program files\Google
    2009-06-08 21:42 . 2009-02-17 20:11 -------- d-----w- c:\program files\DivX
    2009-06-08 20:36 . 2009-05-04 16:54 -------- d-----w- c:\program files\Join
    2009-06-02 10:16 . 2009-01-18 13:51 -------- d-----w- c:\program files\Common Files\Apple
    2009-05-21 10:33 . 2009-02-27 20:32 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-05-13 23:28 . 2009-05-13 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-05-13 23:25 . 2009-05-13 23:25 -------- d-----w- c:\program files\Bonjour
    2009-05-13 20:19 . 2009-04-14 16:49 9952 ----a-w- c:\windows\system32\secrd.dat
    2009-05-13 20:19 . 2009-01-18 11:04 9952 ----a-w- c:\windows\system32\sbnetkey.sys
    2009-05-13 05:15 . 2004-08-04 05:00 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-05-12 18:54 . 2009-05-12 18:54 -------- d-----w- c:\documents and settings\Lourdes\Application Data\ArcSoft
    2009-05-07 16:44 . 2009-02-25 16:04 39552 ----a-w- c:\documents and settings\Angel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-07 15:32 . 2004-08-04 05:00 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-05-06 17:35 . 2005-03-04 11:54 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-05-05 17:33 . 2009-05-13 20:17 244224 ----a-w- c:\windows\system32\wiaservca.dll
    2009-05-05 17:33 . 2009-05-13 20:17 244224 ----a-w- c:\windows\system32\cdmg.dll
    2009-05-05 17:33 . 2009-05-13 20:17 211968 ----a-w- c:\windows\system32\framebufo.dll
    2009-05-05 17:33 . 2009-05-13 20:17 211968 ----a-w- c:\windows\system32\elsi.dll
    2009-05-05 17:33 . 2009-05-13 20:17 244224 ----a-w- c:\windows\system32\msacmlt32.dll
    2009-05-05 17:33 . 2009-05-13 20:17 244224 ----a-w- c:\windows\system32\kernelf32.dll
    2009-05-05 17:33 . 2009-05-13 20:17 62976 ----a-w- c:\windows\system32\dsuiextp.dll
    2009-05-05 17:33 . 2009-05-13 20:17 62976 ----a-w- c:\windows\system32\CTEMUPIAD.DLL
    2009-05-05 17:33 . 2009-05-13 20:17 150528 ----a-w- c:\windows\system32\offfiltr.dll
    2009-05-05 17:33 . 2009-05-13 20:17 150528 ----a-w- c:\windows\system32\KPDPMUII.dll
    2009-05-05 17:31 . 2009-05-13 20:17 276992 ----a-w- c:\windows\system32\MRTW.exe
    2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
    2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
    2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
    2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
    2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
    2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
    2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
    2009-04-17 12:26 . 2004-08-04 05:00 1847168 ----a-w- c:\windows\system32\win32k.sys
    2009-04-15 14:51 . 2004-08-04 05:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
    2009-04-14 16:50 . 2009-05-13 20:17 4286 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}w.dat
    2009-04-14 16:50 . 2009-05-13 20:17 4286 ----a-w- c:\windows\system32\ctdlangi.dat
    2009-04-14 16:49 . 2009-05-13 20:17 294912 ----a-w- c:\windows\system32\msacml32.dll
    2009-04-14 16:49 . 2009-05-13 20:17 294912 ----a-w- c:\windows\system32\mmcshexth.dll
    2009-04-12 11:58 . 2009-01-18 00:03 39552 ----a-w- c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-11 20:18 . 2009-02-27 17:09 1915520 ----a-w- c:\documents and settings\Angel\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2009-04-01 19:01 . 2009-04-01 19:01 152576 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-03-23 17:22 . 2009-03-10 23:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-03-23 17:22 . 2009-03-10 23:08 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
    2009-03-19 15:32 . 2009-01-18 13:56 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-05-05 17:31 . 2009-05-13 20:22 74752 ----a-w- c:\program files\mozilla firefox\components\battxf.dll
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B24A5F3C-E1D2-4ee6-8A3F-4B19D0DAF1A2}]
    2009-05-05 17:32 141312 ----a-w- c:\windows\SYSTEM32\battx.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-26 344064]
    "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 69632]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-12 518488]
    "CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Angel\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

    c:\documents and settings\Mark\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\SYSTEM32\DMINTFG.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IpFilterDrivery]
    @="Base"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @="FSFilter Activity Monitor"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uha10kx2k]
    @="Base"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ytfsnudfa]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
    path=c:\documents and settings\Mark\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
    backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [12/06/2009 21:39 64160]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\SymEFA.sys [23/03/2009 18:22 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\BHDrvx86.sys [23/03/2009 18:22 258608]
    R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\cchpx86.sys [23/03/2009 17:55 482352]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSXpx86.sys [12/06/2009 23:32 276344]
    R1 IpFilterDrivery;Remote Procedure Call RT4s (PtilinkV);c:\windows\SYSTEM32\HIMEMR.SYS [13/05/2009 21:17 24704]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 72944]
    R1 Uha10kx2k;System kernel configuration (VSparrow);c:\windows\SYSTEM32\NTIOLE404.SYS [13/05/2009 21:17 38912]
    R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [25/02/2009 17:16 55152]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1005904]
    R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [23/03/2009 18:22 115560]
    R2 Ytfsnudfa;System kernel integrity service (Uha10kx2kO);c:\windows\SYSTEM32\MRTW.exe [13/05/2009 21:17 276992]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [03/05/2009 00:26 101936]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 7408]
    S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-06-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:39]

    2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath -
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-14 22:05
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...


    c:\docume~1\Mark\LOCALS~1\Temp\pcf1.tmp 533 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(984)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(1188)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\ati2evxx.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\SYSTEM32\CTSVCCDA.EXE
    c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
    c:\windows\SYSTEM32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-06-14 22:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-06-14 21:15

    Pre-Run: 85,339,299,840 bytes free
    Post-Run: 85,777,125,376 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    314 --- E O F --- 2009-06-11 14:21



    Thanks,
    Mark
    Last edited by Bio-Hazard; 2009-06-15 at 01:05. Reason: Added combofix log for easy reading

  9. #9
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592

    Default

    I'd like you to check (a file/some files) for Viruses.



    c:\windows\SYSTEM32\DMINTFG.DLL

    C:\pclips.exe


    • Copy/Paste the first file on the list into the white Upload a file box.
    • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
    • After a while, a window will open, with details of what the scans found.
    • Copy and Paste results in your next reply.
    • Repeat for all files on the list, and post me the details please




    ATF-Cleaner

    Please download ATF Cleaner by Atribune.


    • Save it to your desktop
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

      If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords please click No at the prompt.
    • Click Exit on the Main menu to close the program.





    Kaspersky Online Scan

    You can use either Internet Explorer or Mozilla FireFox for this scan.

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


    • Please go to Kaspersky website and perform an online antivirus scan.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives

    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply along with a fresh HijackThis log.






    Logs/Information to Post in Next Reply

    Please post the following logs/Information in your reply:

    • Virustotal or Jotti results
    • Kaspersky Log
    • A fresh HijackThis Log ( after all the above has been done)
    • A description of how your computer is behaving
    MRU Master of Malware Removal University

    Member of UNITE and ASAP

  10. #10
    Security Expert TonyKlein's Avatar
    Join Date
    Oct 2005
    Location
    The Netherlands
    Posts
    138

    Default

    My apologies for gatecrashing this thread, but there's a file we'd like to have a closer look at:

    C:\Windows\System32\battx.dll

    It's an unknown and it looks suspect, so we'd like to receive a sample for analysis in order to make sure that it really does belong on your computer!

    > It looks to be a new parasite, so we'd like to receive a sample for analysis!

    Please go to This Site and upload that battx.dll file for the contents to be analyzed.


    A convenient way of doing that is simply copying the full path to the file, in this case:

    C:\Windows\System32\battx.dll

    ... and paste it in in the "Browse to the file you want to submit" box, then press "Send File". The file will be found and uploaded.


    After that I'll again be leaving you in Bio-Hazard's care.

    Thank you very much for your cooperation!

    --------

    Tony CLSID List - A Collection of Autostart Locations
    Last edited by TonyKlein; 2009-06-15 at 21:29.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •