Search Results Redirect Virus

Hi,

I was just looking over your log and just want to make sure this file is gone.

You need to enable Windows to show all files and folders.
Instructions for your operating system are HERE


C:\Documents and Settings\pmaslos\Local Settings\Temp\pxtdypob.sys <--This file, right click on it and delete it, let me know if it was present and would not delete
 
I'm back. Sorry about that! I checked for the file "pxtdypob.sys" and it's not there. I double checked my setting to "show all files" also.

Things have been working fine and I ran a Malwarebytes Quick Scan on Wednesday. We left the computer on overnight last night with two of us logged in, but nothing really running; I had IE open and my wife had Excel open but not any workbooks. When she logged off this morning she received the message "Ending program sw". Is this some type of spyware??

Off to run a Malwarebytes, Spybot and AVG scan...

Thanks for keeping on top of this!!
 
Hi, that may be related to Silent Spy, which is a rogue program.

You may have to Download SystemLook again

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :reg
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
The SystemLook output is below, and an HJT log too, just in case??

SystemLook.txt:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:55 on 13/11/2009 by pmaslos (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe"
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe"
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe"
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe"
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe"
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe"
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe"
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup"
"ISUSScheduler"=""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start"
"Malwarebytes Anti-Malware (reboot)"=""C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript"
"PCMService"=""C:\Program Files\Dell\Media Experience\PCMService.exe""
"SunJavaUpdateSched"=""C:\Program Files\Java\jre6\bin\jusched.exe""
"tgcmd"=""C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]


-=End Of File=-

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:04 AM, on 11/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=...4233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {095CD655-22C4-4845-AA1D-10590EA36D1A} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {497B6553-405A-47A7-9E64-2695AFBF5A48} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {95ABACE8-8DCC-4871-9E26-1654AC49F0C8} - (no file)
O2 - BHO: (no name) - {95bc13d5-1e85-4af9-a538-c9452fc9392f} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E5D5BE53-CA78-4CEE-A405-456AE551483F} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128119231437
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - http://admin.mem.com/imagefunctions/imagxpress7.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} (MeM Media Uploader Control) - http://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
O16 - DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} (Pegasus TwainPRO Control v4.0) - http://admin.mem.com/imagefunctions/TwainPro4.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webmail.mckesson.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 8463 bytes
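The SystemLook `:reg` output and the HijackThis log above are what the helper reads by eye: Run entries, BHOs and toolbars, looking for components with no backing file and for executables living in Temp folders (the earlier pxtdypob.sys was exactly that). Below is an added triage script, not part of the thread and not a tool from either poster, that parses lines in those two formats and flags the same things; the sample lines are constructed to mirror the formats, not copied from the user's log.

```python
import re

# Constructed sample lines in the two formats seen in the thread (SystemLook
# :reg output and HijackThis O2/O3/O4 lines); not the user's actual log.
SAMPLE_LOG = r'''
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe"
"ISUSScheduler"=""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start"
"Updater"="C:\Documents and Settings\user\Local Settings\Temp\abcdefgh.exe"
O2 - BHO: (no name) - {095CD655-22C4-4845-AA1D-10590EA36D1A} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"TmpDrv"="C:\Documents and Settings\user\Local Settings\Temp\xyzdrv.sys"
'''

# First drive-letter path ending in a binary extension; non-greedy so arguments
# after the quoted path ("... issch.exe" -start) are not swallowed.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|sys)', re.IGNORECASE)
MISSING_MARKERS = ("(no file)", "(file missing)")
# Folders where a persistent autorun binary is unusual and worth a second look.
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\")

def classify(line):
    """Return (path_or_None, reasons) for one log line; an empty reasons list means unremarkable."""
    reasons = []
    if any(marker in line.lower() for marker in MISSING_MARKERS):
        reasons.append("registered component has no backing file (orphan or removed malware)")
    match = PATH_RE.search(line)
    path = match.group(0) if match else None
    if path:
        plower = path.lower()
        if any(d in plower for d in SUSPICIOUS_DIRS):
            reasons.append("executable lives in a temporary folder")
        if plower.endswith(".sys") and "\\windows\\" not in plower:
            reasons.append("driver outside the Windows directory")
    return path, reasons

def triage(log_text):
    """Return only the flagged entries as (line, path, reasons), in log order."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        path, reasons = classify(line)
        if reasons:
            flagged.append((line, path, reasons))
    return flagged

if __name__ == "__main__":
    for line, path, reasons in triage(SAMPLE_LOG):
        print(f"{path or line}\n    -> " + "; ".join(reasons))
```

Unflagged entries still deserve a look (a signed vendor binary in Program Files can be trojanized), but the script reproduces the first pass a helper makes on these logs.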
 
See if any of these are present; make sure you still have Windows enabled to show all files and folders.

C:\Silent-Spy.cnt
C:\Silent-Spy.hlp
C:\Wlp.sys
C:\Wlg.sys
C:\SW.htm

C:\SSS <--folder
 
Didn't find any of them. I even searched for all of them and the only thing even similar was:

C:\Documents and Settings\pmaslos\Local Settings\Temporary Internet Files\sw.gif

And what's weird is it shows up twice in the search results.
 
Run this cleaner to clean that folder out

Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner. This is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

You have Spybot Search and Destroy installed; make sure it's the latest version. Open Spybot and go to Help > About and it should be version 1.6.2. If not, uninstall it via Add/Remove Programs and download and install the latest version. Then run it; if Silent Spy or part of it is present, Spybot will remove it. I don't need to see any report, but when it's done, see if Silent Spy was flagged to remove and let me know.
http://www.safer-networking.org/en/home/index.html
 
Ran ATF Cleaner and Spybot, no immediate threats were found.

I did a search of the entire hard drive for *.log files yesterday just to see if SW had created a log. Didn't find anything related to that, but it looks like Qwest (our DSL provider) may have been running some checks or updates, as there were logs in C:\Documents and Settings\All Users\Application Data\Support.com\profiles\dmasloski\{qwest}\logs. I copied the entries in the protect.log for November below. Not sure that it's related, but I wonder if they were using sw to monitor things during the update?? May seem far-fetched, but thought I'd pass it along. Probably worth a call to Qwest as to what they are probing and protecting. Your thoughts??

Thanks again!!!

protect.log:

----- Protection starting 11/10/2009 8:31:14 AM
* General initialization done 11/10/2009 8:31:14 AM
* General initialization done 11/10/2009 8:31:14 AM
* Mutex and server connect done 11/10/2009 8:31:15 AM
* Retrieving protection files from server 11/10/2009 8:31:15 AM
* Retrieval OK 11/10/2009 8:31:15 AM
Protection initialized 11/10/2009 8:31:15 AM
***Beginning probe 11/10/2009 8:31:16 AM ***
Checking {7341d696-c59a-4816-a60c-8dea7d62e56a}
Probing {7341d696-c59a-4816-a60c-8dea7d62e56a}
Finished probing {7341d696-c59a-4816-a60c-8dea7d62e56a}
Backing up {7341d696-c59a-4816-a60c-8dea7d62e56a}
Finished backing up {7341d696-c59a-4816-a60c-8dea7d62e56a}
Checking {a573cc4a-d7a1-4593-990a-fb581e573af4}
Probing {a573cc4a-d7a1-4593-990a-fb581e573af4}
Finished probing {a573cc4a-d7a1-4593-990a-fb581e573af4}
Backing up {a573cc4a-d7a1-4593-990a-fb581e573af4}
Finished backing up {a573cc4a-d7a1-4593-990a-fb581e573af4}
Checking {c39235c9-4974-11d4-a4ba-0010a4e61750}
Probing {c39235c9-4974-11d4-a4ba-0010a4e61750}
Finished probing {c39235c9-4974-11d4-a4ba-0010a4e61750}
Backing up {c39235c9-4974-11d4-a4ba-0010a4e61750}
Finished backing up {c39235c9-4974-11d4-a4ba-0010a4e61750}
Checking {f04b4727-5194-4d8f-a004-75b9c36fbbfb}
Probing {f04b4727-5194-4d8f-a004-75b9c36fbbfb}
Finished probing {f04b4727-5194-4d8f-a004-75b9c36fbbfb}
Backing up {f04b4727-5194-4d8f-a004-75b9c36fbbfb}
Finished backing up {f04b4727-5194-4d8f-a004-75b9c36fbbfb}
Checking {14d4ee36-4ef4-4678-b258-cb4dc98cd2b9}
Probing {14d4ee36-4ef4-4678-b258-cb4dc98cd2b9}
Finished probing {14d4ee36-4ef4-4678-b258-cb4dc98cd2b9}
Backing up {14d4ee36-4ef4-4678-b258-cb4dc98cd2b9}
Finished backing up {14d4ee36-4ef4-4678-b258-cb4dc98cd2b9}
Checking {28f10aee-6184-4ca9-af23-f75d39c475cc}
Probing {28f10aee-6184-4ca9-af23-f75d39c475cc}
Finished probing {28f10aee-6184-4ca9-af23-f75d39c475cc}
Backing up {28f10aee-6184-4ca9-af23-f75d39c475cc}
Finished backing up {28f10aee-6184-4ca9-af23-f75d39c475cc}
***Probe completed 11/10/2009 8:35:29 AM***
* Mutex and server connect done 11/10/2009 8:35:29 AM
* Retrieving protection files from server 11/10/2009 8:35:29 AM
* Retrieval OK 11/10/2009 8:35:29 AM
Protection initialized 11/10/2009 8:35:29 AM
***Beginning probe 11/10/2009 8:35:29 AM ***
Checking {4b6488ce-a39a-4bdd-9274-8c413275705b}
Probing {4b6488ce-a39a-4bdd-9274-8c413275705b}
Finished probing {4b6488ce-a39a-4bdd-9274-8c413275705b}
Backing up {4b6488ce-a39a-4bdd-9274-8c413275705b}
Finished backing up {4b6488ce-a39a-4bdd-9274-8c413275705b}
***Probe completed 11/10/2009 8:35:39 AM***
----- Protection starting 11/11/2009 11:15:05 AM
* General initialization done 11/11/2009 11:15:05 AM
* Mutex and server connect done 11/11/2009 11:15:05 AM
* Retrieving protection files from server 11/11/2009 11:15:05 AM
* Retrieval OK 11/11/2009 11:15:05 AM
Protection initialized 11/11/2009 11:15:05 AM
***Beginning probe 11/11/2009 11:15:05 AM ***
***Probe completed 11/11/2009 11:15:05 AM***
----- Protection starting 11/12/2009 12:26:03 PM
* General initialization done 11/12/2009 12:26:03 PM
* Mutex and server connect done 11/12/2009 12:26:03 PM
* Retrieving protection files from server 11/12/2009 12:26:03 PM
* Retrieval OK 11/12/2009 12:26:03 PM
Protection initialized 11/12/2009 12:26:03 PM
***Beginning probe 11/12/2009 12:26:03 PM ***
***Probe completed 11/12/2009 12:26:03 PM***
----- Protection starting 11/13/2009 1:20:12 AM
* General initialization done 11/13/2009 1:20:12 AM
* Mutex and server connect done 11/13/2009 1:20:12 AM
* Retrieving protection files from server 11/13/2009 1:20:12 AM
* Retrieval OK 11/13/2009 1:20:23 AM
Protection initialized 11/13/2009 1:20:23 AM
***Beginning probe 11/13/2009 1:20:23 AM ***
***Probe completed 11/13/2009 1:20:23 AM***
 
Hi, don't know much about what Qwest does. I guess a call to them to ask wouldn't hurt.

I will leave this thread open for you for a few days, any other issues just post back.
 