MalwareRemoval.com

Google searches hijacked

Post by Bob in AZ » April 17th, 2007, 1:21 am

Hi. I'm mostly a novice at this stuff, so I haven't run HiJack This yet -- I also saw something in the "new to this board" section about NOT running HiJack w/o advice, so I didn't. All my past problems were cured by Ewido, Panda, SmitRem and other helpware, but this problem I can't fix.

Whenever I search Google and click on a listed link, I end up in another search engine. I've noticed the IE browser heading is "redirect", and the address 67.29.139.220/click pops up in the status bar briefly. I've also seen "extremetracking.com" there. I get the same result on MS LIVE Search.

I'm running WinXP, with ZoneAlarm and WinPatrol active. I recently deleted some programs (including Ewido) and installed the three free AVG programs. Oddly, the AVG spyware cleaner doesn't ever finish scanning, and an unusual error message pops up, saying the program "has done something bad" -- I've never seen "bad" used like that before in an error message.

I could sure use some help -- Thanks
Bob in AZ
Active Member
Posts: 9
Joined: April 17th, 2007, 12:39 am

Post by Trogan » April 19th, 2007, 2:52 pm

Hi Bob in AZ and welcome to Malware Removal! Sorry for the late reply.

Let's download HijackThis to see what it reveals.

Click here to download HJTsetup.exe, and save it to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Copy and paste the log here

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Trogan
MRU Teacher Emeritus
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Post by Bob in AZ » April 20th, 2007, 7:41 am

Hi, Trogan - no problem with the delay, and thanks for replying. Here's my HiJack log:

Logfile of HijackThis v1.99.1
Scan saved at 4:39:33 AM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\BillP Studios\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by117fd.bay117.hotmail.msn.com/c ... 300af3d584b472d4676f0922b235ce62840fb17e9ded904c8504e14ef3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol] C:\BillP Studios\WinPatrol.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2120FF07-7BA4-738E-51D7-7DB75AEAFAD3} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {32CFB169-92F9-5EAE-1E7F-5A6F59F645AF} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {399F9FE3-7149-505E-6FB7-2B4F7D8C48F3} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {3AE89F3F-B612-3308-F393-0AD21E5DC526} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {49A45BB3-906B-4373-749F-51F8300C01E5} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {4D12728B-A365-01E7-FED1-7267450FC396} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2432f7f5d8a ... xIE601.cab
O16 - DPF: {598CE9FA-BCE3-0A12-DDFB-6F7620A4E806} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {5EE1479E-F1CC-5016-8994-216A664B2298} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {5F9847F7-D550-19ED-221E-13872665222F} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0475788140
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37240.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = srhfinancial.corp
O17 - HKLM\Software\..\Telephony: DomainName = srhfinancial.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{65ADCC36-2D2E-4F11-96DA-60062B1B51B2}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = srhfinancial.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = srhfinancial.corp
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Bob in AZ
Active Member
Posts: 9
Joined: April 17th, 2007, 12:39 am

Post by Trogan » April 20th, 2007, 10:29 am

Hi Bob. I don't see too much wrong in your Hijackthis log.

Please do the following...

1. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O16 - DPF: {2120FF07-7BA4-738E-51D7-7DB75AEAFAD3} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {32CFB169-92F9-5EAE-1E7F-5A6F59F645AF} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {399F9FE3-7149-505E-6FB7-2B4F7D8C48F3} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {3AE89F3F-B612-3308-F393-0AD21E5DC526} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {49A45BB3-906B-4373-749F-51F8300C01E5} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {4D12728B-A365-01E7-FED1-7267450FC396} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {598CE9FA-BCE3-0A12-DDFB-6F7620A4E806} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {5EE1479E-F1CC-5016-8994-216A664B2298} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {5F9847F7-D550-19ED-221E-13872665222F} - http://85.255.113.214/1/gdnUS2296.exe


- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
- Close HijackThis

2. Please do an online scan with Panda ActiveScan

- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log
Trogan
MRU Teacher Emeritus
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
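The nine entries Trogan asks to have fixed share one pattern that is worth being able to spot without help: every O16 (Downloaded Program Files, i.e. ActiveX) registration points at the same URL, the host is a bare IP address rather than a vendor domain, the target is an .exe rather than a .cab-packaged control, and none of them carries a friendly name, while the vendor-hosted entries (Dell, Trend Micro HouseCall, Microsoft Update, Zone Labs) show none of those traits. The following Python script is an added example, not part of this thread and not part of HijackThis: it parses O16 lines, flags an entry when at least two of those signals coincide, and separately lists the resolvers from O17 NameServer lines so the owner can confirm they are the ones actually configured (the `expected` set passed to `unexpected_nameservers` is an assumed input; the log above shows 4.2.2.1 and 4.2.2.2). The sample lines are a subset copied from the log posted above.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample input: a subset of lines copied from the HijackThis log posted in
# this thread, plus the benign O4 line so the parser has something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\BillP Studios\WinPatrol.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2120FF07-7BA4-738E-51D7-7DB75AEAFAD3} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {32CFB169-92F9-5EAE-1E7F-5A6F59F645AF} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65ADCC36-2D2E-4F11-96DA-60062B1B51B2}: NameServer = 4.2.2.1,4.2.2.2
"""

# O16 lines look like: "O16 - DPF: {CLSID} (optional friendly name) - URL"
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.+?)\))? - (.+)$")
# O17 lines that set the resolver list for a network interface
O17_NS_RE = re.compile(r"^O17 - .*NameServer = (.+)$")


def parse_o16(log_text):
    """Return (clsid, friendly_name_or_None, url) for every O16 line."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries


def is_bare_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address instead of a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_o16(entries):
    """Map CLSID -> list of reasons for entries that trip at least two signals.

    A single oddity (for example a missing friendly name) is common on clean
    machines, so two independent signals are required before an entry is listed.
    """
    clsids_by_url = defaultdict(list)
    for clsid, _name, url in entries:
        clsids_by_url[url].append(clsid)

    flagged = {}
    for clsid, name, url in entries:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if is_bare_ip(host):
            reasons.append("host is a bare IP address rather than a vendor domain")
        if parsed.path.lower().endswith(".exe"):
            reasons.append("target is an .exe, not a .cab-packaged control")
        if name is None:
            reasons.append("no friendly name registered for the control")
        if len(clsids_by_url[url]) > 1:
            reasons.append(f"{len(clsids_by_url[url])} CLSIDs point at the same URL")
        if len(reasons) >= 2:
            flagged[clsid] = reasons
    return flagged


def nameservers(log_text):
    """Every resolver address listed in an O17 NameServer line, in log order."""
    found = []
    for line in log_text.splitlines():
        m = O17_NS_RE.match(line.strip())
        if m:
            found.extend(addr.strip() for addr in m.group(1).split(","))
    return found


def unexpected_nameservers(log_text, expected):
    """Resolvers not in the set the owner says they configured (assumed input)."""
    return [addr for addr in nameservers(log_text) if addr not in expected]


if __name__ == "__main__":
    for clsid, reasons in triage_o16(parse_o16(SAMPLE_LOG)).items():
        print(clsid, "->", "; ".join(reasons))
    print("resolvers:", nameservers(SAMPLE_LOG))
```

Run against the full log above, the script lists exactly the nine {...} gdnUS2296.exe registrations Trogan picked out and nothing else; a redirect caused by a swapped resolver would show up in the O17 check instead, which is why both are worth looking at when searches are being hijacked.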

Post by Bob in AZ » April 20th, 2007, 8:17 pm

Hmmm -- "gdnUS" sounds like something I had problems with about 2 years ago. Here's the Panda scan report and new HiJack log:

Incident Status Location

Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-37036d16-6d30b1e4.zip[BaaaaBaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-37036d16-6d30b1e4.zip[VaaaaaaaBaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-37036d16-6d30b1e4.zip[Dvnny.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-37036d16-6d30b1e4.zip[Baaaaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-37036d16-6d30b1e4.zip[Dex.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-37036d16-6d30b1e4.zip[Dix.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-37036d16-6d30b1e4.zip[Dux.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-11d5aa5b.zip[BaaaaBaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-11d5aa5b.zip[VaaaaaaaBaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-11d5aa5b.zip[Dvnny.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-11d5aa5b.zip[Baaaaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-11d5aa5b.zip[Dex.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-11d5aa5b.zip[Dix.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-4535331c-11d5aa5b.zip[Dux.class]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\HiJACK\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\smitRem\Process.exe
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@adtech[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@anm.co[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@as-us.falkag[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@ath.belnk[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@burstnet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@casalemedia[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@com[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@ct.360i[1].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@data.coremetrics[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@dist.belnk[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@doubleclick[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@entrepreneur[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@fastclick[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@gostats[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@go[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@media.adrevolver[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@mediaplex[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@realmedia[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@statcounter[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@target[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@www.burstbeacon[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@www3.addfreestats[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@www6.addfreestats[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@xiti[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\bhackney.SRH4\Desktop\System\smitRem.exe[smitRem/Process.exe]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\bhackney.SRHFINANCIAL\Local Settings\Temp\Cookies\bhackney@ccbill[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\bhackney.SRHFINANCIAL\Local Settings\Temp\Cookies\bhackney@kinghost[1].txt
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\bhackney.SRHFINANCIAL\Local Settings\Temp\Temporary Internet Files\Content.IE5\DJJZ95WA\asian02[1].htm
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Kids\Cookies\kids@888[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Kids\Cookies\kids@adopt.hbmediapro[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Kids\Cookies\kids@adultfriendfinder[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Kids\Cookies\kids@apmebf[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Kids\Cookies\kids@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Kids\Cookies\kids@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Kids\Cookies\kids@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Kids\Cookies\kids@belnk[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Kids\Cookies\kids@bravenet[2].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Kids\Cookies\kids@c.fsx[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Kids\Cookies\kids@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Kids\Cookies\kids@ccbill[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Kids\Cookies\kids@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Kids\Cookies\kids@cgi-bin[7].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Kids\Cookies\kids@data.coremetrics[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Kids\Cookies\kids@dist.belnk[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Kids\Cookies\kids@drivecleaner[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Kids\Cookies\kids@entrepreneur[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Kids\Cookies\kids@fe.lea.lycos[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Kids\Cookies\kids@gostats[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Kids\Cookies\kids@go[2].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Kids\Cookies\kids@hc2.humanclick[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Kids\Cookies\kids@i.screensavers[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Kids\Cookies\kids@landing.domainsponsor[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Kids\Cookies\kids@maxserving[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Kids\Cookies\kids@media.adrevolver[3].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Kids\Cookies\kids@offeroptimizer[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Kids\Cookies\kids@rn11[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Kids\Cookies\kids@target[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Kids\Cookies\kids@terra.com[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Kids\Cookies\kids@tickle[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Kids\Cookies\kids@web.tickle[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Kids\Cookies\kids@webpower[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Kids\Cookies\kids@www.drivecleaner[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Kids\Cookies\kids@www1.addfreestats[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@adrevolver[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ath.belnk[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@banner[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@dist.belnk[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@maxserving[2].txt
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\S-1-5-21-2512832447-3499852398-3877017340-1214\Dc177\apennington@atwola[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\RECYCLER\S-1-5-21-2512832447-3499852398-3877017340-1214\Dc177\apennington@rightmedia[1].txt
Adware:adware/webattaker Not disinfected C:\WINDOWS\uniq

*

Logfile of HijackThis v1.99.1
Scan saved at 5:11:03 PM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\BillP Studios\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WinZip\WZQKPICK.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by117fd.bay117.hotmail.msn.com/c ... 300af3d584b472d4676f0922b235ce62840fb17e9ded904c8504e14ef3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol] C:\BillP Studios\WinPatrol.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2432f7f5d8a ... xIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0475788140
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37240.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = srhfinancial.corp
O17 - HKLM\Software\..\Telephony: DomainName = srhfinancial.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{65ADCC36-2D2E-4F11-96DA-60062B1B51B2}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = srhfinancial.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = srhfinancial.corp
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Bob in AZ
Active Member
Posts: 9
Joined: April 17th, 2007, 12:39 am
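A Panda report of this length is hard to read by hand: most rows are tracking cookies, which are noise for a search-redirect problem, while the rows that matter are the ones that were actually cleaned (the JAR in the Java applet cache under the Administrator profile, with its obfuscated class names) and the non-cookie rows that were not. The Python below is an added example, not part of this thread and not Panda's own tooling: it parses the three-column "Incident Status Location" layout, separates cookies from everything else, groups hits by the user profile the path belongs to, and points out when cleaned items sit in the Java deployment cache (files there arrived through a browser-launched applet, so the cache itself should be cleared too). The sample input is a constructed subset of the rows posted above.

```python
import re
from collections import Counter

# Constructed sample: a subset of rows from the Panda ActiveScan report in this
# thread, kept in its original "Incident Status Location" layout.
SAMPLE_REPORT = r"""
Incident Status Location

Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-37036d16-6d30b1e4.zip[BaaaaBaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-37036d16-6d30b1e4.zip[Dex.class]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\smitRem\Process.exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@doubleclick[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\bhackney.SRH4\Cookies\bhackney@zedo[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Kids\Cookies\kids@888[1].txt
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\bhackney.SRHFINANCIAL\Local Settings\Temp\Temporary Internet Files\Content.IE5\DJJZ95WA\asian02[1].htm
Adware:adware/webattaker Not disinfected C:\WINDOWS\uniq
"""

# The incident column can contain spaces ("Potentially unwanted tool:..."),
# so it is matched non-greedily up to one of the status words Panda uses here.
ROW_RE = re.compile(r"^(?P<incident>.+?) (?P<status>Disinfected|Not disinfected) (?P<path>.+)$")
# Windows XP profile root; anything outside it is attributed to the system.
PROFILE_RE = re.compile(r"^C:\\Documents and Settings\\([^\\]+)(?:\\|$)", re.IGNORECASE)
# Java applet cache location (lowercase for case-insensitive matching)
JAVA_CACHE = "\\sun\\java\\deployment\\cache\\"


def profile_of(path):
    """User profile a path belongs to, or "(system)" for paths outside any profile."""
    m = PROFILE_RE.match(path)
    return m.group(1) if m else "(system)"


def parse_report(text):
    """Turn the flat report into row dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        category, _, family = m["incident"].partition(":")
        rows.append({
            "category": category,   # Virus / Spyware / Adware / Potentially unwanted tool
            "family": family,       # JS/Downloader.NOE, Cookie/Zedo, ...
            "status": m["status"],
            "path": m["path"],
            "profile": profile_of(m["path"]),
        })
    return rows


def is_tracking_cookie(row):
    return row["family"].lower().startswith("cookie/")


def triage(rows):
    """Split rows into cookies (count only), fixed (already cleaned) and open items."""
    cookies = [r for r in rows if is_tracking_cookie(r)]
    fixed = [r for r in rows if r["status"] == "Disinfected" and not is_tracking_cookie(r)]
    open_items = [r for r in rows if r["status"] != "Disinfected" and not is_tracking_cookie(r)]
    notes = []
    if any(JAVA_CACHE in r["path"].lower() for r in fixed):
        notes.append("cleaned items live in the Java applet cache: they were fetched by a "
                     "browser-loaded applet, so clear the Java cache as well")
    return {
        "cookies": len(cookies),
        "cookie_profiles": Counter(r["profile"] for r in cookies),
        "fixed": [r["path"] for r in fixed],
        "open": [(r["category"], r["family"], r["path"]) for r in open_items],
        "notes": notes,
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"tracking cookies: {result['cookies']} {dict(result['cookie_profiles'])}")
    print("cleaned:", *result["fixed"], sep="\n  ")
    print("still open:", *result["open"], sep="\n  ")
    print("notes:", *result["notes"], sep="\n  ")
```

On the full report the "open" list is short enough to reason about one row at a time: the smitRem Process.exe hits are a removal tool the poster put there himself, while the remaining adware rows under Temporary Internet Files and C:\WINDOWS are the ones a helper would follow up on.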

Post by Trogan » April 21st, 2007, 11:15 am

Hi Bob,

I'm away for the weekend. I'll get back to you soon.
Trogan
MRU Teacher Emeritus
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Bob in AZ » April 21st, 2007, 11:16 am

OK - have a good weekend
Bob in AZ
Active Member
 
Posts: 9
Joined: April 17th, 2007, 12:39 am

Unread postby Bob in AZ » April 22nd, 2007, 12:39 pm

Hey, Trogan - Today I tried to run Ad-Aware and the AVG anti-spyware programs. As regularly happens lately, these programs (and the older Ewido, before I replaced it) "hang" without completing, generating the "Windows has encountered a problem . . . must shut down" error message, which of course terminates the program and reverts to desktop.

EACH TIME THIS HAPPENS the status/progress bar or screen shows this file:
c:\Documents and Settings\Kids\Local Settings\Temp\Temporary Internet Files\Content.IE5\FRP5X51Y

I used Windows' "search" feature to locate this file (folder, actually) and was sent to the desktop after the same shutdown message if I waited too long after the search found it or if I tried to delete it (when I was quick enough).

I don't see any mention of the string FRP5X51Y in the Panda or HiJack reports last posted, but this seems to be a persistent error (I noticed the same file/folder in connection with the AVG shutdown mentioned in my initial post). So, a couple of questions:
1. Could this have something to do with redirecting my 'net searches?
2. I don't want ANY temporary internet file that won't allow me to delete it - how can I kill this pest?

Thanks.
Bob in AZ
Active Member
 
Posts: 9
Joined: April 17th, 2007, 12:39 am

Unread postby Bob in AZ » April 22nd, 2007, 11:40 pm

Quick update - SpyBot runs without hanging; AVG rootkit cleaner also hangs.
Bob in AZ
Active Member
 
Posts: 9
Joined: April 17th, 2007, 12:39 am

Unread postby Trogan » April 23rd, 2007, 6:29 am

Hi Bob. There are no signs of malware in your log.

Please do the following...

1. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!

Double-click ATF Cleaner.exe to open it.

Under Main select the following:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch
  • Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

2. Download this file to your Desktop - combofix.exe
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Bob in AZ » April 23rd, 2007, 11:24 am

Hi, Trogan. The first time I tried to run ATF, it hung, had to close and sent an error message to Microsoft. I then ran ComboFix, which altered my Hosts file (according to WinPatrol) and produced the following report when it was finished:

04-08-04 00:56      65999    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\kdtcv.exe.vir
07-04-23 06:17      37080    --a------    C:\Qoobox\Quarantine\Registry_backups\winlogon.reg.cf


Folder PATH listing
Volume serial number is C8E3-4234
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |       \---system32
    |               kdtcv.exe.vir
    |               
    \---Registry_backups
            winlogon.reg.cf
            


I then was able to run ATF successfully, but was unable to run ComboFix again (I got some rapid DOS messages saying the program/file was "already installed"
Bob in AZ
Active Member
 
Posts: 9
Joined: April 17th, 2007, 12:39 am

Unread postby Trogan » April 24th, 2007, 7:45 am

Hi Bob,

Glad to hear the programs are running back to normal.

As for ComboFix, did it produce a report in Notepad? You can find the log at C:\combofix.txt. Could you post that here please.

I'm not sure what would cause the delay in programs, sorry.

Could I see one more log please.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Bob in AZ » April 24th, 2007, 8:58 am

Trogan - actually, ComboFix did NOT generate "combofix.txt" when I first ran it, only the quarantine file. Perhaps those messages I saw about the program "already in use" mean it was trying to generate such a file but I interfered with it?

>>>>>>>In any case, I ran it again and here's the report:

"bhackney" - 07-04-24 5:33:25 Service Pack 2
ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\bhackney.SRH4\Desktop\Downloads\"


((((((((((((((((((((((((((((((( Files Created from 2007-03-24 to 2007-04-24 ))))))))))))))))))))))))))))))))))


2007-04-23 08:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-04-23 06:26 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-22 14:11 <DIR> d-------- C:\Program Files\BillP Studios
2007-04-20 12:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-19 11:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-19 10:13 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-19 10:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-16 21:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-16 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-04-16 17:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-04-16 16:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-31 09:09 4,456,448 --a------ C:\DOCUME~1\BHACKN~2.SRH\ntuser.dat
2007-03-30 16:48 <DIR> d-------- C:\DOCUME~1\BHACKN~2.SRH\APPLIC~1\MailFrontier
2007-03-29 17:25 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-03-29 17:25 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-03-29 17:25 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-03-28 10:43 <DIR> d-------- C:\EAW SAV
2007-03-26 08:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YNAB
2007-03-26 08:04 <DIR> d-------- C:\YNAB Pro


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-23 06:22 -------- d-------- C:\DOCUME~1\BHACKN~2.SRH\APPLIC~1\winpatrol
2007-04-20 14:08 -------- d-------- C:\Program Files\navnt
2007-04-20 13:57 -------- d-------- C:\Program Files\google
2007-03-29 17:28 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-23 07:52 -------- d-------- C:\Program Files\moneytools
2007-03-17 06:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 11:27 -------- d-------- C:\DOCUME~1\BHACKN~2.SRH\APPLIC~1\real
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-05 07:07 -------- d-------- C:\DOCUME~1\BHACKN~2.SRH\APPLIC~1\viewpoint
2007-02-05 13:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} C:\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-2512832447-3499852398-3877017340-1172\scripts\logon\0\0
script REG_SZ \\srhfinancial.corp\SysVol\srhfinancial.corp\scripts\srh_logon.bat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-2512832447-3499852398-3877017340-1186\scripts\logon\0\0
script REG_SZ \\srhfinancial.corp\SysVol\srhfinancial.corp\scripts\bc_logon.bat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-2512832447-3499852398-3877017340-1207\scripts\logon\0\0
script REG_SZ \\srhfinancial.corp\SysVol\srhfinancial.corp\scripts\bc_logon.bat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-2512832447-3499852398-3877017340-1212\scripts\logon\0\0
script REG_SZ \\srhfinancial.corp\SysVol\srhfinancial.corp\scripts\bc_logon.bat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-2512832447-3499852398-3877017340-1214\scripts\logon\0\0
script REG_SZ \\srhfinancial.corp\SysVol\srhfinancial.corp\scripts\bc_logon.bat


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Capinst.exe

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-24 05:41:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-24 5:44:06
C:\ComboFix-quarantined-files.txt ... 07-04-24 05:44

==============================

>>>>>>>>Here is the uninstall.list from HiJack:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 8
AOL Deskbar
AOL Toolbar
AOL You've Got Pictures Screensaver
Apple Software Update
AVG 7.5
AVG Anti-Rootkit Free
AVG Anti-Spyware 7.5
Billionaire II v.1.07
Business Plan Pro 4.0
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
Capitalism II
del.icio.us Buttons for Internet Explorer
European Air War
Galactic Civilizations II Demo
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
Hearts of Iron 2
Hearts of Iron II Research Assistant
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IL-2 Sturmovik: Forgotten Battles
Industryplayer 4.0
IngenMoney Pro 3.0
Intel(R) PRO Ethernet Adapter and Software
InterBase
iPod for Windows 2005-03-23
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Lemonade Tycoon
Medieval - Total War (TM) - Viking Invasion (TM)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
Money Tools
MSN Music Assistant
Norton AntiVirus Corporate Edition
Panda ActiveScan
QuickBooks Premier Edition 2004
QuickTime
Railroad Tycoon II - Platinum
Railroad Tycoon II - The Next Millenium
RealPlayer
Risk II
Rome - Total War
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Sid Meier's Pirates!
SoundMAX
Spybot - Search & Destroy 1.4
Starfleet Command II - Demo
Tropico
ubi.com
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Viewpoint Media Player
WebEx
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinPatrol
WinPatrol
WinPatrol
WinZip
Yahoo! Toolbar
YNAB Pro version 1.2.6.0
ZoneAlarm
Bob in AZ
Active Member
 
Posts: 9
Joined: April 17th, 2007, 12:39 am

Unread postby Trogan » April 24th, 2007, 11:28 am

Hi Bob,

Bob in AZ wrote:
Trogan - actually, ComboFix did NOT generate "combofix.txt" when I first ran it, only the quarantine file. Perhaps those messages I saw about the program "already in use" mean it was trying to generate such a file but I interfered with it?

Could be, but it doesn't matter now.

Everything looks fine in those logs. However, you need to update Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement."
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
    • J2SE Runtime Environment 5.0 Update 10
    • J2SE Runtime Environment 5.0 Update 11
    • J2SE Runtime Environment 5.0 Update 4
    • J2SE Runtime Environment 5.0 Update 6
    • J2SE Runtime Environment 5.0 Update 8
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

How is the computer?
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
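Trogan's point above is that each of the five J2SE 5.0 entries in the uninstall list is a separately registered, still-loadable runtime, so all of them must go, not just the oldest. The script below is an added example (not part of the thread or of HijackThis) that reads an uninstall list in the format Bob posted and sorts the Java entries into "remove" and "keep"; the `Java(TM) 6 Update 1` entry in the sample is constructed to exercise the "keep" path, and the pattern for that newer naming style is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Java lines from the uninstall list posted in the
# thread, plus one hypothetical up-to-date entry and two non-Java lines.
SAMPLE_UNINSTALL_LIST = """\
Ad-Aware SE Personal
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Java(TM) 6 Update 1
Spybot - Search & Destroy 1.4
"""

# Two naming styles: "J2SE Runtime Environment 5.0 Update 11" as it appears in
# the posted list, and "Java(TM) 6 Update 1" / "Java(TM) SE Runtime Environment
# 6 Update 1" for the newer line (assumed naming, not taken from the thread).
_J2SE = re.compile(r"^J2SE Runtime Environment (\d+)\.(\d+) Update (\d+)$")
_JAVA6 = re.compile(r"^Java\(TM\) (?:SE Runtime Environment )?(\d+) Update (\d+)$")


def parse_java_version(entry: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) for a Java runtime entry, or None if the
    entry is not a Java runtime. "J2SE ... 5.0 Update 11" -> (5, 11)."""
    entry = entry.strip()
    m = _J2SE.match(entry)
    if m:
        return int(m.group(1)), int(m.group(3))
    m = _JAVA6.match(entry)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def audit_java(uninstall_list: str,
               current: Tuple[int, int] = (6, 1)) -> Dict[str, List[str]]:
    """Split the Java runtimes found in an uninstall list into those older
    than `current` (to remove) and those at or above it (to keep).

    Each entry is its own installation: installing a newer JRE does not
    unregister the older ones, so a browser plug-in or applet can still be
    loaded with a stale, vulnerable runtime until every old entry is gone.
    """
    found: List[Tuple[Tuple[int, int], str]] = []
    for line in uninstall_list.splitlines():
        version = parse_java_version(line)
        if version is not None:
            found.append((version, line.strip()))
    found.sort()  # numeric sort: Update 4 < Update 10, unlike a string sort
    report: Dict[str, List[str]] = {"remove": [], "keep": []}
    for version, name in found:
        report["remove" if version < current else "keep"].append(name)
    return report


if __name__ == "__main__":
    result = audit_java(SAMPLE_UNINSTALL_LIST)
    print("Remove via Add/Remove Programs:")
    for name in result["remove"]:
        print("  -", name)
    print("Keep:")
    for name in result["keep"]:
        print("  -", name)
```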

Unread postby Bob in AZ » April 24th, 2007, 12:10 pm

Hey, Trogan - everything is running smoothly. In fact, I think the slow loading I've noticed is just related to trying to open programs while the TSRs (WinPatrol, ZoneAlarm, WinZip, AVG, etc.) are trying to load at logon - uh, I've always been a bit impatient.

I sincerely appreciate you (and MWR) for helping me out with this. I'm even thinking of signing up for MRUniversity. Thanks again!

Regards, Bob Hackney
Bob in AZ
Active Member
 
Posts: 9
Joined: April 17th, 2007, 12:39 am