Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Hijacked, Extra web pages opening on their own.

Re: Hijacked, Extra web pages opening on their own.

Post by tracemate » March 6th, 2008, 7:08 pm

Hi,
Tried running ComboFix.
It deleted three files, then started stage 1, etc.
It got to stage 8 completed and hung the computer; I waited ages but no movement.
I've located the text file, C:\combofix.txt:
ComboFix 08-03-05.3 - Gary Fullick 2008-03-06 22:37:18.2 - NTFSx86
Running from: C:\Documents and Settings\Gary Fullick\Desktop\ComboFix.exe

I've been online for a while posting this and no windows have appeared.

New HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:06, on 2008-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\MSSQL7\binn\sqlagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhos;<local>;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [OWS Setup CmdLine] "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /pkg "Office 2000 Server Extensions"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {65E8E2DC-186A-4AAC-9E56-FDC683055A9E} (CNetOnlineInstall Control) - http://www.download.com/html/dl/bug2116 ... nstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promot ... WebAAS.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/6c5 ... taller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... -0-3-0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office Server Extensions Notification Service (OWSTimer) - Unknown owner - C:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9958 bytes

Still no windows opened. I'm sure they would have normally.
Thanks
Gary
tracemate
Regular Member
Posts: 18
Joined: March 4th, 2008, 7:20 pm
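The HijackThis log above is read section by section (R1 proxy settings, O2 browser helper objects, O4 autostarts, O16 downloaded ActiveX controls, O20 Winlogon notify DLLs, O23 services). As an added example, not code from this thread, from the poster, or from the HijackThis tool, here is a small Python parser for that line format with a few first-pass triage heuristics. The sample log embedded below is constructed for the example (the autostart path, the download URL and the names in it are invented), and the flagging rules are this example's own conservative heuristics, not anything HijackThis itself does; a hit means "look at this first", not "this is malware".

```python
"""Minimal HijackThis (HJT) log triage (added example, not HJT's own code).

Every HJT entry line has the shape "<code> - <detail>", e.g.
    O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe"
parse_hjt() groups the details by section code; flag_entries() applies a few
heuristics a helper would eyeball first.
"""
import re
from collections import defaultdict

# Section codes used by HJT 2.x: R0-R3 (IE registry values) and O1..O24.
_ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Constructed sample in the HJT 2.0.2 format; paths, names and the URL are
# invented for this example and are not taken from the posted log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://proxy.example.invalid:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Application Data\updater.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Player) - http://example.invalid/controls/player.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Office Server Extensions Notification Service (OWSTimer) - Unknown owner - C:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_hjt(text):
    """Return {section_code: [detail, ...]} for every entry line in `text`.

    Header lines ("Logfile of ...", "Platform: ...") and blank lines are skipped.
    """
    sections = defaultdict(list)
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def flag_entries(sections):
    """Apply triage heuristics; return a list of (code, reason, detail)."""
    findings = []
    # R1: a per-user proxy silently routes all IE traffic through that host.
    for d in sections.get("R1", []):
        if "ProxyServer" in d:
            findings.append(("R1", "browser proxy configured", d))
    # O4: autostarts living under a user profile or a temp directory are
    # unusual for legitimate software, which installs to Program Files.
    for d in sections.get("O4", []):
        low = d.lower()
        if "documents and settings" in low or "\\temp\\" in low:
            findings.append(("O4", "autostart from user profile / temp path", d))
    # O16: ActiveX controls fetched over plain http can be swapped in transit.
    for d in sections.get("O16", []):
        if re.search(r"\bhttp://", d):
            findings.append(("O16", "ActiveX download over plain http", d))
    # O20: Winlogon Notify DLLs are loaded into winlogon.exe as SYSTEM.
    for d in sections.get("O20", []):
        findings.append(("O20", "DLL loaded by winlogon", d))
    # O23: a service with no publisher string deserves a look.
    for d in sections.get("O23", []):
        if "Unknown owner" in d:
            findings.append(("O23", "service with unknown owner", d))
    return findings


def triage(text):
    """Parse a log and return its findings in one call."""
    return flag_entries(parse_hjt(text))


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}: {detail}")
```

On the constructed sample this flags five entries: the proxy, the profile-path autostart, the http download, the Winlogon notify DLL and the one service with no owner string; the second O23 line, which names its publisher, is left alone. Every flagged line still needs a human to decide whether it is a known-good product (the SUPERAntiSpyware notify DLL in the sample, for instance) or the cause of the hijack.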

Re: Hijacked, Extra web pages opening on their own.

Post by km2357 » March 6th, 2008, 10:55 pm

That's great that no windows popped up. :) It was strange that ComboFix didn't complete. The log you posted is very, very short compared to a normal ComboFix log.

Can you try running ComboFix again? This time, disconnect the computer completely from the Internet, then disable all your security programs (anti-virus, firewall, anti-spyware), and then run ComboFix. Once it's done, post any ComboFix.txt files you find in C:\ or C:\ComboFix. There may be multiple files, named ComboFix.txt, ComboFix1.txt, etc. Once ComboFix is done, re-enable everything and connect your computer back to the 'Net.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijacked, Extra web pages opening on their own.

Post by tracemate » March 7th, 2008, 3:19 pm

Hi,
Finally got ComboFix to finish.
Log below:

ComboFix 08-03-05.3 - Gary Fullick 2008-03-07 17:39:45.4 - NTFSx86
Running from: C:\Documents and Settings\Gary Fullick\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\MyWebSearch\
.
---- Previous Run -------
.
C:\Documents and Settings\Chris fullick\err.log
c:\Documents and Settings\Gary Fullick\Local Settings\Application Data\jzbpufney.dat
c:\documents and settings\gary fullick\local settings\application data\jzbpufney.exe
c:\Documents and Settings\Gary Fullick\Local Settings\Application Data\jzbpufney_nav.dat
c:\Documents and Settings\Gary Fullick\Local Settings\Application Data\jzbpufney_navps.dat
C:\Documents and Settings\Gary Fullick\Local Settings\Application Data\ltkjzvzbt_navfx.dat
C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\MyWebSearch\

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 13:37 . 2008-03-07 13:37 <DIR> d-------- C:\Documents and Settings\Chris fullick\Application Data\Malwarebytes
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\Malwarebytes
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 22:52 . 2008-03-05 21:57 3,116 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-04 22:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-04 22:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-04 22:43 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-04 22:43 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-04 22:43 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-04 22:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-04 22:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-04 18:21 . 2008-03-04 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 12:34 . 2008-03-07 17:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 12:34 . 2008-03-02 12:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-01 13:37 . 2008-03-01 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-01 13:36 . 2008-03-01 13:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 00:32 . 2008-03-01 00:32 <DIR> d-------- C:\Documents and Settings\Carol Fullick.TRACEMATE\Application Data\Lavasoft
2008-02-28 01:40 . 2008-02-28 01:40 <DIR> d-------- C:\Documents and Settings\Chris fullick\Application Data\SUPERAntiSpyware.com
2008-02-27 20:49 . 2008-03-01 13:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 20:49 . 2008-02-27 20:49 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\SUPERAntiSpyware.com
2008-02-27 20:38 . 2008-03-01 16:37 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-23 19:23 . 2008-03-01 20:19 <DIR> d-------- C:\Program Files\Macrogaming
2008-02-23 14:12 . 2008-02-23 17:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 14:12 . 2008-02-23 14:12 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\VideoEgg
2008-02-20 21:49 . 2008-02-23 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 17:51 124,395,552 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-07 13:39 1,459,520 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-07 07:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-05 03:22 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\Azureus
2008-03-04 20:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-01 20:19 --------- d-----w C:\Program Files\TightVNC
2008-02-28 20:32 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\Nokia
2008-02-23 14:12 --------- d-----w C:\Program Files\SSC Service Utility
2008-01-26 20:36 3 ----a-w C:\winptfd.dat
2008-01-23 14:26 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\cs
2008-01-21 19:25 --------- d-----w C:\Program Files\iTunes
2008-01-21 19:25 --------- d-----w C:\Program Files\iPod
2008-01-21 19:18 --------- d-----w C:\Program Files\Bonjour
2008-01-21 19:17 --------- d-----w C:\Program Files\QuickTime
2008-01-20 16:27 --------- d-----w C:\Program Files\Auction Sentry
2008-01-17 23:46 --------- d-----w C:\Program Files\PishTech
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-19 18:20 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-19 18:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-26 21:13 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-20 20:01 49152]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2003-07-29 04:31 61440]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 09:29 40960]
"OWS Setup CmdLine"="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" [2004-08-03 23:56 188480]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 07:24 579072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 21:21 53248 C:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 09:48 36864 C:\WINDOWS\system32\BTSetBootKey.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 20:01 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=interceptor.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\syste

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 3.0 SE Calendar Checker.lnk]
backup=C:\WINDOWS\pss\Ulead Photo Express 3.0 SE Calendar Checker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gary Fullick^Start Menu^Programs^Startup^Launch K9.lnk]
backup=C:\WINDOWS\pss\Launch K9.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-04-26 07:29 237568 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-04-11 16:52 1409024 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-21 14:19 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 20:00:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-26 19:15:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.1.30.7.sxt _RegistrationOffer@16
"2008-03-03 22:14:19 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-05 03:30:01 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
"2005-12-30 01:57:46 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-03-07 17:25:56 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-04 20:05:05 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 17:50:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-07 18:02:30
ComboFix-quarantined-files.txt 2008-03-07 18:02:21
.
2008-02-14 03:19:34 --- E O F ---



New HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:16:18, on 07/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\MSSQL7\binn\sqlagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhos;<local>;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [OWS Setup CmdLine] "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /pkg "Office 2000 Server Extensions"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {65E8E2DC-186A-4AAC-9E56-FDC683055A9E} (CNetOnlineInstall Control) - http://www.download.com/html/dl/bug2116 ... nstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promot ... WebAAS.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/6c5 ... taller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... -0-3-0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office Server Extensions Notification Service (OWSTimer) - Unknown owner - C:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10254 bytes


After turning the computer back on today, extra windows were back, all the normal ones.
The first time I opened IE there were no tool bars just a complete google page, I did not get extra pages like this.
I exited and re-opened and they were back as were the tool bars.
As I type now no other windows have opened yet.

Cheers
Gary
tracemate
Regular Member

Re: Hijacked, Extra web pages opening on their own.

Post by km2357 » March 8th, 2008, 4:11 am

Hi.

Just wanted to let you know I'm researching something in your ComboFix Log. I'll be back with you as soon as I can.
km2357
MRU Master

Re: Hijacked, Extra web pages opening on their own.

Post by km2357 » March 8th, 2008, 9:22 pm

Step # 1: Run CFScript

Please delete the version of ComboFix you have on your computer; I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.


  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    
    Registry:: 
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Image



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step # 2: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

You must be using Internet Explorer; Kaspersky does not work with Firefox.

Click Accept

You will be prompted to install an ActiveX component from Kaspersky.
Click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

    • Scan using the following Anti-Virus database:

      Extended (if available, otherwise Standard)

    • Scan Options:

      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.

    • Now click on the Save as Text button.
  • Once finished, save the log to your Desktop as filename KAV.txt.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.


In your next post/reply, I need to see the ComboFix log, the Kaspersky results (KAV.txt) and a fresh HijackThis log. Also, let me know how your computer is running. Any problems?
km2357
MRU Master
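The CFScript in km2357's post above resets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages to its Windows XP default, the single string scecli: the hex(7) bytes 73,63,65,63,6c,69,00,00 are "scecli" followed by the two NUL terminators of a REG_MULTI_SZ. Every DLL named in that value is loaded into LSASS and handed each password change in the clear, so the list is a legitimate Windows hook that malware reuses for persistence and credential capture, which is why a helper checks it (the ComboFix log posted later in this thread renders the value as ":\WINDOWS\syste", not scecli). The Python below is an added example, not code from the thread or from ComboFix: it decodes and re-encodes REGEDIT4-style hex(7) values, as ComboFix's Registry:: section writes them, and flags any package other than scecli. The KNOWN_GOOD set and the "example_filter" name in the constructed tampered value are assumptions for illustration, not findings from this machine.

```python
"""Decode / encode REGEDIT4-style hex(7) (REG_MULTI_SZ) values and audit the
LSA "Notification Packages" list that the CFScript above resets.

Added example, not part of the forum post. Assumes the REGEDIT4 (ANSI, 8-bit)
encoding that ComboFix uses; a "Windows Registry Editor Version 5.00" file
would store the same value as UTF-16LE (73,00,63,00,...).
"""
import re
from typing import Iterable, List

# Assumption: on Windows XP the default list holds only scecli (the Security
# Configuration Engine client). Servers may legitimately add others (rassfm);
# anything else deserves a look, since LSASS loads it from system32.
KNOWN_GOOD = {"scecli"}


def parse_hex7(value: str) -> bytes:
    """Turn 'hex(7):73,63,...' into raw bytes.

    .reg files wrap long values with a trailing backslash and continue on the
    next line; both the backslash and the line break are dropped here.
    """
    m = re.match(r"\s*hex\(7\):(.*)", value, re.S)
    if not m:
        raise ValueError("not a hex(7) value")
    body = m.group(1).replace("\\\n", "").replace("\\", "")
    parts = [p.strip() for p in body.split(",") if p.strip()]
    return bytes(int(p, 16) for p in parts)


def decode_multi_sz(raw: bytes, encoding: str = "cp1252") -> List[str]:
    """Split the NUL-separated, double-NUL-terminated buffer into strings."""
    items = raw.decode(encoding).split("\x00")
    while items and items[-1] == "":      # strip the terminator entries
        items.pop()
    return items


def encode_hex7(strings: Iterable[str], encoding: str = "cp1252") -> str:
    """Inverse of parse_hex7 + decode_multi_sz: build the .reg representation."""
    raw = b"".join(s.encode(encoding) + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def audit_notification_packages(value: str) -> List[str]:
    """Return every package name that is not in KNOWN_GOOD.

    Each returned name is a DLL that LSASS will load from %SystemRoot%\\system32
    and notify of every password change, so each one needs to be identified.
    """
    return [s for s in decode_multi_sz(parse_hex7(value))
            if s.lower() not in KNOWN_GOOD]


# Constructed inputs: the exact line from the CFScript, and a hypothetical
# tampered value with an extra package called "example_filter" (invented for
# this example; it does not appear in any log in the thread).
CLEAN = "hex(7):73,63,65,63,6c,69,00,00"
TAMPERED = encode_hex7(["scecli", "example_filter"])

if __name__ == "__main__":
    print(decode_multi_sz(parse_hex7(CLEAN)))     # ['scecli']
    print(audit_notification_packages(CLEAN))     # []
    print(audit_notification_packages(TAMPERED))  # ['example_filter']
```

To check a live XP box instead of a .reg line, export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` and feed the "Notification Packages" line to audit_notification_packages; the decode handles the wrapped hex that reg.exe writes.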

Re: Hijacked, Extra web pages opening on their own.

Post by tracemate » March 9th, 2008, 8:33 am

Hi,
Combofix Log

ComboFix 08-03-08.2 - Gary Fullick 2008-03-09 11:52:18.6 - NTFSx86
Running from: C:\Documents and Settings\Gary Fullick\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\MyWebSearch\

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-07 13:37 . 2008-03-07 13:37 <DIR> d-------- C:\Documents and Settings\Chris fullick\Application Data\Malwarebytes
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\Malwarebytes
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 22:52 . 2008-03-05 21:57 3,116 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-04 22:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-04 22:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-04 22:43 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-04 22:43 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-04 22:43 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-04 22:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-04 22:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-04 18:21 . 2008-03-04 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 12:34 . 2008-03-09 11:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 12:34 . 2008-03-02 12:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-01 13:37 . 2008-03-01 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-01 13:36 . 2008-03-01 13:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 00:32 . 2008-03-01 00:32 <DIR> d-------- C:\Documents and Settings\Carol Fullick.TRACEMATE\Application Data\Lavasoft
2008-02-28 01:40 . 2008-02-28 01:40 <DIR> d-------- C:\Documents and Settings\Chris fullick\Application Data\SUPERAntiSpyware.com
2008-02-27 20:49 . 2008-03-01 13:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 20:49 . 2008-02-27 20:49 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\SUPERAntiSpyware.com
2008-02-27 20:38 . 2008-03-01 16:37 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-23 19:23 . 2008-03-01 20:19 <DIR> d-------- C:\Program Files\Macrogaming
2008-02-23 14:12 . 2008-02-23 17:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 14:12 . 2008-02-23 14:12 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\VideoEgg
2008-02-20 21:49 . 2008-02-23 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 11:44 564,224 ----a-w C:\WINDOWS\Internet Logs\xDBBB.tmp
2008-03-09 11:44 1,530,368 ----a-w C:\WINDOWS\Internet Logs\xDBBC.tmp
2008-03-09 11:41 127,381,536 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-09 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-08 19:35 --------- d-----w C:\Program Files\MSN Messenger
2008-03-08 11:06 1,460,768 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-05 03:22 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\Azureus
2008-03-04 20:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-01 20:19 --------- d-----w C:\Program Files\TightVNC
2008-02-28 20:32 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\Nokia
2008-02-23 14:12 --------- d-----w C:\Program Files\SSC Service Utility
2008-02-19 13:11 1,661,952 ----a-w C:\WINDOWS\Internet Logs\xDBBA.tmp
2008-01-26 20:36 3 ----a-w C:\winptfd.dat
2008-01-23 14:26 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\cs
2008-01-21 19:25 --------- d-----w C:\Program Files\iTunes
2008-01-21 19:25 --------- d-----w C:\Program Files\iPod
2008-01-21 19:18 --------- d-----w C:\Program Files\Bonjour
2008-01-21 19:17 --------- d-----w C:\Program Files\QuickTime
2008-01-20 16:27 --------- d-----w C:\Program Files\Auction Sentry
2008-01-17 23:46 --------- d-----w C:\Program Files\PishTech
2008-01-04 01:52 1,110,016 ----a-w C:\WINDOWS\Internet Logs\xDBB9.tmp
2007-12-10 00:16 2,171,392 ----a-w C:\WINDOWS\Internet Logs\xDBB7.tmp
2007-12-10 00:16 1,346,048 ----a-w C:\WINDOWS\Internet Logs\xDBB8.tmp
2007-12-04 03:24 1,338,880 ----a-w C:\WINDOWS\Internet Logs\xDBB6.tmp
2007-11-18 15:36 2,626,560 ----a-w C:\WINDOWS\Internet Logs\xDBB4.tmp
2007-11-18 15:35 2,626,560 ----a-w C:\WINDOWS\Internet Logs\xDBB5.tmp
2007-11-09 17:43 2,616,320 ----a-w C:\WINDOWS\Internet Logs\xDBB3.tmp
2007-10-15 22:41 33,452,045 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-09-21 19:39 2,528,768 ----a-w C:\WINDOWS\Internet Logs\xDBB2.tmp
2007-09-03 18:59 2,464,768 ----a-w C:\WINDOWS\Internet Logs\xDBB1.tmp
2007-08-21 19:57 214,528 ----a-w C:\WINDOWS\Internet Logs\xDBB0.tmp
2007-08-20 11:07 2,417,664 ----a-w C:\WINDOWS\Internet Logs\xDBAF.tmp
2007-08-19 16:15 2,416,640 ----a-w C:\WINDOWS\Internet Logs\xDBFD.tmp
2007-08-17 16:37 2,419,200 ----a-w C:\WINDOWS\Internet Logs\xDBAE.tmp
2007-08-11 09:30 2,402,304 ----a-w C:\WINDOWS\Internet Logs\xDBAD.tmp
2007-08-05 20:21 2,400,256 ----a-w C:\WINDOWS\Internet Logs\xDBAC.tmp
2007-08-03 22:53 2,399,232 ----a-w C:\WINDOWS\Internet Logs\xDBAB.tmp
2007-07-31 15:11 2,391,040 ----a-w C:\WINDOWS\Internet Logs\xDBAA.tmp
2007-07-30 14:44 2,383,360 ----a-w C:\WINDOWS\Internet Logs\xDBA8.tmp
2007-07-12 21:04 2,357,248 ----a-w C:\WINDOWS\Internet Logs\xDBA7.tmp
2007-07-10 19:09 94,720 ----a-w C:\WINDOWS\Internet Logs\xDBA6.tmp
2007-06-29 23:17 1,083,904 ----a-w C:\WINDOWS\Internet Logs\xDBA5.tmp
2007-06-27 20:43 2,310,656 ----a-w C:\WINDOWS\Internet Logs\xDBA4.tmp
2007-06-10 00:13 2,285,568 ----a-w C:\WINDOWS\Internet Logs\xDBA3.tmp
2007-06-02 00:55 2,278,912 ----a-w C:\WINDOWS\Internet Logs\xDBA2.tmp
2007-04-04 22:44 1,920,000 ----a-w C:\WINDOWS\Internet Logs\xDBA1.tmp
2006-09-19 23:39 1,865,216 ----a-w C:\WINDOWS\Internet Logs\xDBA0.tmp
2006-09-09 09:10 2,811,392 ----a-w C:\WINDOWS\Internet Logs\xDB9E.tmp
2006-09-09 09:10 1,841,152 ----a-w C:\WINDOWS\Internet Logs\xDB9F.tmp
2006-08-27 08:49 1,824,256 ----a-w C:\WINDOWS\Internet Logs\xDBA9.tmp
2006-08-26 23:15 1,823,744 ----a-w C:\WINDOWS\Internet Logs\xDB9D.tmp
2006-08-20 21:04 1,842,176 ----a-w C:\WINDOWS\Internet Logs\xDB9C.tmp
2006-04-21 23:42 795,136 ----a-w C:\WINDOWS\Internet Logs\xDB9B.tmp
2006-04-11 10:53 2,648,064 ----a-w C:\WINDOWS\Internet Logs\xDB9A.tmp
2005-11-12 01:46 839,168 ----a-w C:\WINDOWS\Internet Logs\xDB99.tmp
2005-10-02 08:58 12,283,581 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_10_02_09_46_38.dmp.zip
2005-10-02 08:49 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB94.tmp
2005-10-02 08:49 17,920 ----a-w C:\WINDOWS\Internet Logs\xDB96.tmp
2005-10-01 23:56 83,456 ----a-w C:\WINDOWS\Internet Logs\xDB95.tmp
2005-10-01 23:55 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB93.tmp
2005-09-09 01:54 2,740,736 ----a-w C:\WINDOWS\Internet Logs\xDB97.tmp
2005-09-09 01:54 183,296 ----a-w C:\WINDOWS\Internet Logs\xDB98.tmp
2005-08-29 00:17 17,920 ----a-w C:\WINDOWS\Internet Logs\xDB92.tmp
2005-08-29 00:07 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB91.tmp
2005-08-28 23:18 54,272 ----a-w C:\WINDOWS\Internet Logs\xDB90.tmp
2005-08-28 23:18 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB8F.tmp
2005-08-26 13:59 424,960 ----a-w C:\WINDOWS\Internet Logs\xDB8E.tmp
2005-08-26 13:59 2,740,224 ----a-w C:\WINDOWS\Internet Logs\xDB8D.tmp
2005-08-05 16:38 2,746,880 ----a-w C:\WINDOWS\Internet Logs\xDB8B.tmp
2005-08-05 16:32 43,520 ----a-w C:\WINDOWS\Internet Logs\xDB8C.tmp
2005-08-03 01:58 249,344 ----a-w C:\WINDOWS\Internet Logs\xDB8A.tmp
2005-08-03 01:58 2,712,576 ----a-w C:\WINDOWS\Internet Logs\xDB89.tmp
2005-07-24 04:40 83,456 ----a-w C:\WINDOWS\Internet Logs\xDB88.tmp
2005-07-24 04:40 2,568,704 ----a-w C:\WINDOWS\Internet Logs\xDB86.tmp
2005-07-15 16:40 2,565,120 ----a-w C:\WINDOWS\Internet Logs\xDB85.tmp
2005-07-15 12:20 187,392 ----a-w C:\WINDOWS\Internet Logs\xDB87.tmp
2005-07-04 13:17 2,512,896 ----a-w C:\WINDOWS\Internet Logs\xDB82.tmp
2005-07-02 20:37 160,768 ----a-w C:\WINDOWS\Internet Logs\xDB81.tmp
2005-07-02 20:36 2,512,896 ----a-w C:\WINDOWS\Internet Logs\xDB80.tmp
2005-06-23 17:06 124,928 ----a-w C:\WINDOWS\Internet Logs\xDB7F.tmp
2005-06-23 16:54 2,493,952 ----a-w C:\WINDOWS\Internet Logs\xDB7E.tmp
2005-06-17 00:38 2,488,832 ----a-w C:\WINDOWS\Internet Logs\xDB7C.tmp
2005-06-17 00:38 175,616 ----a-w C:\WINDOWS\Internet Logs\xDB7D.tmp
2005-06-10 16:24 2,496,000 ----a-w C:\WINDOWS\Internet Logs\xDB79.tmp
2005-06-10 16:24 130,048 ----a-w C:\WINDOWS\Internet Logs\xDB7A.tmp
2005-06-04 13:25 2,496,000 ----a-w C:\WINDOWS\Internet Logs\xDB77.tmp
2005-06-04 13:25 162,816 ----a-w C:\WINDOWS\Internet Logs\xDB78.tmp
2005-06-01 19:19 2,488,832 ----a-w C:\WINDOWS\Internet Logs\xDB7B.tmp
2005-05-29 12:16 854,016 ----a-w C:\WINDOWS\Internet Logs\xDB76.tmp
2005-05-29 11:44 2,481,152 ----a-w C:\WINDOWS\Internet Logs\xDB75.tmp
2005-04-25 23:26 175,616 ----a-w C:\WINDOWS\Internet Logs\xDB74.tmp
2005-04-25 23:23 2,409,472 ----a-w C:\WINDOWS\Internet Logs\xDB73.tmp
2005-04-20 11:49 625,664 ----a-w C:\WINDOWS\Internet Logs\xDB72.tmp
2005-04-20 11:45 2,409,472 ----a-w C:\WINDOWS\Internet Logs\xDB71.tmp
2005-04-09 16:09 77,312 ----a-w C:\WINDOWS\Internet Logs\xDB70.tmp
2005-04-09 16:09 2,381,824 ----a-w C:\WINDOWS\Internet Logs\xDB6F.tmp
2005-04-08 14:51 6,866,815 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_04_08_15_47_14.dmp.zip
2005-04-08 14:46 25,088 ----a-w C:\WINDOWS\Internet Logs\xDB6D.tmp
2005-04-08 14:46 2,388,480 ----a-w C:\WINDOWS\Internet Logs\xDB6C.tmp
2005-04-08 13:09 23,552 ----a-w C:\WINDOWS\Internet Logs\xDB6B.tmp
.

((((((((((((((((((((((((((((( snapshot@2008-03-07_18.01.41.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-16 19:53:50 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2008-03-08 19:35:43 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2008-03-09 11:47:32 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_390.dat
- 2006-06-05 13:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 14:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
- 2006-06-05 13:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 14:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
- 2006-06-05 13:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
+ 2006-06-05 14:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-19 18:20 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-19 18:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-19 18:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-26 21:13 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-20 20:01 49152]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2003-07-29 04:31 61440]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 09:29 40960]
"OWS Setup CmdLine"="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" [2004-08-03 23:56 188480]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 07:24 579072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 21:21 53248 C:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 09:48 36864 C:\WINDOWS\system32\BTSetBootKey.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 20:01 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=interceptor.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\syste

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 3.0 SE Calendar Checker.lnk]
backup=C:\WINDOWS\pss\Ulead Photo Express 3.0 SE Calendar Checker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gary Fullick^Start Menu^Programs^Startup^Launch K9.lnk]
backup=C:\WINDOWS\pss\Launch K9.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-04-26 07:29 237568 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-04-11 16:52 1409024 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-21 14:19 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 20:00:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-26 19:15:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.1.30.7.sxt _RegistrationOffer@16
"2008-03-03 22:14:19 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-09 03:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
"2005-12-30 01:57:46 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-03-09 11:45:44 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-04 20:05:05 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 12:02:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 12:09:30
ComboFix-quarantined-files.txt 2008-03-09 12:09:23
ComboFix2.txt 2008-03-09 11:42:07
ComboFix3.txt 2008-03-07 18:02:31
.
2008-02-14 03:19:34 --- E O F ---

Having trouble downloading the Kaspersky scanner; it has been going 20 minutes with no change.
This may be due to the ActiveX. I can run Flash Player in FF but it will not work in IE.

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:22, on 09/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\MSSQL7\binn\sqlagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhos;<local>;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [OWS Setup CmdLine] "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /pkg "Office 2000 Server Extensions"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {65E8E2DC-186A-4AAC-9E56-FDC683055A9E} (CNetOnlineInstall Control) - http://www.download.com/html/dl/bug2116 ... nstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promot ... WebAAS.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/6c5 ... taller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... -0-3-0.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office Server Extensions Notification Service (OWSTimer) - Unknown owner - C:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10357 bytes

The computer is running ok on line now, no extra web pages loading.
Cheers
Gary
tracemate
Regular Member
 
Posts: 18
Joined: March 4th, 2008, 7:20 pm

Re: Hijacked, Extra web pages opening on their own.

Unread postby tracemate » March 9th, 2008, 8:38 am

Hi,
Just been to the Adobe Flash Player download.
It comes up "failed to download"; this was the reason I started using FF, as I could not get it to install on IE.
This may be the problem with Kaspersky installing.
Gary
tracemate
Regular Member
 
Posts: 18
Joined: March 4th, 2008, 7:20 pm

Re: Hijacked, Extra web pages opening on their own.

Unread postby km2357 » March 9th, 2008, 4:21 pm

Hi, you didn't run the CFScript for ComboFix. Please follow the instructions below and run ComboFix again:

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Registry:: 
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Image



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Let's try another online scan instead of Kaspersky:



Step # 1: Run Panda Online Scan
Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: it will take a couple of minutes)
- Click on "Local Disks" to start the scan
- Save the log file to your desktop


Post the Panda Log in your next reply/post.


In your next post/reply, I need to see the ComboFix and Panda logs.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijacked, Extra web pages opening on their own.

Unread postby tracemate » March 10th, 2008, 8:14 pm

Hi,
I've tried the Panda scan twice now. It looks like it's running, but after 20 minutes I gave up each time.
The CFScript was probably my fault: as it started scanning I remembered I had AVG and ZoneAlarm running, so I stopped it, disabled these, then re-ran it.
New Log

ComboFix 08-03-08.2 - Gary Fullick 2008-03-10 19:33:00.7 - NTFSx86
Running from: C:\Documents and Settings\Gary Fullick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gary Fullick\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\MyWebSearch\

.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-09 12:18 . 2008-03-09 12:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 12:18 . 2008-03-09 12:35 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-09 12:18 . 2008-03-09 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-07 13:37 . 2008-03-07 13:37 <DIR> d-------- C:\Documents and Settings\Chris fullick\Application Data\Malwarebytes
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\Malwarebytes
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 22:52 . 2008-03-05 21:57 3,116 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-04 22:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-04 22:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-04 22:43 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-04 22:43 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-04 22:43 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-04 22:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-04 22:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-04 18:21 . 2008-03-04 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 12:34 . 2008-03-10 19:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 12:34 . 2008-03-02 12:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-01 13:37 . 2008-03-01 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-01 13:36 . 2008-03-01 13:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 00:32 . 2008-03-01 00:32 <DIR> d-------- C:\Documents and Settings\Carol Fullick.TRACEMATE\Application Data\Lavasoft
2008-02-28 01:40 . 2008-02-28 01:40 <DIR> d-------- C:\Documents and Settings\Chris fullick\Application Data\SUPERAntiSpyware.com
2008-02-27 20:49 . 2008-03-01 13:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 20:49 . 2008-02-27 20:49 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\SUPERAntiSpyware.com
2008-02-27 20:38 . 2008-03-01 16:37 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-23 19:23 . 2008-03-01 20:19 <DIR> d-------- C:\Program Files\Macrogaming
2008-02-23 14:12 . 2008-02-23 17:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 14:12 . 2008-02-23 14:12 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\VideoEgg
2008-02-20 21:49 . 2008-02-23 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 19:46 127,719,456 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-10 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-08 19:35 --------- d-----w C:\Program Files\MSN Messenger
2008-03-08 11:06 1,460,768 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-05 03:22 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\Azureus
2008-03-04 20:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-01 20:19 --------- d-----w C:\Program Files\TightVNC
2008-02-28 20:32 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\Nokia
2008-02-23 14:12 --------- d-----w C:\Program Files\SSC Service Utility
2008-01-26 20:36 3 ----a-w C:\winptfd.dat
2008-01-23 14:26 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\cs
2008-01-21 19:25 --------- d-----w C:\Program Files\iTunes
2008-01-21 19:25 --------- d-----w C:\Program Files\iPod
2008-01-21 19:18 --------- d-----w C:\Program Files\Bonjour
2008-01-21 19:17 --------- d-----w C:\Program Files\QuickTime
2008-01-20 16:27 --------- d-----w C:\Program Files\Auction Sentry
2008-01-17 23:46 --------- d-----w C:\Program Files\PishTech
2004-06-18 10:05 45,056 ----a-w C:\WINDOWS\inf\Slntinst.exe
2003-08-22 10:09 45,056 ----a-w C:\WINDOWS\inf\slntinst_staticW2k.exe
2002-03-26 02:43 349,636 ------w C:\WINDOWS\Fonts\uninst65.tmp
.

((((((((((((((((((((((((((((( snapshot@2008-03-07_18.01.41.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-16 19:53:50 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2008-03-08 19:35:43 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-12-03 16:39:18 112,016 ----a-w C:\WINDOWS\system32\Macromed\Download\Download.dll
+ 2007-12-03 16:39:18 59,717 ----a-w C:\WINDOWS\system32\Macromed\Download\Install.exe
+ 2008-03-09 12:13:07 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_70.dat
- 2006-06-05 13:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 14:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
- 2006-06-05 13:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 14:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
- 2006-06-05 13:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
+ 2006-06-05 14:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-19 18:20 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-19 18:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-19 18:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-26 21:13 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-20 20:01 49152]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2003-07-29 04:31 61440]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 09:29 40960]
"OWS Setup CmdLine"="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" [2004-08-03 23:56 188480]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 07:24 579072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 21:21 53248 C:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 09:48 36864 C:\WINDOWS\system32\BTSetBootKey.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 20:01 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=interceptor.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\syste

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 3.0 SE Calendar Checker.lnk]
backup=C:\WINDOWS\pss\Ulead Photo Express 3.0 SE Calendar Checker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gary Fullick^Start Menu^Programs^Startup^Launch K9.lnk]
backup=C:\WINDOWS\pss\Launch K9.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-04-26 07:29 237568 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-04-11 16:52 1409024 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-21 14:19 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 20:00:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-26 19:15:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-03-03 22:14:19 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-10 03:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
- C:\Program Files\RegistrySmart
"2005-12-30 01:57:46 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-03-10 17:00:00 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-04 20:05:05 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 19:46:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-10 19:56:18
ComboFix-quarantined-files.txt 2008-03-10 19:56:01
ComboFix2.txt 2008-03-09 12:09:31
ComboFix3.txt 2008-03-09 11:42:07
ComboFix4.txt 2008-03-07 18:02:31
.
2008-02-14 03:19:34 --- E O F ---


New HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:12:38, on 11/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhos;<local>;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [OWS Setup CmdLine] "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /pkg "Office 2000 Server Extensions"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1790521817-3293823761-810355832-1009\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (User 'Chris fullick')
O4 - HKUS\S-1-5-21-1790521817-3293823761-810355832-1009\..\Run: [msnmsgr] ~"C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Chris fullick')
O4 - HKUS\S-1-5-21-1790521817-3293823761-810355832-1009\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Chris fullick')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {65E8E2DC-186A-4AAC-9E56-FDC683055A9E} (CNetOnlineInstall Control) - http://www.download.com/html/dl/bug2116 ... nstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promot ... WebAAS.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/6c5 ... taller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... -0-3-0.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office Server Extensions Notification Service (OWSTimer) - Unknown owner - C:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10841 bytes


Could it be my ActiveX settings stopping me running the checks?

I seem to be cured of the extra pages opening.
Cheers
Gary
tracemate
Regular Member
 
Posts: 18
Joined: March 4th, 2008, 7:20 pm

Re: Hijacked, Extra web pages opening on their own.

Unread postby km2357 » March 11th, 2008, 2:07 am

There's still one line in the ComboFix log that won't go. I've made a modification to the CFScript; let's try it again. Before running it, disconnect from the internet and disable all your security programs. Once ComboFix is done, you can re-enable everything. And let's try another scan; hopefully the third time's the charm. :)


Step # 1: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

Also delete the CFScript.txt that is on your Desktop.


  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Registry:: 
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Image



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Please go to the Eset website to perform an online scan. Please use Internet Explorer, as the scanner uses ActiveX.

  1. Check (tick) this box: YES, I accept the Terms of Use.
  2. Click on the Start button next to it.
  3. When prompted to run ActiveX, click Yes.
  4. You will be asked to install an ActiveX. Click Install.
  5. Once installed, the scanner will be initialized.
  6. After the scanner is initialized, click Start.
  7. Uncheck (untick) Remove found threats box.
  8. Check (tick) Scan unwanted applications.
  9. Click on Scan.
  10. It will start scanning. Please be patient.
  11. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.


Post the ComboFix and Eset logs in your next post.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijacked, Extra web pages opening on their own.

Unread postby tracemate » March 12th, 2008, 2:43 pm

Hi,
The online scan took forever; in the end I went to bed leaving it running. Logs below.

ComboFix 08-03-10.1 - Gary Fullick 2008-03-11 21:52:12.8 - NTFSx86
Running from: C:\Documents and Settings\Gary Fullick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gary Fullick\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\MyWebSearch\

.
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-09 12:18 . 2008-03-09 12:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 12:18 . 2008-03-09 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-07 13:37 . 2008-03-07 13:37 <DIR> d-------- C:\Documents and Settings\Chris fullick\Application Data\Malwarebytes
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\Malwarebytes
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 22:52 . 2008-03-05 21:57 3,116 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-04 22:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-04 22:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-04 22:43 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-04 22:43 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-04 22:43 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-04 22:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-04 22:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-04 18:21 . 2008-03-04 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 12:34 . 2008-03-11 21:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 12:34 . 2008-03-02 12:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-01 13:37 . 2008-03-01 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-01 13:36 . 2008-03-01 13:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 00:32 . 2008-03-01 00:32 <DIR> d-------- C:\Documents and Settings\Carol Fullick.TRACEMATE\Application Data\Lavasoft
2008-02-28 01:40 . 2008-02-28 01:40 <DIR> d-------- C:\Documents and Settings\Chris fullick\Application Data\SUPERAntiSpyware.com
2008-02-27 20:49 . 2008-03-01 13:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 20:49 . 2008-02-27 20:49 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\SUPERAntiSpyware.com
2008-02-27 20:38 . 2008-03-01 16:37 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-23 19:23 . 2008-03-01 20:19 <DIR> d-------- C:\Program Files\Macrogaming
2008-02-23 14:12 . 2008-02-23 17:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 14:12 . 2008-02-23 14:12 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\VideoEgg
2008-02-20 21:49 . 2008-02-23 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 21:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-11 16:29 89,600 ----a-w C:\WINDOWS\Internet Logs\xDBBD.tmp
2008-03-11 16:29 1,532,416 ----a-w C:\WINDOWS\Internet Logs\xDBBE.tmp
2008-03-11 16:22 130,885,664 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-11 00:22 1,500,896 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-09 11:44 564,224 ----a-w C:\WINDOWS\Internet Logs\xDBBB.tmp
2008-03-09 11:44 1,530,368 ----a-w C:\WINDOWS\Internet Logs\xDBBC.tmp
2008-03-08 19:35 --------- d-----w C:\Program Files\MSN Messenger
2008-03-05 03:22 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\Azureus
2008-03-04 20:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-01 20:19 --------- d-----w C:\Program Files\TightVNC
2008-02-28 20:32 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\Nokia
2008-02-23 14:12 --------- d-----w C:\Program Files\SSC Service Utility
2008-02-19 13:11 1,661,952 ----a-w C:\WINDOWS\Internet Logs\xDBBA.tmp
2008-01-26 20:36 3 ----a-w C:\winptfd.dat
2008-01-23 14:26 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\cs
2008-01-21 19:25 --------- d-----w C:\Program Files\iTunes
2008-01-21 19:25 --------- d-----w C:\Program Files\iPod
2008-01-21 19:18 --------- d-----w C:\Program Files\Bonjour
2008-01-21 19:17 --------- d-----w C:\Program Files\QuickTime
2008-01-20 16:27 --------- d-----w C:\Program Files\Auction Sentry
2008-01-17 23:46 --------- d-----w C:\Program Files\PishTech
2008-01-04 01:52 1,110,016 ----a-w C:\WINDOWS\Internet Logs\xDBB9.tmp
2007-12-10 00:16 2,171,392 ----a-w C:\WINDOWS\Internet Logs\xDBB7.tmp
2007-12-10 00:16 1,346,048 ----a-w C:\WINDOWS\Internet Logs\xDBB8.tmp
2007-12-04 03:24 1,338,880 ----a-w C:\WINDOWS\Internet Logs\xDBB6.tmp
2007-11-18 15:36 2,626,560 ----a-w C:\WINDOWS\Internet Logs\xDBB4.tmp
2007-11-18 15:35 2,626,560 ----a-w C:\WINDOWS\Internet Logs\xDBB5.tmp
2007-11-09 17:43 2,616,320 ----a-w C:\WINDOWS\Internet Logs\xDBB3.tmp
2007-10-15 22:41 33,452,045 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-09-21 19:39 2,528,768 ----a-w C:\WINDOWS\Internet Logs\xDBB2.tmp
2007-09-03 18:59 2,464,768 ----a-w C:\WINDOWS\Internet Logs\xDBB1.tmp
2007-08-21 19:57 214,528 ----a-w C:\WINDOWS\Internet Logs\xDBB0.tmp
2007-08-20 11:07 2,417,664 ----a-w C:\WINDOWS\Internet Logs\xDBAF.tmp
2007-08-19 16:15 2,416,640 ----a-w C:\WINDOWS\Internet Logs\xDBFD.tmp
2007-08-17 16:37 2,419,200 ----a-w C:\WINDOWS\Internet Logs\xDBAE.tmp
2007-08-11 09:30 2,402,304 ----a-w C:\WINDOWS\Internet Logs\xDBAD.tmp
2007-08-05 20:21 2,400,256 ----a-w C:\WINDOWS\Internet Logs\xDBAC.tmp
2007-08-03 22:53 2,399,232 ----a-w C:\WINDOWS\Internet Logs\xDBAB.tmp
2007-07-31 15:11 2,391,040 ----a-w C:\WINDOWS\Internet Logs\xDBAA.tmp
2007-07-30 14:44 2,383,360 ----a-w C:\WINDOWS\Internet Logs\xDBA8.tmp
2007-07-12 21:04 2,357,248 ----a-w C:\WINDOWS\Internet Logs\xDBA7.tmp
2007-07-10 19:09 94,720 ----a-w C:\WINDOWS\Internet Logs\xDBA6.tmp
2007-06-29 23:17 1,083,904 ----a-w C:\WINDOWS\Internet Logs\xDBA5.tmp
2007-06-27 20:43 2,310,656 ----a-w C:\WINDOWS\Internet Logs\xDBA4.tmp
2007-06-10 00:13 2,285,568 ----a-w C:\WINDOWS\Internet Logs\xDBA3.tmp
2007-06-02 00:55 2,278,912 ----a-w C:\WINDOWS\Internet Logs\xDBA2.tmp
2007-04-04 22:44 1,920,000 ----a-w C:\WINDOWS\Internet Logs\xDBA1.tmp
2006-09-19 23:39 1,865,216 ----a-w C:\WINDOWS\Internet Logs\xDBA0.tmp
2006-09-09 09:10 2,811,392 ----a-w C:\WINDOWS\Internet Logs\xDB9E.tmp
2006-09-09 09:10 1,841,152 ----a-w C:\WINDOWS\Internet Logs\xDB9F.tmp
2006-08-27 08:49 1,824,256 ----a-w C:\WINDOWS\Internet Logs\xDBA9.tmp
2006-08-26 23:15 1,823,744 ----a-w C:\WINDOWS\Internet Logs\xDB9D.tmp
2006-08-20 21:04 1,842,176 ----a-w C:\WINDOWS\Internet Logs\xDB9C.tmp
2006-04-21 23:42 795,136 ----a-w C:\WINDOWS\Internet Logs\xDB9B.tmp
2006-04-11 10:53 2,648,064 ----a-w C:\WINDOWS\Internet Logs\xDB9A.tmp
2005-11-12 01:46 839,168 ----a-w C:\WINDOWS\Internet Logs\xDB99.tmp
2005-10-02 08:58 12,283,581 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_10_02_09_46_38.dmp.zip
2005-10-02 08:49 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB94.tmp
2005-10-02 08:49 17,920 ----a-w C:\WINDOWS\Internet Logs\xDB96.tmp
2005-10-01 23:56 83,456 ----a-w C:\WINDOWS\Internet Logs\xDB95.tmp
2005-10-01 23:55 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB93.tmp
2005-09-09 01:54 2,740,736 ----a-w C:\WINDOWS\Internet Logs\xDB97.tmp
2005-09-09 01:54 183,296 ----a-w C:\WINDOWS\Internet Logs\xDB98.tmp
2005-08-29 00:17 17,920 ----a-w C:\WINDOWS\Internet Logs\xDB92.tmp
2005-08-29 00:07 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB91.tmp
2005-08-28 23:18 54,272 ----a-w C:\WINDOWS\Internet Logs\xDB90.tmp
2005-08-28 23:18 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB8F.tmp
2005-08-26 13:59 424,960 ----a-w C:\WINDOWS\Internet Logs\xDB8E.tmp
2005-08-26 13:59 2,740,224 ----a-w C:\WINDOWS\Internet Logs\xDB8D.tmp
2005-08-05 16:38 2,746,880 ----a-w C:\WINDOWS\Internet Logs\xDB8B.tmp
2005-08-05 16:32 43,520 ----a-w C:\WINDOWS\Internet Logs\xDB8C.tmp
2005-08-03 01:58 249,344 ----a-w C:\WINDOWS\Internet Logs\xDB8A.tmp
2005-08-03 01:58 2,712,576 ----a-w C:\WINDOWS\Internet Logs\xDB89.tmp
2005-07-24 04:40 83,456 ----a-w C:\WINDOWS\Internet Logs\xDB88.tmp
2005-07-24 04:40 2,568,704 ----a-w C:\WINDOWS\Internet Logs\xDB86.tmp
2005-07-15 16:40 2,565,120 ----a-w C:\WINDOWS\Internet Logs\xDB85.tmp
2005-07-15 12:20 187,392 ----a-w C:\WINDOWS\Internet Logs\xDB87.tmp
2005-07-04 13:17 2,512,896 ----a-w C:\WINDOWS\Internet Logs\xDB82.tmp
2005-07-02 20:37 160,768 ----a-w C:\WINDOWS\Internet Logs\xDB81.tmp
2005-07-02 20:36 2,512,896 ----a-w C:\WINDOWS\Internet Logs\xDB80.tmp
2005-06-23 17:06 124,928 ----a-w C:\WINDOWS\Internet Logs\xDB7F.tmp
2005-06-23 16:54 2,493,952 ----a-w C:\WINDOWS\Internet Logs\xDB7E.tmp
2005-06-17 00:38 2,488,832 ----a-w C:\WINDOWS\Internet Logs\xDB7C.tmp
2005-06-17 00:38 175,616 ----a-w C:\WINDOWS\Internet Logs\xDB7D.tmp
2005-06-10 16:24 2,496,000 ----a-w C:\WINDOWS\Internet Logs\xDB79.tmp
2005-06-10 16:24 130,048 ----a-w C:\WINDOWS\Internet Logs\xDB7A.tmp
2005-06-04 13:25 2,496,000 ----a-w C:\WINDOWS\Internet Logs\xDB77.tmp
2005-06-04 13:25 162,816 ----a-w C:\WINDOWS\Internet Logs\xDB78.tmp
2005-06-01 19:19 2,488,832 ----a-w C:\WINDOWS\Internet Logs\xDB7B.tmp
2005-05-29 12:16 854,016 ----a-w C:\WINDOWS\Internet Logs\xDB76.tmp
2005-05-29 11:44 2,481,152 ----a-w C:\WINDOWS\Internet Logs\xDB75.tmp
2005-04-25 23:26 175,616 ----a-w C:\WINDOWS\Internet Logs\xDB74.tmp
2005-04-25 23:23 2,409,472 ----a-w C:\WINDOWS\Internet Logs\xDB73.tmp
2005-04-20 11:49 625,664 ----a-w C:\WINDOWS\Internet Logs\xDB72.tmp
2005-04-20 11:45 2,409,472 ----a-w C:\WINDOWS\Internet Logs\xDB71.tmp
2005-04-09 16:09 77,312 ----a-w C:\WINDOWS\Internet Logs\xDB70.tmp
2005-04-09 16:09 2,381,824 ----a-w C:\WINDOWS\Internet Logs\xDB6F.tmp
2005-04-08 14:51 6,866,815 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_04_08_15_47_14.dmp.zip
2005-04-08 14:46 25,088 ----a-w C:\WINDOWS\Internet Logs\xDB6D.tmp
.

((((((((((((((((((((((((((((( snapshot@2008-03-07_18.01.41.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-16 19:53:50 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2008-03-08 19:35:43 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-03-11 16:31:45 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_c4.dat
- 2006-06-05 13:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 14:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
- 2006-06-05 13:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 14:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
- 2006-06-05 13:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
+ 2006-06-05 14:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-19 18:20 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-19 18:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-19 18:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-26 21:13 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-20 20:01 49152]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2003-07-29 04:31 61440]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 09:29 40960]
"OWS Setup CmdLine"="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" [2004-08-03 23:56 188480]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 07:24 579072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 21:21 53248 C:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 09:48 36864 C:\WINDOWS\system32\BTSetBootKey.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 20:01 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=interceptor.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\syste

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 3.0 SE Calendar Checker.lnk]
backup=C:\WINDOWS\pss\Ulead Photo Express 3.0 SE Calendar Checker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gary Fullick^Start Menu^Programs^Startup^Launch K9.lnk]
backup=C:\WINDOWS\pss\Launch K9.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-04-26 07:29 237568 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-04-11 16:52 1409024 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-21 14:19 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 20:00:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-11 19:15:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.1.30.7.sxt _RegistrationOffer@16
"2008-03-10 22:00:06 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-10 03:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
"2005-12-30 01:57:46 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-03-11 21:15:35 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-11 20:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 22:03:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-11 22:10:35
ComboFix-quarantined-files.txt 2008-03-11 22:10:28
ComboFix2.txt 2008-03-10 19:56:20
ComboFix3.txt 2008-03-09 12:09:31
ComboFix4.txt 2008-03-09 11:42:07
ComboFix5.txt 2008-03-07 18:02:31
.
2008-02-14 03:19:34 --- E O F ---


NEXT


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2938 (20080311)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=0397ee15c9921a44853f33a328aa3e06
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-03-12 01:48:17
# local_time=2008-03-12 01:48:18 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=362622
# found=0
# scan_time=12203


There was also a debug log

# vers_standard_module=2938 (20080311)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)

Cheers
Gary
tracemate
Regular Member
 
Posts: 18
Joined: March 4th, 2008, 7:20 pm

Re: Hijacked, Extra web pages opening on their own.

Unread postby km2357 » March 12th, 2008, 3:38 pm

The ESET scan came back clean, which is good. :) However, that CF line I want to remove is still there. :( Please run the following CFScript, hopefully it will get it this time. We are almost done. :)

Step # 1: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

Also delete the CFScript.txt from your Desktop; you will be creating and running a new one.



  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KillAll::
    
    Registry::
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    [screenshot: dragging CFScript.txt onto ComboFix.exe]



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
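The CFScript in this post (and the identical one in km2357's earlier post) rewrites the LSA "Notification Packages" value, which the ComboFix log shows as a damaged `REG_MULTI_SZ :\WINDOWS\syste`; packages listed there are loaded into LSASS, so an unexpected entry is worth flagging. As an added example that is not part of the forum post or of ComboFix, the Python below decodes the `hex(7)` form used in the script (showing it encodes only the default package `scecli`), rebuilds it, and audits a decoded list against a baseline; the baseline of just `scecli` is an assumption for a stock Windows XP install, and `CONSTRUCTED_EXTRA` is a constructed placeholder name.

```python
"""Decode and audit a REG_MULTI_SZ value written in .reg / CFScript hex(7) form.

Added example, not part of the forum post or of ComboFix. It reads the
"Notification Packages" line from the CFScript above and checks the decoded
list against the single package Windows XP ships by default ("scecli").
"""
import re

# Assumption: a stock Windows XP machine lists only scecli here.
BASELINE_PACKAGES = {"scecli"}

# Constructed copy of the CFScript registry section from the post above.
CFSCRIPT = r'''Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
'''


def find_value(reg_text: str, name: str) -> str:
    """Return the raw right-hand side of "name"=... with continuation lines joined.

    .reg files break long hex values across lines with a trailing backslash.
    """
    pattern = re.compile(r'^"' + re.escape(name) + r'"=(.*?)(?<!\\)$', re.M | re.S)
    m = pattern.search(reg_text)
    if not m:
        raise KeyError(name)
    return re.sub(r'\\\s*', '', m.group(1))


def parse_reg_hex7(value: str, utf16: bool = False) -> list[str]:
    """Decode hex(7):aa,bb,... into the list of strings it encodes.

    REGEDIT4 files (what ComboFix writes) store one byte per character;
    "Windows Registry Editor Version 5.00" files store UTF-16LE, hence utf16.
    """
    m = re.match(r'\s*hex\(7\):(.*)', value, re.S)
    if not m:
        raise ValueError("not a hex(7) value: %r" % value)
    hex_part = re.sub(r'\\\s*', '', m.group(1))   # join continued lines
    hex_part = re.sub(r'\s+', '', hex_part)
    raw = bytes(int(tok, 16) for tok in hex_part.split(',') if tok)
    text = raw.decode('utf-16-le' if utf16 else 'latin-1')
    parts = text.split('\x00')
    # A MULTI_SZ ends with an empty string; drop it and any padding.
    while parts and parts[-1] == '':
        parts.pop()
    return parts


def to_reg_hex7(packages: list[str]) -> str:
    """Inverse of parse_reg_hex7 for REGEDIT4 (one byte per character)."""
    raw = b''.join(p.encode('latin-1') + b'\x00' for p in packages) + b'\x00'
    return 'hex(7):' + ','.join('%02x' % b for b in raw)


def audit_notification_packages(packages, baseline=BASELINE_PACKAGES):
    """Return entries not in the baseline (registry names are case-insensitive)."""
    allowed = {b.lower() for b in baseline}
    return [p for p in packages if p.lower() not in allowed]


if __name__ == "__main__":
    value = find_value(CFSCRIPT, "Notification Packages")
    pkgs = parse_reg_hex7(value)
    print("CFScript sets Notification Packages to:", pkgs)
    print("unexpected entries:", audit_notification_packages(pkgs))
    # Constructed value with an extra, non-default package to show a hit.
    extra = to_reg_hex7(["scecli", "CONSTRUCTED_EXTRA"])
    print("flagged:", audit_notification_packages(parse_reg_hex7(extra)))
```

The same decoder reads any `hex(7)` value exported with `REGEDIT4`, so it also serves to check what a ComboFix log's other `REG_MULTI_SZ` loading points actually contain.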

Re: Hijacked, Extra web pages opening on their own.

Unread postby tracemate » March 12th, 2008, 5:03 pm

Hi,

Combofix log

ComboFix 08-03-10.1 - Gary Fullick 2008-03-12 20:28:54.9 - NTFSx86
Running from: C:\Documents and Settings\Gary Fullick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gary Fullick\Desktop\CFscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\MyWebSearch\

.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-11 22:24 . 2008-03-12 01:48 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-09 12:18 . 2008-03-09 12:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 12:18 . 2008-03-09 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-07 13:37 . 2008-03-07 13:37 <DIR> d-------- C:\Documents and Settings\Chris fullick\Application Data\Malwarebytes
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\Malwarebytes
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 22:52 . 2008-03-05 21:57 3,116 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-04 22:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-04 22:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-04 22:43 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-04 22:43 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-04 22:43 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-04 22:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-04 22:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-04 18:21 . 2008-03-04 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 12:34 . 2008-03-11 22:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 12:34 . 2008-03-02 12:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-01 13:37 . 2008-03-01 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-01 13:36 . 2008-03-01 13:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 00:32 . 2008-03-01 00:32 <DIR> d-------- C:\Documents and Settings\Carol Fullick.TRACEMATE\Application Data\Lavasoft
2008-02-28 01:40 . 2008-02-28 01:40 <DIR> d-------- C:\Documents and Settings\Chris fullick\Application Data\SUPERAntiSpyware.com
2008-02-27 20:49 . 2008-03-01 13:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 20:49 . 2008-02-27 20:49 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\SUPERAntiSpyware.com
2008-02-27 20:38 . 2008-03-01 16:37 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-23 19:23 . 2008-03-01 20:19 <DIR> d-------- C:\Program Files\Macrogaming
2008-02-23 14:12 . 2008-02-23 17:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 14:12 . 2008-02-23 14:12 <DIR> d-------- C:\Documents and Settings\Gary Fullick\Application Data\VideoEgg
2008-02-20 21:49 . 2008-02-23 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 20:40 138,840,096 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-12 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-11 22:12 1,501,448 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-11 16:29 89,600 ----a-w C:\WINDOWS\Internet Logs\xDBBD.tmp
2008-03-11 16:29 1,532,416 ----a-w C:\WINDOWS\Internet Logs\xDBBE.tmp
2008-03-09 11:44 564,224 ----a-w C:\WINDOWS\Internet Logs\xDBBB.tmp
2008-03-09 11:44 1,530,368 ----a-w C:\WINDOWS\Internet Logs\xDBBC.tmp
2008-03-08 19:35 --------- d-----w C:\Program Files\MSN Messenger
2008-03-05 03:22 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\Azureus
2008-03-04 20:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-01 20:19 --------- d-----w C:\Program Files\TightVNC
2008-02-28 20:32 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\Nokia
2008-02-23 14:12 --------- d-----w C:\Program Files\SSC Service Utility
2008-02-19 13:11 1,661,952 ----a-w C:\WINDOWS\Internet Logs\xDBBA.tmp
2008-01-26 20:36 3 ----a-w C:\winptfd.dat
2008-01-23 14:26 --------- d-----w C:\Documents and Settings\Chris fullick\Application Data\cs
2008-01-21 19:25 --------- d-----w C:\Program Files\iTunes
2008-01-21 19:25 --------- d-----w C:\Program Files\iPod
2008-01-21 19:18 --------- d-----w C:\Program Files\Bonjour
2008-01-21 19:17 --------- d-----w C:\Program Files\QuickTime
2008-01-20 16:27 --------- d-----w C:\Program Files\Auction Sentry
2008-01-17 23:46 --------- d-----w C:\Program Files\PishTech
2008-01-04 01:52 1,110,016 ----a-w C:\WINDOWS\Internet Logs\xDBB9.tmp
2007-12-10 00:16 2,171,392 ----a-w C:\WINDOWS\Internet Logs\xDBB7.tmp
2007-12-10 00:16 1,346,048 ----a-w C:\WINDOWS\Internet Logs\xDBB8.tmp
2007-12-04 03:24 1,338,880 ----a-w C:\WINDOWS\Internet Logs\xDBB6.tmp
2007-11-18 15:36 2,626,560 ----a-w C:\WINDOWS\Internet Logs\xDBB4.tmp
2007-11-18 15:35 2,626,560 ----a-w C:\WINDOWS\Internet Logs\xDBB5.tmp
2007-11-09 17:43 2,616,320 ----a-w C:\WINDOWS\Internet Logs\xDBB3.tmp
2007-10-15 22:41 33,452,045 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-09-21 19:39 2,528,768 ----a-w C:\WINDOWS\Internet Logs\xDBB2.tmp
2007-09-03 18:59 2,464,768 ----a-w C:\WINDOWS\Internet Logs\xDBB1.tmp
2007-08-21 19:57 214,528 ----a-w C:\WINDOWS\Internet Logs\xDBB0.tmp
2007-08-20 11:07 2,417,664 ----a-w C:\WINDOWS\Internet Logs\xDBAF.tmp
2007-08-19 16:15 2,416,640 ----a-w C:\WINDOWS\Internet Logs\xDBFD.tmp
2007-08-17 16:37 2,419,200 ----a-w C:\WINDOWS\Internet Logs\xDBAE.tmp
2007-08-11 09:30 2,402,304 ----a-w C:\WINDOWS\Internet Logs\xDBAD.tmp
2007-08-05 20:21 2,400,256 ----a-w C:\WINDOWS\Internet Logs\xDBAC.tmp
2007-08-03 22:53 2,399,232 ----a-w C:\WINDOWS\Internet Logs\xDBAB.tmp
2007-07-31 15:11 2,391,040 ----a-w C:\WINDOWS\Internet Logs\xDBAA.tmp
2007-07-30 14:44 2,383,360 ----a-w C:\WINDOWS\Internet Logs\xDBA8.tmp
2007-07-12 21:04 2,357,248 ----a-w C:\WINDOWS\Internet Logs\xDBA7.tmp
2007-07-10 19:09 94,720 ----a-w C:\WINDOWS\Internet Logs\xDBA6.tmp
2007-06-29 23:17 1,083,904 ----a-w C:\WINDOWS\Internet Logs\xDBA5.tmp
2007-06-27 20:43 2,310,656 ----a-w C:\WINDOWS\Internet Logs\xDBA4.tmp
2007-06-10 00:13 2,285,568 ----a-w C:\WINDOWS\Internet Logs\xDBA3.tmp
2007-06-02 00:55 2,278,912 ----a-w C:\WINDOWS\Internet Logs\xDBA2.tmp
2007-04-04 22:44 1,920,000 ----a-w C:\WINDOWS\Internet Logs\xDBA1.tmp
2006-09-19 23:39 1,865,216 ----a-w C:\WINDOWS\Internet Logs\xDBA0.tmp
2006-09-09 09:10 2,811,392 ----a-w C:\WINDOWS\Internet Logs\xDB9E.tmp
2006-09-09 09:10 1,841,152 ----a-w C:\WINDOWS\Internet Logs\xDB9F.tmp
2006-08-27 08:49 1,824,256 ----a-w C:\WINDOWS\Internet Logs\xDBA9.tmp
2006-08-26 23:15 1,823,744 ----a-w C:\WINDOWS\Internet Logs\xDB9D.tmp
2006-08-20 21:04 1,842,176 ----a-w C:\WINDOWS\Internet Logs\xDB9C.tmp
2006-04-21 23:42 795,136 ----a-w C:\WINDOWS\Internet Logs\xDB9B.tmp
2006-04-11 10:53 2,648,064 ----a-w C:\WINDOWS\Internet Logs\xDB9A.tmp
2005-11-12 01:46 839,168 ----a-w C:\WINDOWS\Internet Logs\xDB99.tmp
2005-10-02 08:58 12,283,581 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_10_02_09_46_38.dmp.zip
2005-10-02 08:49 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB94.tmp
2005-10-02 08:49 17,920 ----a-w C:\WINDOWS\Internet Logs\xDB96.tmp
2005-10-01 23:56 83,456 ----a-w C:\WINDOWS\Internet Logs\xDB95.tmp
2005-10-01 23:55 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB93.tmp
2005-09-09 01:54 2,740,736 ----a-w C:\WINDOWS\Internet Logs\xDB97.tmp
2005-09-09 01:54 183,296 ----a-w C:\WINDOWS\Internet Logs\xDB98.tmp
2005-08-29 00:17 17,920 ----a-w C:\WINDOWS\Internet Logs\xDB92.tmp
2005-08-29 00:07 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB91.tmp
2005-08-28 23:18 54,272 ----a-w C:\WINDOWS\Internet Logs\xDB90.tmp
2005-08-28 23:18 2,738,176 ----a-w C:\WINDOWS\Internet Logs\xDB8F.tmp
2005-08-26 13:59 424,960 ----a-w C:\WINDOWS\Internet Logs\xDB8E.tmp
2005-08-26 13:59 2,740,224 ----a-w C:\WINDOWS\Internet Logs\xDB8D.tmp
2005-08-05 16:38 2,746,880 ----a-w C:\WINDOWS\Internet Logs\xDB8B.tmp
2005-08-05 16:32 43,520 ----a-w C:\WINDOWS\Internet Logs\xDB8C.tmp
2005-08-03 01:58 249,344 ----a-w C:\WINDOWS\Internet Logs\xDB8A.tmp
2005-08-03 01:58 2,712,576 ----a-w C:\WINDOWS\Internet Logs\xDB89.tmp
2005-07-24 04:40 83,456 ----a-w C:\WINDOWS\Internet Logs\xDB88.tmp
2005-07-24 04:40 2,568,704 ----a-w C:\WINDOWS\Internet Logs\xDB86.tmp
2005-07-15 16:40 2,565,120 ----a-w C:\WINDOWS\Internet Logs\xDB85.tmp
2005-07-15 12:20 187,392 ----a-w C:\WINDOWS\Internet Logs\xDB87.tmp
2005-07-04 13:17 2,512,896 ----a-w C:\WINDOWS\Internet Logs\xDB82.tmp
2005-07-02 20:37 160,768 ----a-w C:\WINDOWS\Internet Logs\xDB81.tmp
2005-07-02 20:36 2,512,896 ----a-w C:\WINDOWS\Internet Logs\xDB80.tmp
2005-06-23 17:06 124,928 ----a-w C:\WINDOWS\Internet Logs\xDB7F.tmp
2005-06-23 16:54 2,493,952 ----a-w C:\WINDOWS\Internet Logs\xDB7E.tmp
2005-06-17 00:38 2,488,832 ----a-w C:\WINDOWS\Internet Logs\xDB7C.tmp
2005-06-17 00:38 175,616 ----a-w C:\WINDOWS\Internet Logs\xDB7D.tmp
2005-06-10 16:24 2,496,000 ----a-w C:\WINDOWS\Internet Logs\xDB79.tmp
2005-06-10 16:24 130,048 ----a-w C:\WINDOWS\Internet Logs\xDB7A.tmp
2005-06-04 13:25 2,496,000 ----a-w C:\WINDOWS\Internet Logs\xDB77.tmp
2005-06-04 13:25 162,816 ----a-w C:\WINDOWS\Internet Logs\xDB78.tmp
2005-06-01 19:19 2,488,832 ----a-w C:\WINDOWS\Internet Logs\xDB7B.tmp
2005-05-29 12:16 854,016 ----a-w C:\WINDOWS\Internet Logs\xDB76.tmp
2005-05-29 11:44 2,481,152 ----a-w C:\WINDOWS\Internet Logs\xDB75.tmp
2005-04-25 23:26 175,616 ----a-w C:\WINDOWS\Internet Logs\xDB74.tmp
2005-04-25 23:23 2,409,472 ----a-w C:\WINDOWS\Internet Logs\xDB73.tmp
2005-04-20 11:49 625,664 ----a-w C:\WINDOWS\Internet Logs\xDB72.tmp
2005-04-20 11:45 2,409,472 ----a-w C:\WINDOWS\Internet Logs\xDB71.tmp
2005-04-09 16:09 77,312 ----a-w C:\WINDOWS\Internet Logs\xDB70.tmp
2005-04-09 16:09 2,381,824 ----a-w C:\WINDOWS\Internet Logs\xDB6F.tmp
2005-04-08 14:51 6,866,815 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_04_08_15_47_14.dmp.zip
2005-04-08 14:46 25,088 ----a-w C:\WINDOWS\Internet Logs\xDB6D.tmp
.

((((((((((((((((((((((((((((( snapshot@2008-03-07_18.01.41.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-16 19:53:50 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2008-03-08 19:35:43 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-07-27 14:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 14:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-05 19:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 12:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-02-11 09:39:26 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2008-02-11 09:39:18 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2008-02-08 13:53:46 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2008-02-05 08:48:04 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
+ 2004-12-07 10:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
+ 2008-03-11 22:14:35 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_6e4.dat
- 2006-06-05 13:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 14:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
- 2006-06-05 13:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 14:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
- 2006-06-05 13:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
+ 2006-06-05 14:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-19 18:20 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-19 18:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-19 18:20 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-26 21:13 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-20 20:01 49152]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2003-07-29 04:31 61440]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 09:29 40960]
"OWS Setup CmdLine"="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" [2004-08-03 23:56 188480]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 07:24 579072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 21:21 53248 C:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 09:48 36864 C:\WINDOWS\system32\BTSetBootKey.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 20:01 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=interceptor.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\syste

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 3.0 SE Calendar Checker.lnk]
backup=C:\WINDOWS\pss\Ulead Photo Express 3.0 SE Calendar Checker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gary Fullick^Start Menu^Programs^Startup^Launch K9.lnk]
backup=C:\WINDOWS\pss\Launch K9.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-04-26 07:29 237568 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-04-11 16:52 1409024 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-21 14:19 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 20:00:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-11 19:15:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.1.30.7.sxt _RegistrationOffer@16
"2008-03-10 22:00:06 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-12 03:30:01 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
"2005-12-30 01:57:46 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-03-12 17:00:00 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-11 20:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 20:40:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-12 20:48:06
ComboFix-quarantined-files.txt 2008-03-12 20:47:59
ComboFix2.txt 2008-03-11 22:10:37
ComboFix3.txt 2008-03-10 19:56:20
ComboFix4.txt 2008-03-09 12:09:31
ComboFix5.txt 2008-03-09 11:42:07
.
2008-03-12 18:33:36 --- E O F ---


Cheers
Gary
tracemate
Regular Member
 
Posts: 18
Joined: March 4th, 2008, 7:20 pm

Re: Hijacked, Extra web pages opening on their own.

Unread postby km2357 » March 12th, 2008, 5:59 pm

Hmmm... that line is still there. Let me ask the developer of ComboFix to see what he thinks.

I'll be back with you as soon as I can.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijacked, Extra web pages opening on their own.

Unread postby km2357 » March 12th, 2008, 7:31 pm

Step # 1: Run Batchfile
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the codebox to Notepad. Save it as "All Files" and name it look.bat. Please save it on your desktop.

Code:
@echo off
if exist log.txt del log.txt
set key=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
@(
swreg acl %key%
echo.
swreg query %key% | FindStr.exe -i Packages
echo.
swreg acl %key% /reset /q
swreg add %key% /v "Notification Packages" /t reg_multi_sz /d scecli
swreg acl %key% /ra:f /ro:f /q
swreg acl %key%
echo.
swreg query %key% | FindStr.exe -i Packages
)>log.txt
Start Notepad Log.txt
del %0


Double click look.bat. A window will open and close. This is normal.

Paste the results of the batch file in your next reply/post.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California