Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Pop Ups and Redirects

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Pop Ups and Redirects

Unread postby jdd18vm » January 4th, 2009, 3:03 pm

I am getting a tremendous number of pop ups and re-directs. I am using Firefox but it happens on IE as well. Tried S&D, it keeps finding the same stuff (virtumonde?). Ran vundu fix but it didnt find anything. I since unistalled S&D McAfee isnt finding anything. Here is the log, thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:42 PM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=4070816
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=4070816
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: (no name) - {571bb8ac-4b15-4549-bc6c-7268f03d7991} - C:\WINDOWS\system32\yuhituka.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {aecd346c-de2e-4de6-8ac3-03cc96ab4e24} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {C921C80C-BE8F-4CE2-9FB8-E62B2A518583} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKLM\..\Run: [DLCQCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [CPM2b76c1f9] Rundll32.exe "C:\WINDOWS\system32\kivizazu.dll",a
O4 - HKLM\..\Run: [sohokaketo] Rundll32.exe "C:\WINDOWS\system32\viyiyini.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5967] command /c del "c:\windows\system32\zukidudu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1026] cmd /c del "c:\windows\system32\zukidudu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5639] command /c del "c:\windows\system32\zarowoma.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9580] cmd /c del "c:\windows\system32\zarowoma.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7679] command /c del "c:\windows\system32\fuweyuni.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7679] cmd /c del "c:\windows\system32\fuweyuni.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7828] cmd /c del "c:\windows\system32\batujuko.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5295] command /c del "c:\windows\system32\husovetu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5046] cmd /c del "c:\windows\system32\husovetu.dll_old"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-19\..\Run: [sohokaketo] Rundll32.exe "C:\WINDOWS\system32\viyiyini.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sohokaketo] Rundll32.exe "C:\WINDOWS\system32\viyiyini.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://216.230.101.210/+CSCOL+/relayp.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.14/ttinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL hieyay.dll c:\windows\system32\bepesata.dll c:\windows\system32\reveneko.dll C:\WINDOWS\system32\foburune.dll c:\windows\system32\husovetu.dll c:\windows\system32\ c:\windows\system32\batujuko.dll c:\windows\system32\lewowesa.dll c:\windows\system32\ c:\windows\system32\fuweyuni.dll c:\windows\system32\ c:\windows\system32\vafisefa.dll c:\windows\system32\gagavosu.dll c:\windows\system32\ c:\windows\system32\hipofahi.dll c:\windows\system32\zukidudu.dll c:\windows\system32\kivizazu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kivizazu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kivizazu.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 15982 bytes
jdd18vm
Active Member
 
Posts: 5
Joined: January 1st, 2009, 4:59 pm
Advertisement
Register to Remove

Re: Pop Ups and Redirects

Unread postby Bob4 » January 5th, 2009, 8:51 pm

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant.
Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear.
So lets do this to the end!



  • Save and quit any work your doing before beginning the fix.
  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.
  • DO NOT be installing new programs while you run Hijackthis.
  • If I do not hear from you in 5 days from my last post this topic will be closed.


Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!






________________________________________________________
Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Pop Ups and Redirects

Unread postby jdd18vm » January 6th, 2009, 12:21 am

Thank you I will run the Combofix and do as you say. I committed a cardinal sin and did install (try) to install IE Beta version 8?. Now instead of pop ups I get a MS Data Execution Prevention message, which when closed pops up a MS Error Report message.
jdd18vm
Active Member
 
Posts: 5
Joined: January 1st, 2009, 4:59 pm

Re: Pop Ups and Redirects

Unread postby Bob4 » January 6th, 2009, 8:02 am

Please don't install anything until we have you Malware free.
Here is some info on uninstalling Internet explorer 8.

http://support.microsoft.com/kb/957700/
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Pop Ups and Redirects

Unread postby jdd18vm » January 6th, 2009, 8:22 pm

Thanks for the help....John

Combo Fix Log

ComboFix 09-01-05.05 - Me 2009-01-06 19:05:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1484 [GMT -5:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Me\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\GetModule
c:\windows\system32\~.exe
c:\windows\system32\akowomer.ini
c:\windows\system32\anidoyod.ini
c:\windows\system32\anowidoj.ini
c:\windows\system32\azirezay.ini
c:\windows\system32\bupodaze.dll
c:\windows\system32\dazefagu.dll
c:\windows\system32\doluwuhi.dll
c:\windows\system32\dubuwemo.dll
c:\windows\system32\duzirasa.dll
c:\windows\system32\egegidom.ini
c:\windows\system32\epejavuw.ini
c:\windows\system32\epujubak.ini
c:\windows\system32\ewapizem.ini
c:\windows\system32\gavuzeyi.dll
c:\windows\system32\hulenoli.dll
c:\windows\system32\ibokatuk.ini
c:\windows\system32\idogotok.ini
c:\windows\system32\igefuluk.ini
c:\windows\system32\ilahajop.ini
c:\windows\system32\iloneluh.ini
c:\windows\system32\ipetepiz.ini
c:\windows\system32\iyezuvag.ini
c:\windows\system32\jasoreje.dll
c:\windows\system32\jeruvote.dll
c:\windows\system32\kutakobi.dll
c:\windows\system32\ladobenu.dll
c:\windows\system32\laninejo.dll
c:\windows\system32\lelajoge.dll
c:\windows\system32\nunoruzo.dll
c:\windows\system32\ofayupub.ini
c:\windows\system32\omewubud.ini
c:\windows\system32\opunisin.ini
c:\windows\system32\ovakupap.ini
c:\windows\system32\ovozepor.ini
c:\windows\system32\patafudi.dll
c:\windows\system32\teruvobi.dll
c:\windows\system32\tumalewu.dll
c:\windows\system32\ufepokev.ini
c:\windows\system32\uhivufeg.ini
c:\windows\system32\uniboyil.ini
c:\windows\system32\unitison.ini
c:\windows\system32\uwelamut.ini
c:\windows\system32\vativise.dll
c:\windows\system32\yuhodose.dll
c:\windows\system32\zejidipe.dll
c:\windows\system32\zelayago.dll
c:\windows\system32\zoripiwo.dll
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-05 15:30 . 2009-01-05 15:30 <DIR> d--hs---- c:\documents and settings\Amanda\PrivacIE
2009-01-05 14:50 . 2009-01-05 14:50 <DIR> d-------- c:\program files\AskBarDis
2009-01-04 19:31 . 2008-04-13 19:11 81,920 --a------ c:\windows\system32\ieencode.dll
2009-01-04 19:31 . 2007-08-13 18:45 78,336 --a------ c:\windows\system32\dllcache\ieencode.dll
2009-01-04 13:31 . 2009-01-04 13:31 <DIR> d-------- C:\VundoFix Backups
2009-01-04 09:57 . 2009-01-04 09:57 <DIR> d-------- c:\documents and settings\Me\Application Data\McAfee
2009-01-01 14:22 . 2009-01-01 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-01-01 14:21 . 2009-01-01 14:21 <DIR> d-------- c:\program files\Common Files\iS3
2009-01-01 14:21 . 2009-01-01 16:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-01-01 14:02 . 2009-01-01 14:02 <DIR> d-------- c:\program files\Trend Micro
2008-12-29 11:11 . 2008-12-29 11:11 736 --a------ c:\windows\SamsungMaster.INI
2008-12-29 11:03 . 2006-11-01 15:52 765,952 --a------ c:\windows\system32\xvidcore.dll
2008-12-29 11:03 . 2003-02-21 15:42 348,160 --a------ c:\windows\system32\msvcbf24.rra
2008-12-29 11:03 . 2006-11-01 15:54 180,224 --a------ c:\windows\system32\xvidvfw.dll
2008-12-29 11:03 . 2006-11-01 16:26 77,824 --a------ c:\windows\system32\xvid.ax
2008-12-29 11:03 . 2004-03-09 11:39 8,704 --a------ c:\windows\system32\vidccleaner.exe
2008-12-26 12:40 . 2008-12-26 12:40 <DIR> d-------- c:\program files\Free Audio Pack
2008-12-26 11:29 . 2005-01-13 16:28 6,832 --a------ c:\windows\system32\PulseSoundTouchForVB.tlb
2008-12-25 09:51 . 2008-12-25 09:51 <DIR> d-------- c:\program files\Line6
2008-12-25 09:51 . 2008-12-25 10:14 <DIR> d-------- c:\documents and settings\Me\Application Data\Line 6
2008-12-25 09:51 . 2008-12-25 11:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Line 6
2008-12-24 09:56 . 2009-01-04 13:31 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-24 09:56 . 2009-01-04 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-24 00:09 . 2008-12-24 00:08 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-24 00:08 . 2009-01-04 13:44 <DIR> d-------- c:\documents and settings\Me\.housecall6.6
2008-12-11 18:33 . 2008-12-11 18:33 827,392 --a------ c:\windows\system32\L6DriverControlPanel.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 00:12 --------- d-----w c:\program files\dl_cats
2009-01-06 23:09 --------- d-----w c:\program files\McAfee
2009-01-06 22:45 --------- d-----w c:\documents and settings\Amanda\Application Data\FrostWire
2009-01-06 22:25 --------- d-----w c:\program files\FrostWire
2009-01-06 01:31 168 ----a-w c:\documents and settings\Me\Application Data\wklnhst.dat
2009-01-04 14:57 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-01 15:08 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-30 18:41 --------- d-----w c:\documents and settings\Amanda\Application Data\LimeWire
2008-12-30 18:38 --------- d-----w c:\program files\LimeWire
2008-12-29 16:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 20:51 --------- d-----w c:\program files\AskSBar
2008-12-13 03:31 --------- d-----w c:\documents and settings\Me\Application Data\Skype
2008-12-13 03:18 --------- d-----w c:\program files\Java
2008-12-11 23:33 530,560 ----a-w c:\windows\system32\drivers\GPWADrv.sys
2008-12-11 23:33 29,312 ----a-w c:\windows\system32\drivers\l6dp.sys
2008-12-07 19:33 --------- d-----w c:\program files\Norton Security Scan
2008-12-06 15:43 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-28 23:01 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-25 04:13 --------- d-----w c:\documents and settings\Amanda\Application Data\U3
2008-11-18 02:45 --------- d-----w c:\program files\PokerStars.NET
2008-11-16 15:34 --------- d-----w c:\program files\AIM6
2008-11-16 15:34 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 15:34 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-16 15:33 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-13 00:00 --------- d-----w c:\program files\MSXML 4.0
2007-08-23 22:45 60,968 ----a-w c:\documents and settings\Me\GoToAssistDownloadHelper.exe
2006-06-16 00:33 233,472 ----a-w c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 22:43 204,895 ----a-w c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 18:41 77,824 ----a-w c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 17:10 426,081 ----a-w c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 16:19 458,752 ----a-w c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 22:35 139,264 ----a-w c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 15:10 204,800 ----a-w c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 15:42 106,496 ----a-w c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 15:22 212,992 ----a-w c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 15:21 167,936 ----a-w c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2007-08-26 23:27 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-05-29 20:36 75 --sh--r c:\windows\CT4CET.bin
1601-01-01 00:12 6,144 --sha-w c:\windows\system32\miwajiho.dll
2008-09-28 18:06 81,920 --sha-w c:\windows\system32\pasaruwe.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-02-27 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-08 22:08 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-26 1838592]
"dlcqmon.exe"="c:\program files\Dell Photo AIO Printer 966\dlcqmon.exe" [2007-01-12 292336]
"DLCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-10-16 106496]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-25 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-08-16 24576]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-06-03 66864]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dlcqcoms.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Roxio\\Drag-to-Disc\\DrgToDsc.exe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LQCVFX\\COCIManager.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\IAANTmon.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LVMVFM\\LVPrcSrv.exe"=
"c:\\Program Files\\Common Files\\Roxio Shared\\9.0\\SharedCOM\\RoxWatch9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2006-09-29 530560]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2006-09-29 29312]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2008-05-29 31616]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-06 206096]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-08 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9b7fb2e-804d-11dd-ab50-0019d19100d9}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2007-08-16 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-04 c:\windows\Tasks\Norton Security Scan for Amanda.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]

2009-01-07 c:\windows\Tasks\qdbrzwfk.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
BHO-{571bb8ac-4b15-4549-bc6c-7268f03d7991} - c:\windows\system32\jeruvote.dll
BHO-{aecd346c-de2e-4de6-8ac3-03cc96ab4e24} - (no file)
BHO-{C921C80C-BE8F-4CE2-9FB8-E62B2A518583} - (no file)
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&cli ... bd=4070816
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: *.internet
Trusted Zone: *.line6.net
Trusted Zone: *.mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

c:\windows\Downloaded Program Files\Relay.dll - c:\windows\Downloaded Program Files\RelayP.ocx
O16 -: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409}
hxxps://216.230.101.210/+CSCOL+/relayp.cab
c:\windows\Downloaded Program Files\RelayP.inf
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\uvi9mwf1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?inv ... ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?inv ... sab&query=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 19:11:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCQCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlcqcoms.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-06 19:15:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 00:15:03

Pre-Run: 274,985,951,232 bytes free
Post-Run: 275,635,937,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

348 --- E O F --- 2008-12-18 03:13:31



HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:57 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=4070816
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKLM\..\Run: [DLCQCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://216.230.101.210/+CSCOL+/relayp.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.14/ttinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13923 bytes
jdd18vm
Active Member
 
Posts: 5
Joined: January 1st, 2009, 4:59 pm

Re: Pop Ups and Redirects

Unread postby Bob4 » January 6th, 2009, 9:34 pm

Hya John,

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Frostwire
Limewire


We have noticed that most people seeking help from us are coming with infections contracted from the use of P2P programmes.

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).



____________________________________
While your in add/remove programs you may want to uninstall Ask Bar.
AskSBar (ASKSBAR.DLL, Ask Jeeves Toolbar) is a program that most likely was installed by you at some point since this would not have arrived preinstalled on your computer.
Be sure to verify the exact hard drive location shown below. For more information, please read Ask Jeeves Toolbar.
This ASKSBAR.DLL file will run as a BHO in your browser every time you browse the internet. This is also found with one or more other Askbar files on your computer, if you did not install this intentionally on
your computer, I recommend removing this as soon as possible or disabling your browser BHOs. This has been reported as spyware or adware by many. This goes by the name "Ask Bar" or search
assistant, and may lead to advertisements or popups. If you wish to remove them, you can do so using Add or Remove Programs in Control Panel.
To uninstall the AskSBar (ASKSBAR.DLL, Ask Jeeves Toolbar) folder.
  1. Click Start > Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight AskSBar (ASKSBAR.DLL, Ask Jeeves Toolbar)[/b], click Remove.
  4. Close the Add or Remove Programs and the Control Panel windows.
  5. Using Windows Explorer (Windows key+e), search for the AskSBar (ASKSBAR.DLL, Ask Jeeves Toolbar) folder. If the program folder is still there, select/highlight the AskSBar Toolbar (ASKSBAR.DLL, Ask Jeeves Toolbar) folder[/b]. DELETE it. (File > Delete.) If Windows is not installed on the C drive, replace C:\ with the appropriate drive letter.
  6. Close Windows Explorer.
There is a Video showing how to uninstall a program (Grinler) detailing how to add or remove program in Windows for those who find a visual aid appealing.
It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis :


R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll





________________________________________
Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
 
File:: 
c:\windows\system32\miwajiho.dll
c:\windows\system32\pasaruwe.dll
c:\windows\Tasks\qdbrzwfk.job



NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:ComboFix.txt which I will need in your next reply.










_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste this filepath in there.
If theres is more than one file to scan, insert them 1 at a time.


c:\windows\system32\msvcbf24.rra


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

You may recieve a message stating "
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

Just let me know if that is what you saw.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html










___________________________________________
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the contents of that log.

    If you accidently close it you may find it here.
    Start -> All Programs -> Malwarebytes' Anti-Malware -> Logs






_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Combofix
  • The report from Jottis / Virus total
  • The report from Malwarebytes anti malware
  • How are things running now ?
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Pop Ups and Redirects

Unread postby jdd18vm » January 7th, 2009, 12:43 am

The pop ups and problems seemed to improve just by the first running of combo fix. But seems things are still here per MB Scan, see below.

Uninstalled Frostwire, didnt see Limewire in A/R Programs list?

Uninstalled Ask so only R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL was left and "fixed"

Thought Jotti would generate log? But here is the Copy/Paste. All Found Nothing (no error messages)

File: msvcbf24.rra
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 86f1895ae8c5e8b17d99ece768a70732
Packers detected:
-
Scanner results
Scan taken on 07 Jan 2009 02:28:36 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


New Combo Fix Log

ComboFix 09-01-05.05 - Me 2009-01-06 21:22:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1519 [GMT -5:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Me\Desktop\CFScript.lnk
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-05 15:30 . 2009-01-05 15:30 <DIR> d--hs---- c:\documents and settings\Amanda\PrivacIE
2009-01-04 19:31 . 2008-04-13 19:11 81,920 --a------ c:\windows\system32\ieencode.dll
2009-01-04 19:31 . 2007-08-13 18:45 78,336 --a------ c:\windows\system32\dllcache\ieencode.dll
2009-01-04 13:31 . 2009-01-04 13:31 <DIR> d-------- C:\VundoFix Backups
2009-01-04 09:57 . 2009-01-04 09:57 <DIR> d-------- c:\documents and settings\Me\Application Data\McAfee
2009-01-01 14:22 . 2009-01-01 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-01-01 14:21 . 2009-01-01 14:21 <DIR> d-------- c:\program files\Common Files\iS3
2009-01-01 14:21 . 2009-01-01 16:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-01-01 14:02 . 2009-01-01 14:02 <DIR> d-------- c:\program files\Trend Micro
2008-12-29 11:11 . 2008-12-29 11:11 736 --a------ c:\windows\SamsungMaster.INI
2008-12-29 11:03 . 2006-11-01 15:52 765,952 --a------ c:\windows\system32\xvidcore.dll
2008-12-29 11:03 . 2003-02-21 15:42 348,160 --a------ c:\windows\system32\msvcbf24.rra
2008-12-29 11:03 . 2006-11-01 15:54 180,224 --a------ c:\windows\system32\xvidvfw.dll
2008-12-29 11:03 . 2006-11-01 16:26 77,824 --a------ c:\windows\system32\xvid.ax
2008-12-29 11:03 . 2004-03-09 11:39 8,704 --a------ c:\windows\system32\vidccleaner.exe
2008-12-26 12:40 . 2008-12-26 12:40 <DIR> d-------- c:\program files\Free Audio Pack
2008-12-26 11:29 . 2005-01-13 16:28 6,832 --a------ c:\windows\system32\PulseSoundTouchForVB.tlb
2008-12-25 09:51 . 2008-12-25 09:51 <DIR> d-------- c:\program files\Line6
2008-12-25 09:51 . 2008-12-25 10:14 <DIR> d-------- c:\documents and settings\Me\Application Data\Line 6
2008-12-25 09:51 . 2008-12-25 11:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Line 6
2008-12-24 09:56 . 2009-01-04 13:31 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-24 09:56 . 2009-01-04 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-24 00:09 . 2008-12-24 00:08 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-24 00:08 . 2009-01-04 13:44 <DIR> d-------- c:\documents and settings\Me\.housecall6.6
2008-12-11 18:33 . 2008-12-11 18:33 827,392 --a------ c:\windows\system32\L6DriverControlPanel.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 00:46 --------- d-----w c:\program files\dl_cats
2009-01-06 23:09 --------- d-----w c:\program files\McAfee
2009-01-06 22:45 --------- d-----w c:\documents and settings\Amanda\Application Data\FrostWire
2009-01-06 01:31 168 ----a-w c:\documents and settings\Me\Application Data\wklnhst.dat
2009-01-05 19:43 98,981 --sha-w c:\windows\system32\gumizoju.dll
2009-01-05 19:43 86,212 --sha-w c:\windows\system32\yazeriza.dll
2009-01-04 20:26 97,396 --sha-w c:\windows\system32\yonugese.dll
2009-01-04 20:26 83,566 --sha-w c:\windows\system32\remowoka.dll
2009-01-04 17:24 83,721 --sha-w c:\windows\system32\vekopefu.dll
2009-01-04 17:24 101,182 --sha-w c:\windows\system32\kivizazu.dll
2009-01-04 14:57 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-04 05:42 83,618 --sha-w c:\windows\system32\kotogodi.dll
2009-01-04 04:34 83,672 ------w c:\windows\system32\gefuvihu.dll
2009-01-04 04:12 97,452 --sha-w c:\windows\system32\luwakefi.dll
2009-01-04 04:12 86,219 ------w c:\windows\system32\jodiwona.dll
2009-01-04 03:49 86,218 ------w c:\windows\system32\doyodina.dll
2009-01-03 15:30 96,954 --sha-w c:\windows\system32\rafaweti.dll
2009-01-03 15:30 86,185 ------w c:\windows\system32\bupuyafo.dll
2009-01-03 05:15 97,477 --sha-w c:\windows\system32\vitirunu.dll
2009-01-03 05:15 86,240 --sha-w c:\windows\system32\zipetepi.dll
2009-01-02 05:10 86,253 --sha-w c:\windows\system32\pojahali.dll
2009-01-02 04:48 100,618 --sha-w c:\windows\system32\nonegetu.dll
2009-01-02 04:25 83,605 ------w c:\windows\system32\modigege.dll
2009-01-02 04:03 83,530 ------w c:\windows\system32\mezipawe.dll
2009-01-02 03:40 86,269 ------w c:\windows\system32\papukavo.dll
2009-01-02 03:40 100,590 --sha-w c:\windows\system32\fezahoyu.dll
2009-01-02 03:18 97,370 --sha-w c:\windows\system32\sugazeri.dll
2009-01-02 03:18 86,170 ------w c:\windows\system32\nisinupo.dll
2009-01-01 15:08 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-01-01 14:57 97,375 --sha-w c:\windows\system32\sazukojo.dll
2009-01-01 14:57 83,540 --sha-w c:\windows\system32\liyobinu.dll
2008-12-30 18:41 --------- d-----w c:\documents and settings\Amanda\Application Data\LimeWire
2008-12-30 18:38 --------- d-----w c:\program files\LimeWire
2008-12-29 16:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 20:51 --------- d-----w c:\program files\AskSBar
2008-12-13 03:31 --------- d-----w c:\documents and settings\Me\Application Data\Skype
2008-12-13 03:18 --------- d-----w c:\program files\Java
2008-12-11 23:33 530,560 ----a-w c:\windows\system32\drivers\GPWADrv.sys
2008-12-11 23:33 29,312 ----a-w c:\windows\system32\drivers\l6dp.sys
2008-12-11 23:33 167,936 ----a-w c:\windows\system32\L6GPAsio.dll
2008-12-07 19:33 --------- d-----w c:\program files\Norton Security Scan
2008-12-06 15:43 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-28 23:01 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-25 04:13 --------- d-----w c:\documents and settings\Amanda\Application Data\U3
2008-11-18 02:45 --------- d-----w c:\program files\PokerStars.NET
2008-11-16 15:34 --------- d-----w c:\program files\AIM6
2008-11-16 15:34 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 15:34 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-16 15:33 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-13 00:00 --------- d-----w c:\program files\MSXML 4.0
2008-11-10 10:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2007-08-23 22:45 60,968 ----a-w c:\documents and settings\Me\GoToAssistDownloadHelper.exe
2006-06-16 00:33 233,472 ----a-w c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 22:43 204,895 ----a-w c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 18:41 77,824 ----a-w c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 17:10 426,081 ----a-w c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 16:19 458,752 ----a-w c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 22:35 139,264 ----a-w c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 15:10 204,800 ----a-w c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 15:42 106,496 ----a-w c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 15:22 212,992 ----a-w c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 15:21 167,936 ----a-w c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2007-08-26 23:27 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-05-29 20:36 75 --sh--r c:\windows\CT4CET.bin
1601-01-01 00:12 6,144 --sha-w c:\windows\system32\miwajiho.dll
2008-09-28 18:06 81,920 --sha-w c:\windows\system32\pasaruwe.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-06_19.14.25.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-07 00:45:53 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_104.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-26 1838592]
"dlcqmon.exe"="c:\program files\Dell Photo AIO Printer 966\dlcqmon.exe" [2007-01-12 292336]
"DLCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-10-16 106496]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-08-25 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-08-16 24576]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-06-03 66864]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dlcqcoms.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Roxio\\Drag-to-Disc\\DrgToDsc.exe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LQCVFX\\COCIManager.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\IAANTmon.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LVMVFM\\LVPrcSrv.exe"=
"c:\\Program Files\\Common Files\\Roxio Shared\\9.0\\SharedCOM\\RoxWatch9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2006-09-29 530560]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2006-09-29 29312]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2008-05-29 31616]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-06 206096]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-08 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9b7fb2e-804d-11dd-ab50-0019d19100d9}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2007-08-16 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-04 c:\windows\Tasks\Norton Security Scan for Amanda.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]

2009-01-07 c:\windows\Tasks\qdbrzwfk.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&cli ... bd=4070816
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: *.internet
Trusted Zone: *.line6.net
Trusted Zone: *.mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

c:\windows\Downloaded Program Files\Relay.dll - c:\windows\Downloaded Program Files\RelayP.ocx
O16 -: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409}
hxxps://216.230.101.210/+CSCOL+/relayp.cab
c:\windows\Downloaded Program Files\RelayP.inf
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\uvi9mwf1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?inv ... ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?inv ... sab&query=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 21:23:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCQCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-06 21:24:50
ComboFix-quarantined-files.txt 2009-01-07 02:24:37
ComboFix2.txt 2009-01-07 00:15:08

Pre-Run: 275,855,036,416 bytes free
Post-Run: 275,848,298,496 bytes free

297 --- E O F --- 2008-12-18 03:13:31


New HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:44 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=4070816
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKLM\..\Run: [DLCQCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://216.230.101.210/+CSCOL+/relayp.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.14/ttinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12844 bytes


Malwarebytes Log

Malwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 3

1/6/2009 11:38:47 PM
mbam-log-2009-01-06 (23-38-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 153971
Time elapsed: 1 hour(s), 12 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\hulenoli.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tumalewu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP511\A0058598.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP512\A0058686.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP512\A0058688.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP512\A0058690.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP512\A0058693.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP519\A0059539.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP522\A0059858.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP535\A0062778.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP535\A0062793.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP535\A0062815.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pasaruwe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yonugese.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\miwajiho.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\remowoka.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nisinupo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gumizoju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
jdd18vm
Active Member
 
Posts: 5
Joined: January 1st, 2009, 4:59 pm

Re: Pop Ups and Redirects

Unread postby Bob4 » January 7th, 2009, 8:53 am

Malwaerbytes did a good job. Alot of what it found was in ComboFix tool and old restore points which we will take care of in a minute.





click Start, >> All Programs, >> Accessories,>> System Tools, >>Scheduled Tasks.
right-click qdbrzwfk.job and then click Delete.


______________________________
RUN HJT

HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked


O4 - Global Startup: Digital Line Detect.lnk = ?



No reason to have these in rusted sites. They will work just fine without being there.
O15 - Trusted Zone: *.line6.net
O15 - Trusted Zone: http://*.mcafee.com



If you no longer play online Poker have HJT fix this line.
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe

Close that.



_____________________________________

If your using the Adobe reader free version you need to update it.

Please go here to download Adobe Acrobat Reader 9...

When you have finished installing the Acrobat Reader, please go to Add/Remove Programs and verify that there are no versions listed other than Acrobat Reader 8. If you find older versions, remove them.

When finished, reboot your computer.


_______________________________________


Great news ! Image

Your log now appears to be clean.

Lets do a few things to tidy up.
Please do these in the order I suggest!




Open Malwarebytes >>select the Quarintine tab>>delete all



___________________________________
The following will implement some cleanup procedures for the tool we used as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



_______________________________________
A few things to help with possible threats

These are optional . But will help protect you further.
and
Some of these you may already have.





________________________________________
Windows Updates
Be certain automatic updates is turned on for XP. - For Vista Or if you like to do it manually be sure to visit http://update.microsoft.com/ regularly. This requires internet explorer to do so.

This will ensure your computer has always the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
___________________________________

SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Browser settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.


______________________________
SiteHound

http://www.firetrust.com/firetrustsitehound.html

This tool bar will help protect you from.

Over 4,000 fake bank and credit sites.
Tens of thousands of pornographic
and adult sites.
The never ending fake phishing sites.
Malicious sites, which can infect you
with spyware and adware if you visit
them.
Sites to download software which
may infect your computer with
spyware, a virus or adware





___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here :
This website also contains useful tips, and links to other resources and utilities.





___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.



_______________________________________
So many people are point and click crazy either because there naive or their in a rush.

Always watch closely to any software your installing.
If they want to install something more than their program stop right there and investigate what it is they want to place on your computer.
If they give you the option not to install it choose that until you investigate it completely.
The more you install that you don't want or need the more you'll wish you didn't.





Here's a site with great advise on how to AVOID malware. Much easier to do than removing it.


___________________________________
If your anything like me you should be mad these people have done this to you.
Please take the time to tell us what you would like to be done to these idiots!
We can only get something done about this if the people that we help, like you, are prepared to complain.
We have a dedicated forum for collecting these complaints Malware Complaints, you do not have to be registered to post.. just find your country room and register your complaint.

The infections you had was Vundo


Safe and Happy Surfing. :)
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Pop Ups and Redirects

Unread postby jdd18vm » January 7th, 2009, 9:50 pm

First and foremost Bob thank you very much for your assistance and thoroughness. I can't get back the time wasted trying to investigate it myself but cant imagine the time and frustration you've saved me. I am grateful to you and this board and will be more than happy to make a contribution.

I hope I am not out of line or breaking any forum rules by asking why did Housecall online scan, my own McAfee, not find; and Vundofix and/or Spybot S&D (which found Vundo many times) not work? Perhaps not a simple answer but I thought I'd ask.

I am obviously a fan of MB, would you suggest upgrading? Ditto Spyblaster?

Best Regards

John
jdd18vm
Active Member
 
Posts: 5
Joined: January 1st, 2009, 4:59 pm

Re: Pop Ups and Redirects

Unread postby Bob4 » January 7th, 2009, 10:23 pm

Hi John,

I hope I am not out of line or breaking any forum rules by asking why did Housecall online scan, my own McAfee, not find; and Vundofix and/or Spybot S&D (which found Vundo many times) not work?


Your not out of line for asking.
Vundo is forever changing it's bad habits. If you don't get it all it will rear it's ugly head again. It takes serious dedication to keep up with it. So it's pretty hard for all programs to keep up with all of it and remove everything that has to be removed. The time required to keep up with it would take away from other things needed to say keep an anti virus up to date .
Luckily there are a few people who make programs fairly dedicated to removing this beast. A vicious circle realy. When they find a way to fix it the writers find another way to change it so said fix won't work.
I am obviously a fan of MB, would you suggest upgrading? Ditto Spyblaster?


Yes use spywareblaster.

Malwarebytes Anti Malware
Yes.But remember that Malwarebytes anti-malware is NOT and anti virus program. It is made to run alongside your anti virus program.
Unfortunately the free version only works if you run it.
The upgraded version adds a real time active monitor, scheduled scans and auto updates not to mention wonderful tech support. Also, you may never have to deal with me again. What a plus !! Image
NO, I do not get anything at all from promoting this product. I just like it.

To find out more
http://www.malwarebytes.org/mbam.php
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Pop Ups and Redirects

Unread postby NonSuch » January 9th, 2009, 7:27 pm

As this issue is resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 27 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware