Google & Yahoo searches are re-directed


Post by kmatt » March 4th, 2009, 1:45 pm

When using Yahoo or Google my computer starts redirecting the search to random sites. I've run virus scans, Spybot, Malwarebytes & Lavasoft. Spybot found 48 "Host" entries and 1 program but I can't delete them.

Your help will be greatly appreciated.

I've included the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:06 PM, on 3/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\DOCSTAR\dsclsv.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {24C9A604-1A15-C515-7522-614E4B23DFED} - C:\WINNT\Cywquyfx.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: (no name) - {FF238A60-4F1C-4C4B-BD6E-C64A2A892767} - C:\WINNT\System32\ibalmcoin_v3619.dll (file missing)
O3 - Toolbar: (no name) - {9D8D4D69-49A5-4456-96B1-5AD7F12AD4A6} - (no file)
O3 - Toolbar: (no name) - {A9DCFD6B-E825-467A-8C35-90DD23D32B44} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll (file missing)
O3 - Toolbar: Search - {DB5A0FC6-BB86-1A93-33B9-C2A588D2A8D0} - C:\WINNT\Cywquyfx.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [CANON DR2580C SVC] rundll32.exe DR25SVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINNT\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Shortcut to docstar.lnk = C:\docstar.bat
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/prof ... itStop.CAB
O16 - DPF: {2D76EB71-F632-75E3-529A-0836E1BCB4D8} (DownloadUL Class) - http://public.searchbarcash.com/cab/352/qpmytsxh.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/client/iftwclix.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {52DCAD2D-D5DD-8EA5-315A-B4FE032A28F9} (DownloadUL Class) - http://public.searchbarcash.com/cab/350/anmqsrho.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0380840171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9376711190
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/seri ... /gwCID.CAB
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Dwf Viewer Control) - http://www.autodesk.com/global/dwfviewe ... rSetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://reports.reged.com/viewer/active ... viewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emoneyadvisor.webex.com/client/ ... eatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DocSTAR Client Service (DSClSvc) - DocSTAR - C:\DOCSTAR\dsclsv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - http://www.raft.org/pics/amigos/misc/MONKEYS.JPG

--
End of file - 11122 bytes
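A triage helper for the HijackThis log format posted above, added here as an editor's example and not a tool from MalwareRemoval.com or Trend Micro. It flags the entry types that commonly accompany a search-redirect hijack: O2/O3 entries whose DLL no longer exists, O18 lines HijackThis itself labels "Protocol hijack", and O16 ActiveX (DPF) downloads from hosts outside an assumed allow-list. The allow-list and the severity scale are assumptions; the sample lines are copied from the log in this post.

```python
"""Triage helper for HijackThis (HJT) v2 log lines.

Editor's example, not MalwareRemoval.com or Trend Micro code. The
heuristics and the allow-list below are assumptions chosen for this
thread's log; the sample lines are copied from the posted HJT log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumed allow-list: hosts that O16 ActiveX controls are expected from on
# a stock Windows XP machine. Tune it per machine; a miss is "review", not
# a verdict.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "windowsupdate.com", "msn.com")

HJT_LINE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
URL_IN_LINE = re.compile(r"(?:https?|hcp)://\S+")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "review"
    kind: str       # HJT section code, e.g. "O2"
    reason: str
    line: str


def _trusted(host: str) -> bool:
    """Exact or subdomain match against the allow-list (no suffix tricks)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def _dpf_host(body: str) -> str:
    m = URL_IN_LINE.search(body)
    if not m:
        return ""
    url = m.group(0)
    if url.startswith("hcp://"):
        return "hcp"   # local Help and Support Center controls, not downloads
    return (urlparse(url).hostname or "").lower()


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    missing = "(file missing)" in body or "(no file)" in body
    unnamed = "(no name)" in body

    if kind in ("O2", "O3") and missing:
        # A registered BHO/toolbar whose DLL is gone is either leftover from a
        # partial cleanup or a random-named file an AV already removed; with
        # no display name either, it deserves the most attention.
        what = "BHO" if kind == "O2" else "toolbar"
        return Finding("high" if unnamed else "medium", kind,
                       f"{what} registered but DLL missing", line)

    if kind == "O18" and "Protocol hijack" in body:
        # HJT compares the handler CLSID with the stock one; a mismatch means
        # another component now answers for that URL scheme.
        return Finding("high", kind, "protocol handler replaced", line)

    if kind == "O16":
        host = _dpf_host(body)
        if host and host != "hcp" and not _trusted(host):
            return Finding("review", kind, f"ActiveX download from {host}", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Triage every line of an HJT log, highest severity first."""
    order = {"high": 0, "medium": 1, "review": 2}
    found = [f for f in (triage_line(l) for l in text.splitlines()) if f]
    return sorted(found, key=lambda f: order[f.severity])


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {24C9A604-1A15-C515-7522-614E4B23DFED} - C:\WINNT\Cywquyfx.dll (file missing)",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O3 - Toolbar: (no name) - {9D8D4D69-49A5-4456-96B1-5AD7F12AD4A6} - (no file)",
    r"O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll (file missing)",
    r"O16 - DPF: {2D76EB71-F632-75E3-529A-0836E1BCB4D8} (DownloadUL Class) - http://public.searchbarcash.com/cab/352/qpmytsxh.cab",
    r"O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe",
    r"O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB",
    r"O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}",
    r"O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll",
])

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.reason}\n    {f.line}")
```

Note that Spybot's own SDHelper.dll also shows as "(no name)" but is not flagged, because its file exists; the missing-file test is what separates leftovers from legitimate unnamed entries.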

Re: Google & Yahoo searches are re-directed

Post by Carolyn » March 12th, 2009, 4:16 pm

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.



Step 1

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Step 2

Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.

Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

If you receive no notice, click on the Scan button.

  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.

In your next reply, please post:

  1. DDS.txt
  2. Attach.txt
  3. Gmer.txt

Re: Google & Yahoo searches are re-directed

Post by kmatt » March 17th, 2009, 11:30 am

Attached please find 2 of the requested files.

I tried to attach the GMER file but got a message that the "extension log" was not allowed.

thanks.

Kmatt

Re: Google & Yahoo searches are re-directed

Post by Carolyn » March 18th, 2009, 7:37 am

Hi,

Please post the contents of the GMER log... I prefer that over attachments anyway. ;)

Re: Google & Yahoo searches are re-directed

Post by kmatt » March 18th, 2009, 8:04 am

here you go -

Thanks



GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-17 06:24:30
Windows 5.1.2600 Service Pack 2


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00947D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1684] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [00947CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1948] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{702B63A9-DFCB-3E43-C2B76BFD1C9BA57E}\{DAB6776A-2CC2-16F5-322B07855BE30B9F}\{5F22963C-84D9-05FE-828BE8E6312814FD}
Reg HKLM\SOFTWARE\Classes\CLSID\{702B63A9-DFCB-3E43-C2B76BFD1C9BA57E}\{DAB6776A-2CC2-16F5-322B07855BE30B9F}\{5F22963C-84D9-05FE-828BE8E6312814FD}@MPWYEY1F4ENX6WLDW6UD6LBX5E1 0x01 0x00 0x01 0x00 ...

---- EOF - GMER 1.0.15 ----

Re: Google & Yahoo searches are re-directed

Post by Carolyn » March 18th, 2009, 8:28 pm

Hello kmatt,

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Please post the ComboFix log and a fresh HijackThis log.

Re: Google & Yahoo searches are re-directed

Post by kmatt » March 19th, 2009, 1:07 pm

requested logs:

ComboFix 09-03-18.01 - Owner 2009-03-19 12:40:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.996 [GMT -4:00]
Running from: \\D6jn7yf1\downloads\ComboFix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated)
FW: Windows Live OneCare Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\Downloaded Program Files\Temp
c:\winnt\system32\_006315_.tmp.dll
c:\winnt\system32\_006316_.tmp.dll
c:\winnt\system32\_006317_.tmp.dll
c:\winnt\system32\_006318_.tmp.dll
c:\winnt\system32\_006325_.tmp.dll
c:\winnt\system32\_006326_.tmp.dll
c:\winnt\system32\_006327_.tmp.dll
c:\winnt\system32\_006328_.tmp.dll
c:\winnt\system32\_006330_.tmp.dll
c:\winnt\system32\_006331_.tmp.dll
c:\winnt\system32\_006334_.tmp.dll
c:\winnt\system32\_006335_.tmp.dll
c:\winnt\system32\_006338_.tmp.dll
c:\winnt\system32\_006339_.tmp.dll
c:\winnt\system32\_006341_.tmp.dll
c:\winnt\system32\_006344_.tmp.dll
c:\winnt\system32\_006345_.tmp.dll
c:\winnt\system32\_006350_.tmp.dll
c:\winnt\system32\_006352_.tmp.dll
c:\winnt\system32\_006355_.tmp.dll
c:\winnt\system32\_006357_.tmp.dll
c:\winnt\system32\_006358_.tmp.dll
c:\winnt\system32\_006359_.tmp.dll
c:\winnt\system32\_006360_.tmp.dll
c:\winnt\system32\_006361_.tmp.dll
c:\winnt\system32\_006364_.tmp.dll
c:\winnt\system32\_006365_.tmp.dll
c:\winnt\system32\_006366_.tmp.dll
c:\winnt\system32\_006367_.tmp.dll
c:\winnt\system32\_006368_.tmp.dll
c:\winnt\system32\_006373_.tmp.dll
c:\winnt\system32\_006375_.tmp.dll
c:\winnt\system32\Config.ini
c:\winnt\system32\Memman.vxd
c:\winnt\system32\skinboxer43.dll
c:\winnt\system32\w020t32w.dll
c:\winnt\system32\w021t32w.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.

2009-03-18 16:03 . 2009-03-18 16:03 4,140 --a------ c:\winnt\system32\OEMINFO.PNF
2009-03-18 09:33 . 2007-11-27 22:56 116,416 --a------ c:\winnt\system32\drivers\msfwhlpr.sys
2009-03-18 09:33 . 2007-11-27 22:56 91,328 --a------ c:\winnt\system32\drivers\msfwdrv.sys
2009-03-18 09:32 . 2008-05-15 16:15 53,168 --a------ c:\winnt\system32\drivers\MpFilter.sys
2009-03-18 09:31 . 2007-03-29 08:56 7,168 --------- c:\winnt\system32\dllcache\bitsprx4.dll
2009-03-18 09:31 . 2007-03-29 08:56 7,168 --------- c:\winnt\system32\bitsprx4.dll
2009-03-18 09:22 . 2009-03-18 19:09 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2009-03-11 09:35 . 2009-03-11 09:35 <DIR> d-------- c:\program files\Windows Defender
2009-03-04 12:55 . 2009-03-04 12:55 <DIR> d-------- c:\program files\Trend Micro
2009-03-04 10:47 . 2004-08-04 08:00 28,288 --a------ c:\winnt\system32\dllcache\xjis.nls
2009-03-04 10:40 . 2004-08-04 08:00 83,748 --a------ c:\winnt\system32\dllcache\prcp.nls
2009-03-04 10:40 . 2004-08-04 08:00 83,748 --a------ c:\winnt\system32\dllcache\prc.nls
2009-03-04 10:40 . 2004-08-04 08:00 68,608 --a------ c:\winnt\system32\dllcache\plugin.ocx
2009-03-04 10:37 . 2004-08-04 08:00 47,066 --a------ c:\winnt\system32\dllcache\ksc.nls
2009-03-04 10:31 . 2004-08-04 08:00 82,172 --a------ c:\winnt\system32\dllcache\bopomofo.nls
2009-03-04 10:31 . 2004-08-04 08:00 66,728 --a------ c:\winnt\system32\dllcache\big5.nls
2009-03-04 09:08 . 2009-03-04 09:08 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-03 23:42 . 2009-03-03 23:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 23:42 . 2009-03-03 23:42 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-03 23:42 . 2009-03-03 23:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 23:42 . 2009-02-11 11:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-03-03 23:42 . 2009-02-11 11:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-03-03 23:32 . 2009-03-03 23:32 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb
2009-03-03 21:27 . 2004-08-04 04:56 116,224 --a------ c:\winnt\system32\dllcache\xrxwiadr.dll
2009-03-03 21:26 . 2004-08-04 02:29 33,599 --a------ c:\winnt\system32\dllcache\watv04nt.sys
2009-03-03 21:26 . 2004-08-04 03:08 31,744 --a------ c:\winnt\system32\dllcache\wceusbsh.sys
2009-03-03 21:26 . 2004-08-04 02:29 23,615 --a------ c:\winnt\system32\dllcache\wch7xxnt.sys
2009-03-03 21:26 . 2004-08-04 02:29 19,551 --a------ c:\winnt\system32\dllcache\watv02nt.sys
2009-03-03 21:26 . 2004-08-04 02:29 19,455 --a------ c:\winnt\system32\dllcache\wvchntxx.sys
2009-03-03 21:26 . 2004-08-04 02:29 12,063 --a------ c:\winnt\system32\dllcache\wsiintxx.sys
2009-03-03 21:26 . 2004-08-04 03:07 8,832 --a------ c:\winnt\system32\dllcache\wmiacpi.sys
2009-03-03 21:26 . 2004-08-04 04:56 8,192 --a------ c:\winnt\system32\dllcache\wshirda.dll
2009-03-03 21:25 . 2004-08-04 04:56 53,760 --a------ c:\winnt\system32\dllcache\vfwwdm32.dll
2009-03-03 21:25 . 2004-08-04 02:29 29,311 --a------ c:\winnt\system32\dllcache\watv01nt.sys
2009-03-03 21:25 . 2004-08-04 03:08 25,600 --a------ c:\winnt\system32\dllcache\usbser.sys
2009-03-03 21:25 . 2004-08-04 03:08 17,024 --a------ c:\winnt\system32\dllcache\usbohci.sys
2009-03-03 21:25 . 2004-08-04 02:29 12,415 --a------ c:\winnt\system32\dllcache\wadv01nt.sys
2009-03-03 21:25 . 2004-08-04 02:29 12,127 --a------ c:\winnt\system32\dllcache\wadv02nt.sys
2009-03-03 21:25 . 2004-08-04 02:29 11,775 --a------ c:\winnt\system32\dllcache\wadv05nt.sys
2009-03-03 21:24 . 2004-08-04 03:00 149,376 --a------ c:\winnt\system32\dllcache\tffsport.sys
2009-03-03 21:24 . 2004-08-04 04:56 82,432 --a------ c:\winnt\system32\dllcache\tp4mon.exe
2009-03-03 21:23 . 2004-08-04 03:07 16,128 --a------ c:\winnt\system32\dllcache\smbbatt.sys
2009-03-03 21:23 . 2004-08-04 03:00 7,552 --a------ c:\winnt\system32\dllcache\sonyait.sys
2009-03-03 21:23 . 2004-08-04 03:07 6,912 --a------ c:\winnt\system32\dllcache\smbclass.sys
2009-03-03 21:22 . 2004-08-04 02:59 43,136 --a------ c:\winnt\system32\dllcache\sbp2port.sys
2009-03-03 21:22 . 2004-08-04 02:31 32,768 --a------ c:\winnt\system32\dllcache\sisnic.sys
2009-03-03 21:21 . 2004-08-04 04:56 159,232 --a------ c:\winnt\system32\dllcache\ptpusd.dll
2009-03-03 21:21 . 2004-08-04 02:59 79,104 --a------ c:\winnt\system32\dllcache\rocket.sys
2009-03-03 21:21 . 2004-08-04 02:31 20,992 --a------ c:\winnt\system32\dllcache\rtl8139.sys
2009-03-03 21:21 . 2004-08-04 03:00 17,664 --a------ c:\winnt\system32\dllcache\ppa3.sys
2009-03-03 21:21 . 2004-08-04 03:00 6,016 --a------ c:\winnt\system32\dllcache\qic157.sys
2009-03-03 21:20 . 2004-08-04 04:56 259,328 --a------ c:\winnt\system32\dllcache\perm3dd.dll
2009-03-03 21:20 . 2004-08-04 04:56 211,712 --a------ c:\winnt\system32\dllcache\perm2dll.dll
2009-03-03 21:20 . 2004-08-04 03:10 61,056 --a------ c:\winnt\system32\dllcache\ohci1394.sys
2009-03-03 21:20 . 2004-08-04 02:31 29,502 --a------ c:\winnt\system32\dllcache\pca200e.sys
2009-03-03 21:20 . 2004-08-04 03:06 28,032 --a------ c:\winnt\system32\dllcache\perm3.sys
2009-03-03 21:20 . 2004-08-04 03:06 27,904 --a------ c:\winnt\system32\dllcache\perm2.sys
2009-03-03 21:19 . 2004-08-04 03:09 49,024 --a------ c:\winnt\system32\dllcache\mstape.sys
2009-03-03 21:19 . 2004-08-04 03:00 28,672 --a------ c:\winnt\system32\dllcache\nscirda.sys
2009-03-03 21:18 . 2004-08-04 03:00 26,112 --a------ c:\winnt\system32\dllcache\memstpci.sys
2009-03-03 21:18 . 2004-08-04 03:00 22,016 --a------ c:\winnt\system32\dllcache\msircomm.sys
2009-03-03 21:18 . 2004-08-04 03:00 7,040 --a------ c:\winnt\system32\dllcache\ltotape.sys
2009-03-03 21:17 . 2004-08-04 02:41 606,684 --a------ c:\winnt\system32\dllcache\ltmdmnt.sys
2009-03-03 21:17 . 2004-08-04 02:59 34,688 --a------ c:\winnt\system32\dllcache\lbrtfdc.sys
2009-03-03 21:15 . 2004-08-04 04:56 152,576 --a------ c:\winnt\system32\dllcache\irftp.exe
2009-03-03 21:15 . 2004-08-04 03:00 87,424 --a------ c:\winnt\system32\dllcache\irda.sys
2009-03-03 21:15 . 2004-08-04 04:56 27,136 --a------ c:\winnt\system32\dllcache\irmon.dll
2009-03-03 21:14 . 2004-08-04 04:56 702,845 --a------ c:\winnt\system32\dllcache\i81xdnt5.dll
2009-03-03 21:14 . 2004-08-04 02:29 161,020 --a------ c:\winnt\system32\dllcache\i81xnt5.sys
2009-03-03 21:14 . 2004-08-04 03:00 18,560 --a------ c:\winnt\system32\dllcache\i2omp.sys
2009-03-03 21:14 . 2004-08-04 03:00 8,192 --a------ c:\winnt\system32\dllcache\i2omgmt.sys
2009-03-03 21:13 . 2004-08-04 03:08 59,136 --a------ c:\winnt\system32\dllcache\gckernel.sys
2009-03-03 21:13 . 2004-08-04 02:59 28,288 --a------ c:\winnt\system32\dllcache\grserial.sys
2009-03-03 21:13 . 2004-08-04 03:08 10,624 --a------ c:\winnt\system32\dllcache\gameenum.sys
2009-03-03 21:12 . 2004-08-04 02:31 34,173 --a------ c:\winnt\system32\dllcache\forehe.sys
2009-03-03 21:11 . 2004-08-04 04:56 20,992 --a------ c:\winnt\system32\dllcache\dshowext.ax
2009-03-03 21:10 . 2004-08-04 04:56 249,856 --a------ c:\winnt\system32\dllcache\ctmasetp.dll
2009-03-03 21:10 . 2004-08-04 02:32 48,640 --a------ c:\winnt\system32\dllcache\cwrwdm.sys
2009-03-03 21:10 . 2004-08-04 03:00 8,320 --a------ c:\winnt\system32\dllcache\dlttape.sys
2009-03-03 21:09 . 2004-08-04 03:07 14,080 --a------ c:\winnt\system32\dllcache\cmbatt.sys
2009-03-03 21:09 . 2004-08-04 03:00 8,192 --a------ c:\winnt\system32\dllcache\changer.sys
2009-03-03 21:05 . 2004-08-04 03:10 38,912 --a------ c:\winnt\system32\dllcache\avc.sys
2009-03-03 21:05 . 2004-08-04 03:09 13,696 --a------ c:\winnt\system32\dllcache\avcstrm.sys
2009-03-03 21:03 . 2001-08-17 23:36 462,848 --a------ c:\winnt\system32\dllcache\a3dapi.dll
2009-03-03 21:03 . 2004-08-04 03:10 53,248 --a------ c:\winnt\system32\dllcache\1394bus.sys
2009-03-03 21:03 . 2004-08-04 03:10 48,128 --a------ c:\winnt\system32\dllcache\61883.sys
2009-03-03 21:03 . 2004-08-04 03:00 12,288 --a------ c:\winnt\system32\dllcache\4mmdat.sys
2009-03-02 20:21 . 2009-03-02 20:21 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\0392271

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-19 11:59 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-19 07:06 --------- d-----w c:\program files\LogMeIn
2009-03-18 13:15 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-18 13:04 --------- d-----w c:\program files\AOL Toolbar
2009-03-18 13:04 --------- d-----w c:\program files\AOL Deskbar
2009-03-18 06:01 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-13 20:00 --------- d-----w c:\program files\Common Files\Adobe
2009-03-11 13:35 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-03-04 20:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-04 01:30 --------- d-----w c:\program files\Lavasoft Ad-Aware
2009-02-09 10:19 1,846,272 ----a-w c:\winnt\system32\win32k.sys
2009-02-09 10:19 1,846,272 ----a-w c:\winnt\system32\dllcache\win32k.sys
2009-02-03 01:12 101,568 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2009-01-21 18:50 --------- d-----w c:\program files\Google
2009-01-17 02:35 3,594,752 ----a-w c:\winnt\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 ----a-w c:\winnt\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\winnt\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ----a-w c:\winnt\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\winnt\system32\dllcache\ieakui.dll
1998-04-27 04:00 570,128 ----a-w c:\program files\Common Files\DAO350.DLL
1991-12-09 18:40 352 ----a-w c:\documents and settings\Owner\SIMPSONS.BAT
1991-12-09 18:39 370 ----a-w c:\documents and settings\Owner\CONFIG.BAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-02-12 65240]
"CANON DR2580C SVC"="DR25SVC.dll" [2005-02-15 c:\winnt\system32\DR25SVC.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\winnt\system32\Adobe\Shockwave 11\nssstub.exe" [2009-02-17 181624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="c:\program files\Common Files\MySoftware\regdll.dll" [2004-06-18 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-03-28 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-03-28 784912]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2002-12-12 83360]
Shortcut to docstar.lnk - C:\docstar.bat [2006-10-23 54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 10:10 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\winnt\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"VIDC.I263"= i263_32.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\winnt\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\winnt\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\winnt\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Newsflash.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Newsflash.lnk
backup=c:\winnt\pss\Newsflash.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Principia Online Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Principia Online Update.lnk
backup=c:\winnt\pss\Principia Online Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Push Client.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Push Client.LNK
backup=c:\winnt\pss\Push Client.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\winnt\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker]
wjview [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFavorites]
c:\program files\winfavorites\WinFavorites.exe1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Accelerate]
--a------ 2003-01-30 15:40 2231296 c:\program files\Webroot\Accelerate\accelerate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-03 20:50 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ajyjewxo]
--a------ 2003-11-18 13:22 24576 c:\winnt\system32\ajyjewxo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2005-01-20 20:47 79448 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-10-20 10:40 34904 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 c:\winnt\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
--a------ 2002-08-06 17:24 53248 c:\winnt\GWMDMpi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2004-11-03 17:03 125528 c:\program files\Common Files\AOL\1111251263\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-11-18 01:11 118784 c:\winnt\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-11-18 01:24 155648 c:\winnt\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-13 15:19 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Virus Melt]
--a------ 2009-03-02 20:21 1907200 c:\documents and settings\All Users\Application Data\0392271\VMelt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 14:41 33792 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
--a------ 2002-08-06 17:24 90112 c:\winnt\GWMDMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hot Key Kbd 9910 Daemon]
--a------ 2001-01-03 16:50 66048 c:\winnt\system32\SK9910DM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-09-21 03:10 55824 c:\winnt\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=2 (0x2)
"Schedule"=2 (0x2)
"Messenger"=2 (0x2)
"WANMiniportService"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)
"wuauserv"=2 (0x2)
"WebClient"=2 (0x2)
"TrkWks"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"WinDefend"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AdsGone\\adsgone.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\1111251263\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINNT\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINNT\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\system32\\sessmgr.exe"=

R2 DSClSvc;DocSTAR Client Service;c:\docstar\dsclsv.exe [2006-10-23 102400]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-06-04 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\winnt\system32\drivers\LMIRfsDriver.sys [2007-06-04 47640]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-02-12 26104]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [2002-12-12 6736]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder

2008-10-29 c:\winnt\Tasks\$~$Sys0$.job
- c:\winnt\System32\SchedSvc.dll [2004-08-04 03:56]

2006-12-28 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]

2009-03-19 c:\winnt\Tasks\NSSstub.job
- c:\winnt\system32\Adobe\Shockwave 11\nssstub.exe [2009-02-17 17:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{24C9A604-1A15-C515-7522-614E4B23DFED} - c:\winnt\Cywquyfx.dll
BHO-{FF238A60-4F1C-4C4B-BD6E-C64A2A892767} - c:\winnt\System32\ibalmcoin_v3619.dll
Toolbar-{9D8D4D69-49A5-4456-96B1-5AD7F12AD4A6} - (no file)
Toolbar-{A9DCFD6B-E825-467A-8C35-90DD23D32B44} - (no file)
Toolbar-{DB5A0FC6-BB86-1A93-33B9-C2A588D2A8D0} - c:\winnt\Cywquyfx.dll
HKLM-Run-Keyboard Preload Check - c:\oemdrvrs\KEYB\Preload.exe
MSConfigStartUp-2SWZKN82R5K47C - c:\winnt\System32\Vurk.exe
MSConfigStartUp-bxxs5 - c:\winnt\bxxs5.dll
MSConfigStartUp-ClockSync - c:\program files\ClockSync\Sync.exe
MSConfigStartUp-DealHelperBrwsr - c:\winnt\dhbrwsr.exe
MSConfigStartUp-DealHelperUpdate - c:\winnt\DHUpdt.exe
MSConfigStartUp-DownloadWare - c:\program files\DownloadWare\dw.exe
MSConfigStartUp-Explkw - c:\winnt\System32\expup.exe
MSConfigStartUp-eZmmod - c:\progra~1\ezula\mmod.exe
MSConfigStartUp-gcasServ - c:\program files\Microsoft AntiSpyware\gcasServ.exe
MSConfigStartUp-IST Service - c:\program files\ISTsvc\istsvc.exe
MSConfigStartUp-KAZAA - c:\program files\Kazaa\Kazaa.exe
MSConfigStartUp-ldfyfyva - c:\winnt\gotaeolf.exe
MSConfigStartUp-MediaLoads Installer - c:\program files\DownloadWare\dw.exe
MSConfigStartUp-Microsoft Tray - c:\program files\Kazaa\My Shared Folder\1.exe
MSConfigStartUp-MyDailyHoroscope - c:\progra~1\MYDAIL~1\MYDAIL~1.EXE
MSConfigStartUp-PromulGate - c:\program files\DelFin\PromulGate\PgMonitr.exe
MSConfigStartUp-RunWindowsUpdate - c:\winnt\uptodate.exe
MSConfigStartUp-SBHC - c:\program files\SuperBar\sbhc.exe
MSConfigStartUp-SQConfigChecker - c:\program files\Sqwire\cc.exe
MSConfigStartUp-SQUpdatesChecker - c:\program files\Sqwire\uc.exe
MSConfigStartUp-TV Media - c:\program files\TV Media\Tvm.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-updater - c:\program files\Common files\updater\wupdater.exe
MSConfigStartUp-UpdateStats - c:\program files\Media\Media\UpdateStats.exe
MSConfigStartUp-WhenUSave - c:\program files\Save\Save.exe
MSConfigStartUp-ynqjktgz - c:\winnt\ynqjktgz.exe
MSConfigStartUp-{2CF0B992-5EEB-4143-99C0-5297EF71F444} - c:\winnt\System32\stlbdist.DLL


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://finance.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: fnbchestercounty.com\www
Trusted Zone: ingdirect.com\home
Trusted Zone: ml.com\www
Trusted Zone: prudential.com\www.annuities
Trusted Zone: v2020-sai.com\oneview
Trusted Zone: v2020-sai.com\www
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021} - c:\progra~1\NETEXC~1.0\FlowHook.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-19 12:45:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1329165125-1587905972-2466944439-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{702B63A9-DFCB-3E43-C2B76BFD1C9BA57E}\{DAB6776A-2CC2-16F5-322B07855BE30B9F}\{5F22963C-84D9-05FE-828BE8E6312814FD}*]
"MPWYEY1F4ENX6WLDW6UD6LBX5E1"=hex:01,00,01,00,00,00,00,00,6a,30,18,7a,bd,d6,c8,
7a,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\winnt\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\winnt\system32\LMIinit.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\winnt\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\ati2evxx.exe
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\winnt\system32\NMSSvc.Exe
c:\winnt\system32\ati2evxx.exe
c:\winnt\system32\HPZipm12.exe
c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\winnt\system32\wscntfy.exe
c:\winnt\system32\rundll32.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-03-19 12:54:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-19 16:54:55

Pre-Run: 42,481,762,304 bytes free
Post-Run: 43,393,867,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

444 --- E O F --- 2009-03-19 07:01:22


HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:42 PM, on 3/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\DOCSTAR\dsclsv.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [CANON DR2580C SVC] rundll32.exe DR25SVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINNT\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Shortcut to docstar.lnk = C:\docstar.bat
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fnbchestercounty.com
O15 - Trusted Zone: http://home.ingdirect.com
O15 - Trusted Zone: http://www.ml.com
O15 - Trusted Zone: http://www.annuities.prudential.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/prof ... itStop.CAB
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/client/iftwclix.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0380840171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9376711190
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/seri ... /gwCID.CAB
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Dwf Viewer Control) - http://www.autodesk.com/global/dwfviewe ... rSetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://reports.reged.com/viewer/active ... viewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emoneyadvisor.webex.com/client/ ... eatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DocSTAR Client Service (DSClSvc) - DocSTAR - C:\DOCSTAR\dsclsv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - http://www.raft.org/pics/amigos/misc/MONKEYS.JPG

--
End of file - 9691 bytes
kmatt
Active Member
 
Posts: 9
Joined: March 4th, 2009, 1:28 pm
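A first-pass triage script for HijackThis-format logs like the one posted above, added here as an example (it is not a MalwareRemoval.com or HijackThis tool). The sample lines are a constructed subset of the log in this post, and the list of "standard" binary roots is this example's own assumption.

```python
"""Triage helper for HijackThis v2-style logs (added example, not a forum tool).

It reads the "Oxx - ..." entries and flags the kinds of lines a helper looks at
first: sites in the IE Trusted Zone, protocol handler hijacks, services with no
owner or a missing file, Active Desktop components that load from a URL, and
binaries living outside the usual system roots. The checks and the root list
are this example's assumptions, not HijackThis behaviour.
"""
import re
from dataclasses import dataclass

# Constructed sample: HijackThis-format lines modelled on the log quoted above
# (a subset; a real log runs to a few hundred lines).
SAMPLE_LOG = r"""
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fnbchestercounty.com
O15 - Trusted Zone: http://home.ingdirect.com
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DocSTAR Client Service (DSClSvc) - DocSTAR - C:\DOCSTAR\dsclsv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O24 - Desktop Component 0: (no name) - http://www.raft.org/pics/amigos/misc/MONKEYS.JPG
"""

# "O18 - Protocol hijack: ..." -> code "O18", body "Protocol hijack: ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s*-\s*(?P<body>.+)$")
# First drive-letter path ending in a binary extension (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cab)\b", re.IGNORECASE)
# Assumed "normal" locations for service/handler binaries on this XP box.
STANDARD_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\winnt\\", "c:\\windows\\")


@dataclass(frozen=True)
class Finding:
    code: str       # HijackThis section, e.g. "O18"
    severity: str   # "high" or "review"
    reason: str
    line: str       # the raw log line the finding refers to


def parse_entries(log_text):
    """Yield (code, body, raw_line) for every 'Oxx - ...' line; other lines are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("code"), m.group("body"), raw


def triage(log_text):
    """Return the findings a reviewer would want to look at first, in log order."""
    findings = []
    for code, body, raw in parse_entries(log_text):
        def flag(severity, reason, code=code, raw=raw):
            findings.append(Finding(code, severity, reason, raw))

        if code == "O15":
            site = body.split(":", 1)[1].strip()
            flag("review", "site in IE Trusted Zone runs with relaxed security settings: " + site)
        elif code == "O18" and body.startswith("Protocol hijack:"):
            flag("high", "URL protocol handler replaced (HijackThis marks it as a hijack)")
        elif code == "O23":
            if "Unknown owner" in body:
                flag("review", "service binary carries no company name")
            if body.endswith("(file missing)"):
                flag("review", "service points at a file that no longer exists (stale entry or removed payload)")
        elif code == "O24":
            flag("review", "Active Desktop component loads content from a URL")

        # Independent of section: any binary outside the expected roots is worth a look.
        for path in PATH_RE.findall(raw):
            if not path.lower().startswith(STANDARD_ROOTS):
                flag("review", "binary outside the usual system roots: " + path)
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'high': 1, 'review': 7} for SAMPLE_LOG."""
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

Every "review" item still needs a human decision; the DocSTAR service and the ATI entry, for instance, are legitimate software that merely sits outside the assumed roots or lacks a vendor string.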

Re: Google & Yahoo searches are re-directed

Unread postby Carolyn » March 19th, 2009, 3:12 pm

Hi,

Run a custom CFScript

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
KILLALL::

File::
c:\winnt\system32\ajyjewxo.exe

Folder::
c:\program files\winfavorites
c:\documents and settings\All Users\Application Data\0392271

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFavorites]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ajyjewxo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Virus Melt]

RegNull::
[HKEY_USERS\S-1-5-21-1329165125-1587905972-2466944439-1003\Software\Microsoft\SystemCertificates\AddressBook*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{702B63A9-DFCB-3E43-C2B76BFD1C9BA57E}\{DAB6776A-2CC2-16F5-322B07855BE30B9F}\{5F22963C-84D9-05FE-828BE8E6312814FD}*]


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


==================================

Download CCleaner from here and save it to your desktop.

Run CCleaner
CCleaner will remove everything from the temp/temporary folders, but please note that it will not make backups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!

==================================

Install Java and Run a Kaspersky Online Scan

Please make sure that all programs are closed when installing Java.

  1. Click here to visit Java's website.
  2. Scroll down to Java Runtime Environment (JRE) 6 Update 12. Click on Download.
  3. Select Windows from the drop-down list for Platform.
  4. Select Multi-language from the drop-down list for Language.
  5. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  6. Click on jre-6u12-windows-i586-p.exe link to download it and save this to a convenient location.
  7. Double click on jre-6u12-windows-i586-p.exe to install Java.
  8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
  9. Read through the requirements and privacy statement and click on Accept button.
  10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  11. When the downloads have finished, click on Settings.
  12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  13. Click on My Computer under Scan.
  14. Once the scan is complete, it will display the results. Click on View Scan Report.
  15. You will see a list of infected items there. Click on Save Report As....
  16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  17. Please post this log in your next reply.

==================================

Please post the following in your next reply:
  • The ComboFix log
  • The Kaspersky log
  • A fresh HijackThis log
  • A description of how your computer is behaving
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Google & Yahoo searches are re-directed

Unread postby kmatt » March 20th, 2009, 10:34 am

Here are the logs - computer still acting the same - HijackThis had an error when it started - couldn't write to the "hosts" file

thanks



ComboFix 09-03-18.01 - Owner 2009-03-19 18:35:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.951 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning disabled* (Updated)
FW: Windows Live OneCare Firewall *enabled*
* Created a new restore point

FILE ::
c:\winnt\system32\ajyjewxo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\0392271
c:\documents and settings\All Users\Application Data\0392271\BackUp\Logitech Desktop Messenger.lnk
c:\documents and settings\All Users\Application Data\0392271\BackUp\Logitech SetPoint.lnk
c:\documents and settings\All Users\Application Data\0392271\BackUp\Shortcut to docstar.lnk
c:\documents and settings\All Users\Application Data\0392271\System Data\vd952342.bd
c:\documents and settings\All Users\Application Data\0392271\VMelt.exe
c:\winnt\system32\ajyjewxo.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.

2009-03-18 16:03 . 2009-03-18 16:03 4,140 --a------ c:\winnt\system32\OEMINFO.PNF
2009-03-18 09:33 . 2007-11-27 22:56 116,416 --a------ c:\winnt\system32\drivers\msfwhlpr.sys
2009-03-18 09:33 . 2007-11-27 22:56 91,328 --a------ c:\winnt\system32\drivers\msfwdrv.sys
2009-03-18 09:32 . 2008-05-15 16:15 53,168 --a------ c:\winnt\system32\drivers\MpFilter.sys
2009-03-18 09:31 . 2007-03-29 08:56 7,168 --------- c:\winnt\system32\dllcache\bitsprx4.dll
2009-03-18 09:31 . 2007-03-29 08:56 7,168 --------- c:\winnt\system32\bitsprx4.dll
2009-03-18 09:22 . 2009-03-18 19:09 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2009-03-11 09:35 . 2009-03-11 09:35 <DIR> d-------- c:\program files\Windows Defender
2009-03-04 12:55 . 2009-03-04 12:55 <DIR> d-------- c:\program files\Trend Micro
2009-03-04 10:47 . 2004-08-04 08:00 28,288 --a------ c:\winnt\system32\dllcache\xjis.nls
2009-03-04 10:40 . 2004-08-04 08:00 83,748 --a------ c:\winnt\system32\dllcache\prcp.nls
2009-03-04 10:40 . 2004-08-04 08:00 83,748 --a------ c:\winnt\system32\dllcache\prc.nls
2009-03-04 10:40 . 2004-08-04 08:00 68,608 --a------ c:\winnt\system32\dllcache\plugin.ocx
2009-03-04 10:37 . 2004-08-04 08:00 47,066 --a------ c:\winnt\system32\dllcache\ksc.nls
2009-03-04 10:31 . 2004-08-04 08:00 82,172 --a------ c:\winnt\system32\dllcache\bopomofo.nls
2009-03-04 10:31 . 2004-08-04 08:00 66,728 --a------ c:\winnt\system32\dllcache\big5.nls
2009-03-04 09:08 . 2009-03-04 09:08 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-03 23:42 . 2009-03-03 23:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 23:42 . 2009-03-03 23:42 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-03 23:42 . 2009-03-03 23:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 23:42 . 2009-02-11 11:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-03-03 23:42 . 2009-02-11 11:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-03-03 23:32 . 2009-03-03 23:32 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb
2009-03-03 21:27 . 2004-08-04 04:56 116,224 --a------ c:\winnt\system32\dllcache\xrxwiadr.dll
2009-03-03 21:26 . 2004-08-04 02:29 33,599 --a------ c:\winnt\system32\dllcache\watv04nt.sys
2009-03-03 21:26 . 2004-08-04 03:08 31,744 --a------ c:\winnt\system32\dllcache\wceusbsh.sys
2009-03-03 21:26 . 2004-08-04 02:29 23,615 --a------ c:\winnt\system32\dllcache\wch7xxnt.sys
2009-03-03 21:26 . 2004-08-04 02:29 19,551 --a------ c:\winnt\system32\dllcache\watv02nt.sys
2009-03-03 21:26 . 2004-08-04 02:29 19,455 --a------ c:\winnt\system32\dllcache\wvchntxx.sys
2009-03-03 21:26 . 2004-08-04 02:29 12,063 --a------ c:\winnt\system32\dllcache\wsiintxx.sys
2009-03-03 21:26 . 2004-08-04 03:07 8,832 --a------ c:\winnt\system32\dllcache\wmiacpi.sys
2009-03-03 21:26 . 2004-08-04 04:56 8,192 --a------ c:\winnt\system32\dllcache\wshirda.dll
2009-03-03 21:25 . 2004-08-04 04:56 53,760 --a------ c:\winnt\system32\dllcache\vfwwdm32.dll
2009-03-03 21:25 . 2004-08-04 02:29 29,311 --a------ c:\winnt\system32\dllcache\watv01nt.sys
2009-03-03 21:25 . 2004-08-04 03:08 25,600 --a------ c:\winnt\system32\dllcache\usbser.sys
2009-03-03 21:25 . 2004-08-04 03:08 17,024 --a------ c:\winnt\system32\dllcache\usbohci.sys
2009-03-03 21:25 . 2004-08-04 02:29 12,415 --a------ c:\winnt\system32\dllcache\wadv01nt.sys
2009-03-03 21:25 . 2004-08-04 02:29 12,127 --a------ c:\winnt\system32\dllcache\wadv02nt.sys
2009-03-03 21:25 . 2004-08-04 02:29 11,775 --a------ c:\winnt\system32\dllcache\wadv05nt.sys
2009-03-03 21:24 . 2004-08-04 03:00 149,376 --a------ c:\winnt\system32\dllcache\tffsport.sys
2009-03-03 21:24 . 2004-08-04 04:56 82,432 --a------ c:\winnt\system32\dllcache\tp4mon.exe
2009-03-03 21:23 . 2004-08-04 03:07 16,128 --a------ c:\winnt\system32\dllcache\smbbatt.sys
2009-03-03 21:23 . 2004-08-04 03:00 7,552 --a------ c:\winnt\system32\dllcache\sonyait.sys
2009-03-03 21:23 . 2004-08-04 03:07 6,912 --a------ c:\winnt\system32\dllcache\smbclass.sys
2009-03-03 21:22 . 2004-08-04 02:59 43,136 --a------ c:\winnt\system32\dllcache\sbp2port.sys
2009-03-03 21:22 . 2004-08-04 02:31 32,768 --a------ c:\winnt\system32\dllcache\sisnic.sys
2009-03-03 21:21 . 2004-08-04 04:56 159,232 --a------ c:\winnt\system32\dllcache\ptpusd.dll
2009-03-03 21:21 . 2004-08-04 02:59 79,104 --a------ c:\winnt\system32\dllcache\rocket.sys
2009-03-03 21:21 . 2004-08-04 02:31 20,992 --a------ c:\winnt\system32\dllcache\rtl8139.sys
2009-03-03 21:21 . 2004-08-04 03:00 17,664 --a------ c:\winnt\system32\dllcache\ppa3.sys
2009-03-03 21:21 . 2004-08-04 03:00 6,016 --a------ c:\winnt\system32\dllcache\qic157.sys
2009-03-03 21:20 . 2004-08-04 04:56 259,328 --a------ c:\winnt\system32\dllcache\perm3dd.dll
2009-03-03 21:20 . 2004-08-04 04:56 211,712 --a------ c:\winnt\system32\dllcache\perm2dll.dll
2009-03-03 21:20 . 2004-08-04 03:10 61,056 --a------ c:\winnt\system32\dllcache\ohci1394.sys
2009-03-03 21:20 . 2004-08-04 02:31 29,502 --a------ c:\winnt\system32\dllcache\pca200e.sys
2009-03-03 21:20 . 2004-08-04 03:06 28,032 --a------ c:\winnt\system32\dllcache\perm3.sys
2009-03-03 21:20 . 2004-08-04 03:06 27,904 --a------ c:\winnt\system32\dllcache\perm2.sys
2009-03-03 21:19 . 2004-08-04 03:09 49,024 --a------ c:\winnt\system32\dllcache\mstape.sys
2009-03-03 21:19 . 2004-08-04 03:00 28,672 --a------ c:\winnt\system32\dllcache\nscirda.sys
2009-03-03 21:18 . 2004-08-04 03:00 26,112 --a------ c:\winnt\system32\dllcache\memstpci.sys
2009-03-03 21:18 . 2004-08-04 03:00 22,016 --a------ c:\winnt\system32\dllcache\msircomm.sys
2009-03-03 21:18 . 2004-08-04 03:00 7,040 --a------ c:\winnt\system32\dllcache\ltotape.sys
2009-03-03 21:17 . 2004-08-04 02:41 606,684 --a------ c:\winnt\system32\dllcache\ltmdmnt.sys
2009-03-03 21:17 . 2004-08-04 02:59 34,688 --a------ c:\winnt\system32\dllcache\lbrtfdc.sys
2009-03-03 21:15 . 2004-08-04 04:56 152,576 --a------ c:\winnt\system32\dllcache\irftp.exe
2009-03-03 21:15 . 2004-08-04 03:00 87,424 --a------ c:\winnt\system32\dllcache\irda.sys
2009-03-03 21:15 . 2004-08-04 04:56 27,136 --a------ c:\winnt\system32\dllcache\irmon.dll
2009-03-03 21:14 . 2004-08-04 04:56 702,845 --a------ c:\winnt\system32\dllcache\i81xdnt5.dll
2009-03-03 21:14 . 2004-08-04 02:29 161,020 --a------ c:\winnt\system32\dllcache\i81xnt5.sys
2009-03-03 21:14 . 2004-08-04 03:00 18,560 --a------ c:\winnt\system32\dllcache\i2omp.sys
2009-03-03 21:14 . 2004-08-04 03:00 8,192 --a------ c:\winnt\system32\dllcache\i2omgmt.sys
2009-03-03 21:13 . 2004-08-04 03:08 59,136 --a------ c:\winnt\system32\dllcache\gckernel.sys
2009-03-03 21:13 . 2004-08-04 02:59 28,288 --a------ c:\winnt\system32\dllcache\grserial.sys
2009-03-03 21:13 . 2004-08-04 03:08 10,624 --a------ c:\winnt\system32\dllcache\gameenum.sys
2009-03-03 21:12 . 2004-08-04 02:31 34,173 --a------ c:\winnt\system32\dllcache\forehe.sys
2009-03-03 21:11 . 2004-08-04 04:56 20,992 --a------ c:\winnt\system32\dllcache\dshowext.ax
2009-03-03 21:10 . 2004-08-04 04:56 249,856 --a------ c:\winnt\system32\dllcache\ctmasetp.dll
2009-03-03 21:10 . 2004-08-04 02:32 48,640 --a------ c:\winnt\system32\dllcache\cwrwdm.sys
2009-03-03 21:10 . 2004-08-04 03:00 8,320 --a------ c:\winnt\system32\dllcache\dlttape.sys
2009-03-03 21:09 . 2004-08-04 03:07 14,080 --a------ c:\winnt\system32\dllcache\cmbatt.sys
2009-03-03 21:09 . 2004-08-04 03:00 8,192 --a------ c:\winnt\system32\dllcache\changer.sys
2009-03-03 21:05 . 2004-08-04 03:10 38,912 --a------ c:\winnt\system32\dllcache\avc.sys
2009-03-03 21:05 . 2004-08-04 03:09 13,696 --a------ c:\winnt\system32\dllcache\avcstrm.sys
2009-03-03 21:03 . 2001-08-17 23:36 462,848 --a------ c:\winnt\system32\dllcache\a3dapi.dll
2009-03-03 21:03 . 2004-08-04 03:10 53,248 --a------ c:\winnt\system32\dllcache\1394bus.sys
2009-03-03 21:03 . 2004-08-04 03:10 48,128 --a------ c:\winnt\system32\dllcache\61883.sys
2009-03-03 21:03 . 2004-08-04 03:00 12,288 --a------ c:\winnt\system32\dllcache\4mmdat.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-19 17:03 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-19 07:06 --------- d-----w c:\program files\LogMeIn
2009-03-18 13:15 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-18 13:04 --------- d-----w c:\program files\AOL Toolbar
2009-03-18 13:04 --------- d-----w c:\program files\AOL Deskbar
2009-03-18 06:01 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-13 20:00 --------- d-----w c:\program files\Common Files\Adobe
2009-03-11 13:35 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-03-04 20:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-04 01:30 --------- d-----w c:\program files\Lavasoft Ad-Aware
2009-02-09 10:19 1,846,272 ----a-w c:\winnt\system32\win32k.sys
2009-02-09 10:19 1,846,272 ----a-w c:\winnt\system32\dllcache\win32k.sys
2009-02-03 01:12 101,568 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2009-01-21 18:50 --------- d-----w c:\program files\Google
2009-01-17 02:35 3,594,752 ----a-w c:\winnt\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 ----a-w c:\winnt\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\winnt\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ----a-w c:\winnt\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\winnt\system32\dllcache\ieakui.dll
1998-04-27 04:00 570,128 ----a-w c:\program files\Common Files\DAO350.DLL
1991-12-09 18:40 352 ----a-w c:\documents and settings\Owner\SIMPSONS.BAT
1991-12-09 18:39 370 ----a-w c:\documents and settings\Owner\CONFIG.BAT
.

((((((((((((((((((((((((((((( SnapShot@2009-03-19_12.53.44.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-19 16:43:13 3,872 ----a-w c:\winnt\SoftwareDistribution\EventCache\{8964C430-20D9-4ACF-99AE-D38974B69DA1}.bin
+ 2009-03-19 16:57:35 1,526 ----a-w c:\winnt\SoftwareDistribution\EventCache\{8964C430-20D9-4ACF-99AE-D38974B69DA1}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-02-12 65240]
"CANON DR2580C SVC"="DR25SVC.dll" [2005-02-15 c:\winnt\system32\DR25SVC.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\winnt\system32\Adobe\Shockwave 11\nssstub.exe" [2009-02-17 181624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="c:\program files\Common Files\MySoftware\regdll.dll" [2004-06-18 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-03-28 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-03-28 784912]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2002-12-12 83360]
Shortcut to docstar.lnk - C:\docstar.bat [2006-10-23 54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 10:10 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\winnt\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"VIDC.I263"= i263_32.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\winnt\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\winnt\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\winnt\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Newsflash.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Newsflash.lnk
backup=c:\winnt\pss\Newsflash.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Principia Online Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Principia Online Update.lnk
backup=c:\winnt\pss\Principia Online Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Push Client.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Push Client.LNK
backup=c:\winnt\pss\Push Client.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\winnt\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Accelerate]
--a------ 2003-01-30 15:40 2231296 c:\program files\Webroot\Accelerate\accelerate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-03 20:50 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2005-01-20 20:47 79448 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-10-20 10:40 34904 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 c:\winnt\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
--a------ 2002-08-06 17:24 53248 c:\winnt\GWMDMpi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2004-11-03 17:03 125528 c:\program files\Common Files\AOL\1111251263\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-11-18 01:11 118784 c:\winnt\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-11-18 01:24 155648 c:\winnt\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-13 15:19 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 14:41 33792 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
--a------ 2002-08-06 17:24 90112 c:\winnt\GWMDMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hot Key Kbd 9910 Daemon]
--a------ 2001-01-03 16:50 66048 c:\winnt\system32\SK9910DM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-09-21 03:10 55824 c:\winnt\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=2 (0x2)
"Schedule"=2 (0x2)
"Messenger"=2 (0x2)
"WANMiniportService"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)
"wuauserv"=2 (0x2)
"WebClient"=2 (0x2)
"TrkWks"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"WinDefend"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AdsGone\\adsgone.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\1111251263\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINNT\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINNT\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\system32\\sessmgr.exe"=

R2 DSClSvc;DocSTAR Client Service;c:\docstar\dsclsv.exe [2006-10-23 102400]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-06-04 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\winnt\system32\drivers\LMIRfsDriver.sys [2007-06-04 47640]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-02-12 26104]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [2002-12-12 6736]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
*NewlyCreated* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder

2008-10-29 c:\winnt\Tasks\$~$Sys0$.job
- c:\winnt\System32\SchedSvc.dll [2004-08-04 03:56]

2006-12-28 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]

2009-03-19 c:\winnt\Tasks\NSSstub.job
- c:\winnt\system32\Adobe\Shockwave 11\nssstub.exe [2009-02-17 17:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://finance.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: fnbchestercounty.com\www
Trusted Zone: ingdirect.com\home
Trusted Zone: ml.com\www
Trusted Zone: prudential.com\www.annuities
Trusted Zone: v2020-sai.com\oneview
Trusted Zone: v2020-sai.com\www
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021} - c:\progra~1\NETEXC~1.0\FlowHook.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-19 18:42:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1329165125-1587905972-2466944439-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\winnt\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\winnt\system32\LMIinit.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\winnt\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\ati2evxx.exe
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\winnt\system32\NMSSvc.Exe
c:\winnt\system32\ati2evxx.exe
c:\winnt\system32\HPZipm12.exe
c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\winnt\system32\wscntfy.exe
c:\winnt\system32\rundll32.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-03-19 18:51:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-19 22:51:05

Pre-Run: 43,391,393,792 bytes free
Post-Run: 43,356,831,744 bytes free

369 --- E O F --- 2009-03-19 07:01:22


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:19 AM, on 3/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\DOCSTAR\dsclsv.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [CANON DR2580C SVC] rundll32.exe DR25SVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINNT\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Shortcut to docstar.lnk = C:\docstar.bat
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fnbchestercounty.com
O15 - Trusted Zone: http://home.ingdirect.com
O15 - Trusted Zone: http://www.ml.com
O15 - Trusted Zone: http://www.annuities.prudential.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/prof ... itStop.CAB
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/client/iftwclix.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0380840171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9376711190
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/seri ... /gwCID.CAB
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Dwf Viewer Control) - http://www.autodesk.com/global/dwfviewe ... rSetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://reports.reged.com/viewer/active ... viewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emoneyadvisor.webex.com/client/ ... eatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DocSTAR Client Service (DSClSvc) - DocSTAR - C:\DOCSTAR\dsclsv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - http://www.raft.org/pics/amigos/misc/MONKEYS.JPG

--
End of file - 10237 bytes


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 20, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 20, 2009 14:11:48
Records in database: 1938528
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
T:\

Scan statistics:
Files scanned: 130955
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:31:08


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{69CDB8FA-8ABF-391E-B801-2C7AADE2EC14}-bjkomxt.dll Infected: Trojan-Downloader.Win32.Lemmy.u 1

The selected area was scanned.
kmatt
Active Member
Posts: 9
Joined: March 4th, 2009, 1:28 pm

Re: Google & Yahoo searches are re-directed

Unread postby Carolyn » March 20th, 2009, 3:18 pm

Download HostsXpert and unzip it to your desktop.

Open HostsXpert that you earlier unzipped on your desktop

  • Click "Make Hosts Writable?" upper right corner (if available)
  • Click "Restore Microsoft's Original Hosts File" and then click OK
  • Close HostsXpert
Note: if you used any custom Hosts (e.g. MVPS Hosts), you will have to put them back manually.

Please post a fresh HijackThis log and let me know if the problem of being redirected on the web is resolved.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Google & Yahoo searches are re-directed

Unread postby kmatt » March 24th, 2009, 3:01 pm

Still acting the same. Can't write to hosts file; tried to change it in Spybot but no luck. Below is a new HijackThis log.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:11 PM, on 3/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\DOCSTAR\dsclsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CANON DR2580C SVC] rundll32.exe DR25SVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Shortcut to docstar.lnk = C:\docstar.bat
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fnbchestercounty.com
O15 - Trusted Zone: http://home.ingdirect.com
O15 - Trusted Zone: http://www.ml.com
O15 - Trusted Zone: http://www.annuities.prudential.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/prof ... itStop.CAB
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/client/iftwclix.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0380840171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9376711190
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/seri ... /gwCID.CAB
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Dwf Viewer Control) - http://www.autodesk.com/global/dwfviewe ... rSetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://reports.reged.com/viewer/active ... viewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emoneyadvisor.webex.com/client/ ... eatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: DocSTAR Client Service (DSClSvc) - DocSTAR - C:\DOCSTAR\dsclsv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.raft.org/pics/amigos/misc/MONKEYS.JPG

--
End of file - 9189 bytes
kmatt
Active Member
Posts: 9
Joined: March 4th, 2009, 1:28 pm

Re: Google & Yahoo searches are re-directed

Unread postby Carolyn » March 25th, 2009, 7:54 am

Hi,

Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
    :Files
    C:\WINDOWS\system32\drivers\etc\hosts

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3


Run HostsXpert

Double click on HostsXpert.exe to launch it.

* You will get a prompt that you do not have a Hosts file and asked if you want to create one.
* Answer Yes.
* Click on the Make Read Only button.
* Exit out of HostsXpert.


Please post a fresh HijackThis log and a description of how your computer is behaving.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
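A hosts-file audit in the spirit of the fix above (an added example, not code from the thread, from HostsXpert or from OTMoveIt3): it parses a constructed hosts file the way the hijack described in this thread looks to a defender and flags the entries that steer search engines to another host or blackhole security sites, then shows that the restored Microsoft default produces no findings. The watched-domain list, the sample hostnames and the 198.51.100.23 address are assumptions made for the example.

```python
"""Audit a Windows hosts file for search-redirect hijacks.

Added example for the MalwareRemoval.com thread; not the forum's or any
tool's own code. Sample data below is constructed for illustration.
"""
import ipaddress

# Active content of Microsoft's original XP-era hosts file (what HostsXpert's
# "Restore Microsoft's Original Hosts File" puts back): only localhost.
MICROSOFT_DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Assumed watch list: domains a home PC should almost never map in hosts.
# Search engines and security/update vendors are the usual hijack targets.
WATCHED_SUFFIXES = (
    "google.com", "yahoo.com", "bing.com", "live.com",
    "microsoft.com", "windowsupdate.com", "avg.com", "malwarebytes.org",
    "safer-networking.org", "lavasoft.com", "trendmicro.com",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in parts[1:]:                    # one line may list several names
            yield ip, name.lower(), line_no


def is_watched(hostname):
    """True when hostname is, or is a subdomain of, a watched domain."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify(ip, hostname):
    """Return a short verdict for one hosts mapping."""
    if hostname == "localhost" and ip.is_loopback:
        return "ok"
    if is_watched(hostname):
        # loopback/unspecified -> the site is blackholed (security tools,
        # update servers); anything else -> requests are steered elsewhere.
        if ip.is_loopback or ip.is_unspecified:
            return "blocked"
        return "redirected"
    if ip.is_loopback or ip.is_unspecified:
        return "blocklist"   # typical of an MVPS-style custom hosts file
    return "custom"          # user-defined mapping; review, but not flagged


def audit_hosts(text):
    """Return [(line_no, hostname, ip, verdict)] for entries worth flagging."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        verdict = classify(ip, name)
        if verdict in ("redirected", "blocked"):
            findings.append((line_no, name, str(ip), verdict))
    return findings


# Constructed sample resembling the "Host" entries Spybot reported.
SAMPLE_HIJACKED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net        # user blocklist entry, harmless
198.51.100.23   www.google.com            # search traffic steered elsewhere
198.51.100.23   google.com
198.51.100.23   search.yahoo.com
127.0.0.1       www.malwarebytes.org      # security site blackholed
127.0.0.1       www.safer-networking.org
"""

if __name__ == "__main__":
    for line_no, name, ip, verdict in audit_hosts(SAMPLE_HIJACKED_HOSTS):
        print(f"line {line_no:>3}: {name:<28} -> {ip:<15} {verdict}")
    print("restored default:", audit_hosts(MICROSOFT_DEFAULT_HOSTS))
```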

Re: Google & Yahoo searches are re-directed

Unread postby kmatt » March 25th, 2009, 10:04 am

Requested logs below.

Everything seems to be working OK now - Thanks for all your help!!!



========== FILES ==========
c:\winnt\system32\drivers\etc\hosts moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03252009_084129



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:10 AM, on 3/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\DOCSTAR\dsclsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CANON DR2580C SVC] rundll32.exe DR25SVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Shortcut to docstar.lnk = C:\docstar.bat
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fnbchestercounty.com
O15 - Trusted Zone: http://home.ingdirect.com
O15 - Trusted Zone: http://www.ml.com
O15 - Trusted Zone: http://www.annuities.prudential.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/prof ... itStop.CAB
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/client/iftwclix.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0380840171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9376711190
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/seri ... /gwCID.CAB
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Dwf Viewer Control) - http://www.autodesk.com/global/dwfviewe ... rSetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://reports.reged.com/viewer/active ... viewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emoneyadvisor.webex.com/client/ ... eatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: DocSTAR Client Service (DSClSvc) - DocSTAR - C:\DOCSTAR\dsclsv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.raft.org/pics/amigos/misc/MONKEYS.JPG

--
End of file - 9128 bytes
kmatt
Active Member
 
Posts: 9
Joined: March 4th, 2009, 1:28 pm

Re: Google & Yahoo searches are re-directed

Unread postby Carolyn » March 26th, 2009, 1:10 pm

This is my general post for when your logs show no more signs of malware ;) Please let me know if you are still having problems with your computer and what these problems are.

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:
  • Please delete DDS.exe from your computer
  • Go to Start --> Run and copy/paste C:\WINDOWS\gmer_uninstall.cmd into the run window, click Okay. When that process completes, please reboot your computer.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

    Delete ComboFix
    Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
    Please advise if this step is missed for any reason as it performs some important actions.

    CleanUp! with OTMoveIt
    • Double click OTMoveIt3.exe to launch the programme.
    • Click on the CleanUp! button.
    • OTMoveIt will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • When finished exit out of OTMoveIt
    • The tool will delete itself once it finishes; if not, delete it yourself.


    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

    • Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under Hidden files and folders if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check Display content of system folders
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

    • Make sure that you keep your antivirus updated
      New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

    • Install and use a firewall with outbound protection
      The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
      Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

    • Security Updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
      Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.

    • Update Non-Microsoft Programs
      Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

    • Make Internet Explorer More Secure
      You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

    • SpywareBlaster
      SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

    • Malwarebytes' Anti-Malware or SuperAntiSpyware
      These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start.
      You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
      You can download SuperAntiSpyware from HERE.

    • Hosts File
      For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

      Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
      If this isn't done first, the next reboot may take a VERY LONG TIME.
      This is how to do it. First be sure you are signed in as a user with administrative privileges:
      Stop and Disable the DNS Client Service
      Go to Start, Run and type Services.msc and click OK.
      Under the Extended Tab, Scroll down and find this service.
      DNS Client
      Right-Click on the DNS Client Service. Choose Properties
      Select the General tab. Click on the Stop button.
      Click the Arrow-down tab on the right-hand side at the Start-up Type box.
      From the drop-down menu, click on Manual
      Click the Apply tab, then click OK


    • Use an alternative Internet Browser
      Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
      Firefox
      Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
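The Hosts File advice in the post above recommends adding a large blocklist-style HOSTS file; the same file is also where a search redirect like the one reported at the top of this thread can be planted. The script below is an added example for this thread, not a tool from MalwareRemoval.com or from Carolyn. It parses a HOSTS file in the standard syntax (one address per line followed by one or more names, `#` starting a comment) and separates harmless blocklist entries (names sunk to 0.0.0.0 or 127.0.0.1) from entries that send a search engine, update site or security vendor somewhere else. The watchlist of domains is an assumption chosen for the example, and the sample file, including the 198.51.100.23 address (a documentation-range address, not a real host), is constructed.

```python
"""Audit a Windows HOSTS file: blocklist entries vs. redirect-style hijacks.

Added example for this thread; not a MalwareRemoval.com tool. Assumes the
standard HOSTS syntax: an IP address followed by one or more names per line,
with '#' starting a comment.
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Addresses used by blocklist-style HOSTS files. A name mapped here is only
# sunk (the lookup goes nowhere); it cannot be redirected to a foreign site.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that should never be pointed elsewhere from HOSTS. Assumed watchlist
# for this example, built around the redirected-search symptom; extend it
# with the vendors you rely on.
WATCHLIST = (
    "google.com", "yahoo.com", "bing.com",
    "microsoft.com", "windowsupdate.com",
    "avg.com", "malwarebytes.org", "safer-networking.org",
)

Entry = Tuple[str, str]  # (ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return (ip, name) pairs, one per name, skipping comments and bad lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # not a valid address: ignore
        for name in fields[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def on_watchlist(name: str) -> bool:
    """True if name is a watchlisted domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify entries: 'blocks' (sunk), 'hijacks' (watchlisted name sent
    elsewhere) and 'other' (everything else, worth a manual look)."""
    report: Dict[str, List[Entry]] = {"blocks": [], "hijacks": [], "other": []}
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip in SINK_ADDRESSES:
            continue                           # the stock entry, nothing to see
        if ip in SINK_ADDRESSES:
            report["blocks"].append((ip, name))
        elif on_watchlist(name):
            report["hijacks"].append((ip, name))
        else:
            report["other"].append((ip, name))
    return report


# Constructed sample HOSTS file. 198.51.100.23 is from the documentation
# range (TEST-NET-2), not a real attacker address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# blocklist-style entries: lookups are sunk, nothing is redirected
0.0.0.0         ads.example-adnetwork.test
127.0.0.1       tracker.example-adnetwork.test    # trailing comment
# hijack-style entries: real search/update names sent to a foreign host
198.51.100.23   www.google.com google.com
198.51.100.23   search.yahoo.com
198.51.100.23   update.microsoft.com
not-an-address  garbage.test
"""


def main(argv: List[str]) -> int:
    """With a path argument the real file is audited; otherwise the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    report = audit_hosts(text)
    print(f"{len(report['blocks'])} blocklist entries (normal for a large HOSTS file)")
    for ip, name in report["hijacks"]:
        print(f"HIJACK  {name:30} -> {ip}")
    for ip, name in report["other"]:
        print(f"REVIEW  {name:30} -> {ip}")
    return 1 if report["hijacks"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to the HOSTS file as its only argument (%SystemRoot%\system32\drivers\etc\hosts; on the machine in this thread that is under C:\WINNT, as the log shows). A large blocklist produces thousands of "blocks" and that is expected; anything under HIJACK means a name you rely on is being resolved to an address the file's author chose, and anything under REVIEW deserves a look. Note that the DNS Client service caches the HOSTS file, which is why the post above has you stop it before loading a large one.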

Re: Google & Yahoo searches are re-directed

Unread postby kmatt » March 26th, 2009, 1:29 pm

Thank you so much for your help - you've been great.

I've read your post and couldn't agree more - my boss's computer is the one that got infected so it was delegated to me to get fixed.

Again, Thanks.
kmatt
Active Member
 
Posts: 9
Joined: March 4th, 2009, 1:28 pm