Possible Spyware Hijack

Post by Dave » June 10th, 2009, 1:16 pm

Hi
Not sure if I have a problem or not

Spyware Doctor has found 2 infections as follows.
Spyware.Possible_Website_Hijack
Hosts 127.0.0.1, hxxp://www.spywareifo.com
127.0.0.1 spywareinfo.com

It says it can clean them but then fails to do this successfully.
Spybot and A squared do not detect these threats at all.

Also IE is really slow when opening up, but fine once opened.

HiJack This Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:10:56, on 10/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Blacklock\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {B744ED6D-2CA3-44DF-83BB-75A8BE1EE631} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Blacklock\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.runaware.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9504580593
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwar ... /CTPID.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: McAfee Application Installer Cleanup (0236581237916216) (0236581237916216mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\023658~1.EXE (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c996c2fdc82446) (gupdate1c996c2fdc82446) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 14221 bytes

Please Help
Thanks Dave
Dave
Regular Member
 
Posts: 19
Joined: February 17th, 2008, 5:32 pm
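As an added example (not code from this thread, from HijackThis or from Spyware Doctor), a small Python triage script that applies the checks a helper reads a HijackThis log for: hosts-file entries that blackhole security sites to 127.0.0.1 (the Spyware Doctor finding above), BHOs that are unnamed or whose DLL is missing on disk, and services registered from a temp folder. The sample log lines are constructed to follow the HijackThis 2.0.2 layout shown in the post, and the list of protected hostnames is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed list of security-site hostnames that hosts-file hijackers
# commonly blackhole so the victim cannot reach help or updates. The thread's
# Spyware Doctor finding concerned spywareinfo.com; the others are assumptions.
PROTECTED_HOSTS = {
    "spywareinfo.com", "www.spywareinfo.com",
    "malwareremoval.com", "www.malwareremoval.com",
}
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# A HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ..."
HJT_LINE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
BHO_LINE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def check_hosts(line_no, body):
    """O1 lines: 'Hosts: <ip> <hostname>'. Flag loopback mappings of security sites."""
    parts = body.split(None, 2)
    if len(parts) < 3:
        return None
    ip, host = parts[1], parts[2].strip().lower()
    if ip in BLACKHOLE_IPS and host in PROTECTED_HOSTS:
        return Finding(line_no, "hosts-blackhole",
                       f"{host} -> {ip}: security site blocked via hosts file")
    return None


def check_bho(line_no, body):
    """O2 lines: an unnamed BHO, or one whose DLL is gone, deserves a look."""
    m = BHO_LINE.match(body)
    if not m:
        return None
    reasons = []
    if m["name"] == "(no name)":
        reasons.append("unnamed BHO")
    if m["path"].endswith("(file missing)"):
        reasons.append("registered DLL missing on disk")
    if not reasons:
        return None
    return Finding(line_no, "suspicious-bho",
                   f"{m['clsid']} {m['path']}: " + "; ".join(reasons))


def check_service(line_no, body):
    """O23 lines: 'Service: <display name> - <owner> - <image path>[ (file missing)]'."""
    fields = body.rsplit(" - ", 2)  # display names may themselves contain ' - '
    if len(fields) < 3:
        return None
    owner, path = fields[1].strip(), fields[2].strip()
    reasons = []
    if "\\temp\\" in path.lower():
        reasons.append("runs from a temp directory")
    if path.endswith("(file missing)"):
        reasons.append("service binary missing on disk")
    if owner == "Unknown owner" and reasons:
        reasons.append("no vendor recorded")
    if not reasons:
        return None
    return Finding(line_no, "suspicious-service", f"{path}: " + "; ".join(reasons))


CHECKS = {"O1": check_hosts, "O2": check_bho, "O23": check_service}


def triage(log_text):
    """Return a Finding for every HijackThis line that one of the checks objects to."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m["section"])
        if check:
            finding = check(line_no, m["body"])
            if finding:
                findings.append(finding)
    return findings


# Constructed sample in HijackThis 2.0.2 layout. The flagged entries mirror the
# ones reported in the thread (the hosts entry came from Spyware Doctor, the
# BHO and service lines from the posted HijackThis log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: 127.0.0.1 spywareinfo.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B744ED6D-2CA3-44DF-83BB-75A8BE1EE631} - C:\WINDOWS\system32\mljgh.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0236581237916216) (0236581237916216mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\023658~1.EXE (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.rule:<18} {f.detail}")
```

A flagged line is a prompt for a helper to look closer, not a verdict: a missing DLL can be a leftover from a half-removed infection as easily as an active one.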

Re: Possible Spyware Hijack

Post by jmw3 » June 13th, 2009, 4:26 am

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Possible Spyware Hijack

Post by Dave » June 13th, 2009, 6:44 pm

OK
Here are the Logs you requested


DDS (Ver_09-05-14.01) - NTFSx86
Run by Blacklock at 16:43:58.51 on 13/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.326 [GMT 1:00]

AV: avast! antivirus 4.8.1335 [VPS 090612-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Documents and Settings\Blacklock\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Documents and Settings\Blacklock\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {b744ed6d-2ca3-44df-83bb-75a8be1ee631} - c:\windows\system32\mljgh.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\blacklock\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [V0220Mon.exe] c:\windows\V0220Mon.exe
mRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
mRun: [AVFX Engine] c:\program files\creative\creative live! cam\videofx\StartFX.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [LyraHD2TrayApp] "c:\program files\thomson\lyra jukebox\lyrahdtrayapp\LYRAHD2TrayApp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{f128ba10-362e-11d3-81ab-00c04fb932ba}\4EBD23F5.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: runaware.com\www
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partne ... nicode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/sh ... tor/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windows ... 9504580593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwar ... /CTPID.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\common files\microsoft shared\information retrieval\itss51.dll
Handler: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - c:\progra~1\common~1\micros~1\refere~1\msref.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mljgh.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-9-15 40840]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-11 130936]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-3 114768]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-9-15 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-9-15 81288]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2008-2-17 718880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-9-15 138680]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-7-25 210216]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-2-6 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-2-6 1095560]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-9-15 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-9-15 352920]
R3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [2007-10-8 146112]
R3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [2007-10-8 6272]
S2 0236581237916216mcinstcleanup;McAfee Application Installer Cleanup (0236581237916216);c:\windows\temp\023658~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\023658~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c996c2fdc82446;Google Update Service (gupdate1c996c2fdc82446);c:\program files\google\update\GoogleUpdate.exe [2009-2-24 133104]

=============== Created Last 30 ================

2009-06-11 22:41 <DIR> --d----- c:\docume~1\blackl~1\applic~1\Malwarebytes
2009-06-11 22:40 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 22:40 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-11 22:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 22:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-11 22:16 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-11 22:16 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-11 22:16 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-11 22:16 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-11 22:16 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-06-11 22:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-06-08 22:38 <DIR> --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-08 22:25 3,366,912 a------- c:\windows\system32\GPhotos.scr
2008-08-07 22:15 87,608 a------- c:\docume~1\blackl~1\applic~1\inst.exe
2008-08-07 22:15 47,360 a------- c:\docume~1\blackl~1\applic~1\pcouffin.sys
2007-11-28 20:49 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-08-29 17:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat
2008-08-30 22:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 16:45:03.34 ===============

Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/09/2007 10:20:40
System Uptime: 13/06/2009 16:31:23 (0 hours ago)

Motherboard: ELITEGROUP COMPUTER SYSTEM CO.,LTD. | | NFORCE6M-A
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4000+ | Socket AM2 | 2109/201mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 69.106 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP601: 15/03/2009 19:23:58 - Software Distribution Service 3.0
RP602: 16/03/2009 15:54:48 - Software Distribution Service 3.0
RP603: 17/03/2009 16:54:17 - System Checkpoint
RP604: 18/03/2009 19:24:58 - System Checkpoint
RP605: 19/03/2009 20:42:26 - Software Distribution Service 3.0
RP606: 20/03/2009 21:34:30 - System Checkpoint
RP607: 22/03/2009 11:32:50 - System Checkpoint
RP608: 22/03/2009 13:08:00 - Installed Windows XP Creativity Fun Packs - Windows Movie Maker 2 - Titles
RP609: 23/03/2009 14:54:24 - Software Distribution Service 3.0
RP610: 24/03/2009 17:43:51 - System Checkpoint
RP611: 25/03/2009 19:29:20 - System Checkpoint
RP612: 26/03/2009 20:25:57 - Software Distribution Service 3.0
RP613: 28/03/2009 09:06:41 - System Checkpoint
RP614: 29/03/2009 22:05:23 - System Checkpoint
RP615: 30/03/2009 20:08:40 - Software Distribution Service 3.0
RP616: 31/03/2009 18:37:13 - Installed Java(TM) 6 Update 13
RP617: 01/04/2009 22:25:19 - System Checkpoint
RP618: 02/04/2009 19:36:15 - Software Distribution Service 3.0
RP619: 03/04/2009 22:44:39 - System Checkpoint
RP620: 06/04/2009 19:32:21 - Software Distribution Service 3.0
RP621: 07/04/2009 22:10:15 - System Checkpoint
RP622: 09/04/2009 19:22:46 - System Checkpoint
RP623: 11/04/2009 19:44:49 - System Checkpoint
RP624: 13/04/2009 08:49:11 - System Checkpoint
RP625: 13/04/2009 21:25:08 - Software Distribution Service 3.0
RP626: 14/04/2009 20:00:58 - Software Distribution Service 3.0
RP627: 15/04/2009 20:41:00 - System Checkpoint
RP628: 17/04/2009 20:23:28 - System Checkpoint
RP629: 19/04/2009 22:17:24 - System Checkpoint
RP630: 20/04/2009 20:00:20 - Software Distribution Service 3.0
RP631: 21/04/2009 22:51:35 - System Checkpoint
RP632: 23/04/2009 21:13:29 - Software Distribution Service 3.0
RP633: 24/04/2009 21:55:00 - System Checkpoint
RP634: 26/04/2009 18:27:36 - System Checkpoint
RP635: 27/04/2009 18:20:19 - Software Distribution Service 3.0
RP636: 28/04/2009 19:08:31 - System Checkpoint
RP637: 29/04/2009 20:07:11 - System Checkpoint
RP638: 30/04/2009 21:13:42 - Software Distribution Service 3.0
RP639: 01/05/2009 21:18:44 - System Checkpoint
RP640: 04/05/2009 19:39:10 - Software Distribution Service 3.0
RP641: 05/05/2009 19:58:44 - System Checkpoint
RP642: 07/05/2009 19:52:24 - Software Distribution Service 3.0
RP643: 08/05/2009 22:41:30 - System Checkpoint
RP644: 10/05/2009 12:10:12 - System Checkpoint
RP645: 11/05/2009 17:57:42 - Software Distribution Service 3.0
RP646: 12/05/2009 18:50:26 - System Checkpoint
RP647: 13/05/2009 20:00:39 - System Checkpoint
RP648: 13/05/2009 20:01:17 - Software Distribution Service 3.0
RP649: 14/05/2009 20:00:27 - Software Distribution Service 3.0
RP650: 15/05/2009 20:21:58 - System Checkpoint
RP651: 17/05/2009 18:38:44 - System Checkpoint
RP652: 18/05/2009 20:18:04 - Software Distribution Service 3.0
RP653: 19/05/2009 20:59:23 - System Checkpoint
RP654: 20/05/2009 21:05:25 - System Checkpoint
RP655: 21/05/2009 20:00:47 - Software Distribution Service 3.0
RP656: 22/05/2009 20:26:50 - System Checkpoint
RP657: 23/05/2009 21:27:38 - System Checkpoint
RP658: 25/05/2009 12:28:42 - System Checkpoint
RP659: 25/05/2009 20:00:23 - Software Distribution Service 3.0
RP660: 27/05/2009 15:41:09 - System Checkpoint
RP661: 28/05/2009 15:49:55 - System Checkpoint
RP662: 28/05/2009 20:00:26 - Software Distribution Service 3.0
RP663: 31/05/2009 20:51:15 - System Checkpoint
RP664: 01/06/2009 22:10:13 - Software Distribution Service 3.0
RP665: 03/06/2009 18:37:17 - System Checkpoint
RP666: 04/06/2009 20:47:26 - Software Distribution Service 3.0
RP667: 05/06/2009 22:49:59 - System Checkpoint
RP668: 07/06/2009 20:37:04 - System Checkpoint
RP669: 08/06/2009 16:53:03 - Software Distribution Service 3.0
RP670: 08/06/2009 21:34:50 - Restore Operation
RP671: 08/06/2009 21:40:49 - Software Distribution Service 3.0
RP672: 08/06/2009 22:33:00 - Restore Operation
RP673: 08/06/2009 22:33:52 - Restore Operation
RP674: 08/06/2009 22:53:02 - Software Distribution Service 3.0
RP675: 09/06/2009 11:19:27 - Unsigned driver install
RP676: 10/06/2009 18:04:47 - Installed Java(TM) 6 Update 14
RP677: 11/06/2009 19:43:20 - System Checkpoint
RP678: 11/06/2009 20:00:40 - Software Distribution Service 3.0
RP679: 12/06/2009 21:00:54 - System Checkpoint

==== Installed Programs ======================

a-squared Free 3.1
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.4
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advanced Video FX Engine
AiO_Scan_CDA
AiOSoftwareNPI
Apple Mobile Device Support
Apple Software Update
AutoUpdate
avast! Antivirus
Barbie ® Riding Club
BitComet 1.02
Bonjour
BTBusinessHub
BufferChm
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
Creative Live! Cam Center
Creative Live! Cam Doodling
Creative Live! Cam Manager
Creative Live! Cam Video IM Driver (1.01.01.00)
Creative Live! Cam Video IM User's Guide (English)
Creative Photo Calendar
Creative Photo Manager
Creative Software AutoUpdate
Creative System Information
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CustomerResearchQFolder
CutePDF Writer 2.7
Destinations
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DocProc
DocProcQFolder
DocumentViewer
DocumentViewerQFolder
DVD Shrink 3.2
DVDFab Platinum 3.1.8.0
Electronic Arts Product Registration
Encarta Research Organizer World English
eSupportQFolder
Fax_CDA
Fugawi UK Digital Maps version 2
FugawiUK-2v2 - N. England and Central Scotland
FullDPAppQFolder
Google Chrome
Google Earth
Google Photos Screensaver
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Harry Potter and the Goblet of Fire™
Harry Potter and the Prisoner of Azkaban(TM)
Harry Potter II
Harry Potter TM
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
HPSSupply
IBM ViaVoice Command and Control Runtime 5.3 - UK English
IBM ViaVoice Outloud Runtime - UK English
InstantShareDevices
InstantShareDevicesMFC
iTunes
Japanese Fonts Support For Adobe Reader 8
Java(TM) 6 Update 14
Java(TM) 6 Update 7
Kaspersky Online Scanner
Logitech Gaming Software
Lyra Jukebox Applications
Malwarebytes' Anti-Malware
MarketResearch
McAfee SiteAdvisor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft AutoRoute Express Europe 2000
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Interactive World Atlas 2000
Microsoft Home Publishing 2000
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2000 Standard
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 2000
Microsoft Works 2000 Setup Launcher
MobileMe Control Panel
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
My pet Hotel
NCH Toolbox
Nero 7 Essentials
neroxml
NewCopy_CDA
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
OpenOffice.org 3.0
PanoStandAlone
PDF Settings
Petz 4 (remove only)
PhotoGallery
Picasa 3
Pony Luv v1.3
PowerDVD
ProductContextNPI
QuickTime
RandMap
Readme
Scan
ScannerCopy
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Shop for HP Supplies
SigmaTel Audio
SkinsHP1
Skype™ 4.0
SlideShow
SolutionCenter
Sonic_PrimoSDK
SopCast 3.0.3
Spybot - Search & Destroy
Spyware Doctor 6.0
SpywareBlaster 4.2
Status
Switch Sound File Converter
TestDrive Client
TomTom HOME 2.5.2.60
Toolbox
TrayApp
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC_MergeModuleToMSI
WebFldrs XP
WebReg
WIDCOMM Bluetooth Software
Wildlife Park Gold
Win AVI HelixSDK
WinAVI Video Converter 9.0
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Creativity Fun Packs - Windows Movie Maker 2 - Titles
Windows XP Service Pack 3
WinPatrol 2009
WinRAR archiver

==== Event Viewer Messages From Past Week ========

13/06/2009 16:33:43, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
13/06/2009 16:33:43, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/06/2009 18:36:24, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
11/06/2009 22:15:52, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
10/06/2009 18:02:28, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
09/06/2009 12:06:34, error: Service Control Manager [7031] - The a-squared Free Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
08/06/2009 22:48:02, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
08/06/2009 22:48:02, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decbdf0c\MFC80.DLL. Reference error message: The operation completed successfully. .
08/06/2009 22:48:02, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
08/06/2009 22:39:55, error: WinDefend [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.59.789.0 Loading engine version: 1.1.4602.0
08/06/2009 21:38:08, error: WinDefend [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.59.789.0 Loading engine version: 1.1.4701.0
08/06/2009 18:50:58, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
08/06/2009 16:52:21, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the avast! Web Scanner service to connect.
08/06/2009 16:52:21, error: Service Control Manager [7000] - The avast! Web Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
07/06/2009 19:38:37, error: Service Control Manager [7034] - The HP Port Resolver service terminated unexpectedly. It has done this 1 time(s).
07/06/2009 08:54:06, error: Service Control Manager [7034] - The avast! Web Scanner service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-13 21:37:16
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF36896B8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF72B9514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF72A8282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF72A8474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF72B9D00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF72B9FB8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF368914C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF72B83FA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF368908C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF36890F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF368976E]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF72BA422]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF368972E]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF72B97D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF72A7F32]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xF387B384]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
Dave
Regular Member
 
Posts: 19
Joined: February 17th, 2008, 5:32 pm

Re: Possible Spyware Hijack

Post by jmw3 » June 13th, 2009, 9:05 pm

Hi
MRU P2P Policy
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitComet 1.02

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) & any other P2P programs.

Remove Programs
Click Start > Control Panel > Add/Remove Programs
Remove these programs by clicking Remove

Java(TM) 6 Update 7
MarketResearch


If some programs listed are not present, please do not panic

TFC (Temp File Cleaner)
Download TFC (Temp File Cleaner) by Old Timer Here & save it to your desktop.
  • Save any unsaved work. TFC Cleaner will close all open application windows
  • Double-click TFC.exe to run the program, your desktop will temporarily disappear
  • If prompted, click Yes to reboot
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take any longer than a couple of minutes & may only take a few seconds. Only if needed will you be prompted to reboot.

Combofix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2
Link 3

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
Combofix log
Update on how the computer is running
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
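The helper above read the DDS "Installed Programs" section by eye and picked out two things: a P2P client (BitComet) and a superseded Java update (Java(TM) 6 Update 7 sitting next to Update 14). The script below is an added example, not part of this thread and not a MalwareRemoval.com or DDS tool; it does that same triage over a constructed DDS-style excerpt modelled on the log posted earlier. The section layout (a `==== Installed Programs` header, one program per line, terminated by the next `====` header) is taken from the log in this thread; the P2P name list is an assumption, seeded only with the name the helper flagged, and a real helper would keep a much longer one.

```python
"""Triage a DDS 'Installed Programs' section the way a forum helper does by hand.

Added example: flags P2P clients and older Java updates left behind beside a
newer one, both of which the helper in this thread asked to have removed.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the DDS section in this thread (not the full list).
SAMPLE_DDS = """\
==== Installed Programs ======================

a-squared Free 3.1
avast! Antivirus
BitComet 1.02
HijackThis 2.0.2
Java(TM) 6 Update 14
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
MarketResearch
Spyware Doctor 6.0

==== Event Viewer Messages From Past Week ========
"""

# Assumption: an illustrative P2P list seeded with the client named in the thread.
P2P_PROGRAMS = {"bitcomet"}

# Matches entries such as "Java(TM) 6 Update 14" and captures major/update numbers.
JAVA_RE = re.compile(r"^Java\(TM\) (\d+) Update (\d+)$")


def installed_programs(dds_text: str) -> List[str]:
    """Return the non-empty lines between the 'Installed Programs' header and the next '====' header."""
    out: List[str] = []
    inside = False
    for line in dds_text.splitlines():
        if line.startswith("==== Installed Programs"):
            inside = True
            continue
        if inside and line.startswith("===="):
            break
        if inside and line.strip():
            out.append(line.strip())
    return out


def find_p2p(programs: List[str]) -> List[str]:
    """Entries whose first word matches a known P2P client name (case-insensitive)."""
    return [p for p in programs if p.split()[0].lower() in P2P_PROGRAMS]


def find_superseded_java(programs: List[str]) -> List[str]:
    """Older 'Java(TM) N Update M' entries that sit beside a newer update of the same major."""
    newest: Dict[int, int] = {}
    parsed = []
    for p in programs:
        m = JAVA_RE.match(p)
        if m:
            major, update = int(m.group(1)), int(m.group(2))
            parsed.append((p, major, update))
            newest[major] = max(newest.get(major, -1), update)
    return [p for p, major, update in parsed if update < newest[major]]


def triage(dds_text: str) -> Dict[str, List[str]]:
    """Run both checks over a DDS log and return the entries a helper would ask to remove."""
    programs = installed_programs(dds_text)
    return {
        "p2p": find_p2p(programs),
        "superseded_java": find_superseded_java(programs),
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_DDS).items():
        print(f"{category}: {hits}")
```

Run against the constructed sample it reports BitComet under `p2p` and Java(TM) 6 Update 7 under `superseded_java`, which is exactly the pair the helper listed for removal; only the superseded Java entry is flagged, so the current Update 14 (the one Dave asks about below) is left alone.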

Re: Possible Spyware Hijack

Post by Dave » June 14th, 2009, 4:24 pm

Ok
Done as asked.

Couldn't see Market Research in Add/Remove Progs but removed Bitcomet and Java(TM) 6 Update 7.

There was another Java entry - Java (TM) 6 Update 14. Should I remove this as well?

IE seems to be running much faster now. However when I open it or change pages I get a warning "You are about to leave a secure connection. It will be possible for others to view information you send."

I also now have IE installed on the desktop (not a shortcut). This happened after Combofix had rebooted the system.

I haven't restarted Spyware Doctor, Windows Defender or S & D Tea Timer yet. Winpatrol and Avast have restarted after reboot.

Combofix log
ComboFix 09-06-13.09 - Blacklock 14/06/2009 19:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.501 [GMT 1:00]
Running from: c:\documents and settings\Blacklock\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090614-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Blacklock\Application Data\inst.exe
c:\windows\system32\agfluifa.ini
c:\windows\system32\bgxsihek.ini
c:\windows\system32\hgjlm.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-11 21:41 . 2009-06-11 21:41 -------- d-----w- c:\documents and settings\Blacklock\Application Data\Malwarebytes
2009-06-11 21:40 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-11 21:40 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 21:16 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-11 21:16 . 2009-04-03 10:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-11 21:16 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-11 21:16 . 2009-06-11 21:17 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-11 21:16 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-11 21:15 . 2009-06-11 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-10 17:01 . 2009-06-10 17:01 152576 ----a-w- c:\documents and settings\Blacklock\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-08 21:38 . 2009-06-08 21:38 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 18:58 . 2007-10-04 22:02 -------- d-----w- c:\documents and settings\Blacklock\Application Data\Skype
2009-06-14 18:10 . 2007-11-28 19:49 -------- d-----w- c:\documents and settings\Blacklock\Application Data\skypePM
2009-06-14 17:54 . 2007-10-21 20:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-14 17:34 . 2007-09-15 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-14 09:52 . 2008-11-26 19:19 -------- d-----w- c:\program files\Java
2009-06-14 09:42 . 2008-06-08 19:35 -------- d-----w- c:\program files\BitComet
2009-06-12 20:58 . 2008-11-24 19:12 -------- d-----w- c:\documents and settings\Blacklock\Application Data\U3
2009-06-12 17:54 . 2007-09-15 18:35 -------- d-----w- c:\program files\Spyware Doctor
2009-06-11 21:17 . 2007-11-18 21:39 -------- d-----w- c:\program files\TomTom HOME 2
2009-06-11 19:29 . 2007-09-15 18:34 -------- d-----w- c:\program files\Google
2009-06-09 11:06 . 2008-02-17 15:09 -------- d-----w- c:\program files\a-squared Free
2009-06-08 21:36 . 2008-07-26 07:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-08 20:25 . 2008-06-15 16:16 -------- d-----w- c:\program files\SpywareBlaster
2009-05-21 10:33 . 2008-11-28 22:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 20:03 . 2007-09-16 01:15 -------- d-----w- c:\program files\Microsoft Works
2009-04-26 19:07 . 2007-09-16 01:24 -------- d-----w- c:\program files\Microsoft Home Publishing 2000
2009-04-20 15:22 . 2008-11-26 19:38 1 ----a-w- c:\documents and settings\Blacklock\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-11 21:23 . 2009-04-11 21:23 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-08 21:25 . 2009-04-08 21:25 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-03-31 17:19 . 2009-03-31 17:19 152576 ----a-w- c:\documents and settings\Blacklock\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-12-09 234856]
"Google Update"="c:\documents and settings\Blacklock\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-18 133104]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-03-11 24095528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"V0220Mon.exe"="c:\windows\V0220Mon.exe" [2006-06-28 32768]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-09 53340]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-10-19 20480]
"LyraHD2TrayApp"="c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" [2004-05-13 286720]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-07 337216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-11 68592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-05-06 405504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{F128BA10-362E-11D3-81AB-00C04FB932BA}\4EBD23F5.exe [2007-9-16 29184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10808:TCP"= 10808:TCP:BitComet 10808 TCP
"10808:UDP"= 10808:UDP:BitComet 10808 UDP
"8164:TCP"= 8164:TCP:BitComet 8164 TCP
"8164:UDP"= 8164:UDP:BitComet 8164 UDP
"65533:TCP"= 65533:TCP:BitComet 65533 TCP
"65533:UDP"= 65533:UDP:BitComet 65533 UDP

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/06/2009 22:16 130936]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [03/04/2008 21:11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03/04/2008 21:11 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [25/07/2008 21:16 210216]
R3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [08/10/2007 18:39 146112]
R3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [08/10/2007 18:39 6272]
S2 0236581237916216mcinstcleanup;McAfee Application Installer Cleanup (0236581237916216);c:\windows\TEMP\023658~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\023658~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c996c2fdc82446;Google Update Service (gupdate1c996c2fdc82446);c:\program files\Google\Update\GoogleUpdate.exe [24/02/2009 22:00 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [06/02/2008 22:55 348752]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-15 17:35]

2009-06-14 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:00]

2009-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1844823847-725345543-1004.job
- c:\documents and settings\Blacklock\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-18 23:15]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B744ED6D-2CA3-44DF-83BB-75A8BE1EE631} - c:\windows\system32\mljgh.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: runaware.com\www
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-14 19:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(156)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Google\Quick Search Box\bin\1.1.1038.9122\qsb.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\CF3329.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2009-06-14 20:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-14 19:07

Pre-Run: 75,231,420,416 bytes free
Post-Run: 75,043,115,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

234 --- E O F --- 2009-06-14 19:04
Dave
Regular Member
 
Posts: 19
Joined: February 17th, 2008, 5:32 pm

Re: Possible Spyware Hijack

Unread postby jmw3 » June 14th, 2009, 5:53 pm

Hi
There was another Java entry - Java (TM) 6 Update 14. Should I remove this as well?
No, leave that one. It's the current version of Java.

ComboFix resets a lot of Windows features back to the default settings, that's why you now have the Internet Explorer icon on the desktop. I'm pretty sure that IE would not have been moved there. Its default location is C:\Program Files\Internet Explorer. Right click on the IE icon, then choose Properties. Under the General tab look to see what is listed in the Type of file:. Under the Shortcut tab have a look to see what is listed in the Target: box.

I haven't restarted Spyware Doctor, Windows Defender or S & D Tea Timer yet. Winpatrol and Avast have restarted after reboot.
OK... no worries. Leave Spyware Doctor, Defender & TeaTimer disabled for the time being. You may need to disable WinPatrol & Avast again for ComboFix.

View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

Upload Files for Scanning
Go to VirSCAN & upload the following File/s for scanning.
  • Copy & paste the following File & Path in the text box next to the Browse button.
    Code:
    c:\windows\system32\CF3329.exe
  • Click Upload.
  • Wait for scans to finish then copy & paste the results into your next reply.
CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code:
Folder::
c:\program files\BitComet
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10808:TCP"=-
"10808:UDP"=-
"8164:TCP"=-
"8164:UDP"=-
"65533:TCP"=-
"65533:UDP"=-
DDS::
Trusted Zone: runaware.com\www

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
To post in next reply:
VirSCAN results log
ComboFix log
Kaspersky Scan log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
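
The CFScript above removes things that were read straight off the ComboFix log posted earlier in the thread: the BitComet port openings under GloballyOpenPorts, the Trusted Zone entry, and (pending the VirSCAN result) the unknown c:\windows\system32\CF3329.exe. That reading can be done mechanically. The Python script below is an added example for this thread; it is not ComboFix's code and not a MalwareRemoval.com tool. It parses the line formats visible in the logs above (REGEDIT4 [key] blocks, "name"="path" [date size] autostart values, "port:proto"= firewall entries, S2 name;display;image service lines and the ORPHANS REMOVED block) and lists, read-only, the items a helper looks at first. The sample log is constructed from lines of this thread, and the flagging heuristics (images under \temp\ or a user profile, the [?] suffix ComboFix printed instead of a date and size for the McAfee cleanup service, anything in the orphans block, every globally opened port) are the example's own, not a claim about how ComboFix or the helpers decide what to remove.

```python
"""Read-only triage of the sections found in a ComboFix log.

Added example for this thread; it is not ComboFix code and not a
MalwareRemoval.com tool. The line formats are assumed from the logs quoted
in the thread, and the flagging heuristics are the example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log, assembled from lines of the logs posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Blacklock\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-18 133104]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10808:TCP"= 10808:TCP:BitComet 10808 TCP
"65533:UDP"= 65533:UDP:BitComet 65533 UDP

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/06/2009 22:16 130936]
S2 0236581237916216mcinstcleanup;McAfee Application Installer Cleanup (0236581237916216);c:\windows\TEMP\023658~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B744ED6D-2CA3-44DF-83BB-75A8BE1EE631} - c:\windows\system32\mljgh.dll

.
------- Supplementary Scan -------
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# "name"="value" [date size]   or   "name"="short.exe" - c:\resolved\path.exe [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
                    r"(?: - (?P<resolved>.*?))?\s*\[(?P<date>\S+) (?P<size>\d+)\]$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
ORPHAN_MARK = "ORPHANS REMOVED"
# Directories a persistent image normally has no business living in (heuristic).
WRITABLE_DIRS = ("\\temp\\", "\\documents and settings\\")


@dataclass(frozen=True)
class Finding:
    kind: str    # category of the observation
    detail: str  # the log content it was derived from


def parse_sections(text):
    """Return {key: [value lines]} for each REGEDIT4-style [key] block; a blank line ends a block."""
    sections, key = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            sections[key] = []
        elif not line.strip():
            key = None
        elif key is not None:
            sections[key].append(line)
    return sections


def run_entries(sections):
    """(key, value name, resolved image path) for every value under a ...\\Run key."""
    out = []
    for key, lines in sections.items():
        if not key.lower().endswith("\\run"):
            continue
        for m in filter(None, map(RUN_RE.match, lines)):
            out.append((key, m.group("name"), m.group("resolved") or m.group("value")))
    return out


def open_ports(sections):
    """(port, protocol, description) for every GloballyOpenPorts value."""
    out = []
    for key, lines in sections.items():
        if "globallyopenports" not in key.lower():
            continue
        for m in filter(None, map(PORT_RE.match, lines)):
            out.append((int(m.group("port")), m.group("proto"), m.group("desc").strip()))
    return out


def services(text):
    """Service/driver lines (R0..S3) as dicts with start type, name, display name and image."""
    return [m.groupdict() for m in map(SERVICE_RE.match, text.splitlines()) if m]


def orphans(text):
    """Loading points listed under ORPHANS REMOVED, up to the next '.' separator."""
    out, active = [], False
    for line in text.splitlines():
        if ORPHAN_MARK in line:
            active = True
        elif active:
            if line.strip() == "." or line.startswith("-------"):
                break
            if line.strip():
                out.append(line.strip())
    return out


def triage(text):
    """Collect the observations a helper reads first; nothing on the system is touched."""
    sections = parse_sections(text)
    findings = [Finding("orphan-loading-point", line) for line in orphans(text)]
    for svc in services(text):
        image = svc["image"]
        if image.rstrip().endswith("[?]"):
            findings.append(Finding("service-unverified", f'{svc["name"]}: {image}'))
        if any(d in image.lower() for d in WRITABLE_DIRS):
            findings.append(Finding("service-in-writable-dir", f'{svc["name"]}: {image}'))
    for _key, name, path in run_entries(sections):
        if any(d in path.lower() for d in WRITABLE_DIRS):
            findings.append(Finding("autostart-in-profile", f"{name}: {path}"))
    for port, proto, desc in open_ports(sections):
        findings.append(Finding("firewall-open-port", f"{port}/{proto} ({desc})"))
    return findings


def summary(text):
    """Count of findings per kind, handy for a first glance at a long log."""
    return dict(Counter(f.kind for f in triage(text)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```

Every item the script prints is something to look up, not something to delete: a user-profile autostart such as Google Update is legitimate here, and the orphaned BHO had already been removed by ComboFix. The value of running it over a real log is that it never misses a globally opened port or an unverifiable service image the way a tired eye does.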

Re: Possible Spyware Hijack

Unread postby Dave » June 15th, 2009, 4:07 pm

Ok
Here are the logs

Couple of points to note
My email account settings have been wiped from Outlook Express. Can I restore them?

I can't get Kaspersky scanner to run.
I clicked accept and then run when the box opened, but it sits there at
"Downloading and installing the program .....0%"
Left it for 30 mins but no change.

Here are the other Logs
VirSCAN.org Scanned Report :
Scanned time : 2009/06/05 05:31:50 (BST)
Scanner results: 79% Scanner(30/38) found malware!
File Name : 1.html
File Size : 4037 byte
File Type : Sendmail frozen configuration - version body bgcolor=
MD5 : 4a2514195555a43458b4e087d29124be
SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c
Online report : http://virscan.org/report/e8541b64f8b1b ... fd4d2.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090604013225 2009-06-04 2.05 Virus.Win32.Killmbr.D!IK
AhnLab V3 2009.06.05.00 2009.06.05 2009-06-05 0.74 Win-Trojan/Dialer.712704.B
AntiVir 8.2.0.180 7.1.4.59 2009-06-04 0.55 KIT/GhostDial.1
Antiy 2.0.18 20090604.2498051 2009-06-04 0.15 Trojan/Win32.Dialer.gvg
Arcavir 2009 200906041608 2009-06-04 0.39 Dialer.Bib
Authentium 5.1.1 200906041652 2009-06-04 1.18 W32/Trojan2.DOJN (Exact)
AVAST! 4.7.4 090604-0 2009-06-04 0.05 Win32:Dialer-1314 [Trj]
AVG 8.5.286 270.12.53/2155 2009-06-05 0.37 Dialer.KNV
BitDefender 7.81008.3335505 7.25811 2009-06-05 0.75 Trojan.Generic.1004008
CA (VET) 9.0.0.143 31.6.6539 2009-06-05 9.17 -
ClamAV 0.95.1 9421 2009-06-05 0.18 Dialer-3765
Comodo 3.9 1259 2009-06-04 0.74 ApplicUnwnt.Win32.PornTool.Agent.fi
CP Secure 1.1.0.715 2009.06.03 2009-06-03 9.97 -
Dr.Web 4.44.0.9170 2009.06.05 2009-06-05 4.85 BackDoor.Pigeon.12989
F-Prot 4.4.4.56 20090604 2009-06-04 1.15 W32/Trojan2.DOJN (exact)
F-Secure 5.51.6100 2009.06.05.03 2009-06-05 5.79 -
Fortinet 2.81-3.117 10.466 2009-06-04 0.35 Suspicious
GData 19.5615/19.353 20090605 2009-06-05 4.39 Win32:Dialer-1313 [Trj] [Engine:B]
ViRobot 20090604 2009.06.04 2009-06-04 0.42 -
Ikarus T3.1.01.57 2009.06.03.72814 2009-06-03 3.11 Virus.Win32.Killmbr.D
JiangMin 11.0.706 2009.06.03 2009-06-03 2.07 Trojan/Dialer.gnc
Kaspersky 5.5.10 2009.06.05 2009-06-05 0.08 not-a-virus:Porn-Dialer.Win32.Agent.fi
KingSoft 2009.2.5.15 2009.6.4.21 2009-06-04 0.51 Win32.Hack.ReSSDT.c.716800
McAfee 5.3.00 5636 2009-06-04 2.97 BackDoor-DSQ
Microsoft 1.4701 2009.06.04 2009-06-04 4.29 Backdoor:Win32/Farfli.J
mks_vir 2.01 2009.06.05 2009-06-05 3.35 -
Norman 6.01.05 6.01.00 2009-06-02 4.01 W32/Dialer.DHRP
Panda 9.05.01 2009.06.04 2009-06-04 1.86 -
Trend Micro 8.700-1004 6.170.08 2009-06-04 0.06 TROJ_DIAL.RHB
Quick Heal 10.00 2009.06.05 2009-06-05 1.37 -
Rising 20.0 21.32.34.00 2009-06-04 0.99 Backdoor.Win32.Drwolf.axh
Sophos 2.87.1 4.42 2009-06-05 2.44 Mal/Whybo-A
Sunbelt 5170 5170 2009-06-04 0.94 Porn-Dialer.Win32.Agent.fi
Symantec 1.3.0.24 20090604.002 2009-06-04 0.06 -
nProtect 20090604.01 4070376 2009-06-04 5.23 Trojan/W32.Dialer.712704
The Hacker 6.3.4.3 v00340 2009-06-04 0.63 Trojan/Dialer.Agent.fi
VBA32 3.12.10.6 20090604.1412 2009-06-04 1.96 Porn-Dialer.Win32.Agent.fi
VirusBuster 4.5.11.10 10.107.2/1575686 2009-06-04 1.90 Dialer.Agent.IFEU


ComboFix 09-06-13.09 - Blacklock 15/06/2009 20:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.474 [GMT 1:00]
Running from: c:\documents and settings\Blacklock\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Blacklock\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090615-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BitComet
c:\program files\BitComet\BitComet.xml
c:\program files\BitComet\Downloads.xml
c:\program files\BitComet\Favourite.xml
c:\program files\BitComet\rules\dhtnodes.dat
c:\program files\BitComet\share\my_shares.xml
c:\program files\BitComet\torrents\2008 - David Cook.torrent
c:\program files\BitComet\torrents\2008 - David Cook.xml
c:\program files\BitComet\torrents\Coldplay - Viva La Vida 2008.torrent
c:\program files\BitComet\torrents\Coldplay - Viva La Vida 2008.xml
c:\program files\BitComet\torrents\Counting_Crows-Saturday_Nights_And_Sunday_Mornings-2008-COLORBLiND.torrent
c:\program files\BitComet\torrents\Counting_Crows-Saturday_Nights_And_Sunday_Mornings-2008-COLORBLiND.xml
c:\program files\BitComet\torrents\David Cook.torrent
c:\program files\BitComet\torrents\David Cook.xml
c:\program files\BitComet\torrents\HIDE IP NG v1.12 with serial key.torrent
c:\program files\BitComet\torrents\HIDE IP NG v1.12 with serial key.xml
c:\program files\BitComet\torrents\The Kooks-Konk Special Limited Edition 2CD (with covers) a DHZ.Inc Release.torrent
c:\program files\BitComet\torrents\The Kooks-Konk Special Limited Edition 2CD (with covers) a DHZ.Inc Release.xml
c:\program files\BitComet\torrents\The_Killers_Day_and_Age_2008-TL.torrent
c:\program files\BitComet\torrents\The_Killers_Day_and_Age_2008-TL.xml
c:\program files\BitComet\torrents\WinAVI Video Converter 9.0+ Serial.torrent
c:\program files\BitComet\torrents\WinAVI Video Converter 9.0+ Serial.xml

.
((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-11 21:41 . 2009-06-11 21:41 -------- d-----w- c:\documents and settings\Blacklock\Application Data\Malwarebytes
2009-06-11 21:40 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 21:40 . 2009-06-11 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-11 21:40 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 21:16 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-11 21:16 . 2009-04-03 10:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-11 21:16 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-11 21:16 . 2009-06-11 21:17 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-11 21:16 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-11 21:15 . 2009-06-11 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-10 17:01 . 2009-06-10 17:01 152576 ----a-w- c:\documents and settings\Blacklock\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-08 21:38 . 2009-06-08 21:38 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 19:25 . 2007-10-04 22:02 -------- d-----w- c:\documents and settings\Blacklock\Application Data\Skype
2009-06-15 18:35 . 2007-09-15 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-15 17:13 . 2007-11-28 19:49 -------- d-----w- c:\documents and settings\Blacklock\Application Data\skypePM
2009-06-14 17:54 . 2007-10-21 20:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-14 09:52 . 2008-11-26 19:19 -------- d-----w- c:\program files\Java
2009-06-12 20:58 . 2008-11-24 19:12 -------- d-----w- c:\documents and settings\Blacklock\Application Data\U3
2009-06-12 17:54 . 2007-09-15 18:35 -------- d-----w- c:\program files\Spyware Doctor
2009-06-11 21:17 . 2007-11-18 21:39 -------- d-----w- c:\program files\TomTom HOME 2
2009-06-11 19:29 . 2007-09-15 18:34 -------- d-----w- c:\program files\Google
2009-06-09 11:06 . 2008-02-17 15:09 -------- d-----w- c:\program files\a-squared Free
2009-06-08 21:36 . 2008-07-26 07:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-08 20:25 . 2008-06-15 16:16 -------- d-----w- c:\program files\SpywareBlaster
2009-05-21 10:33 . 2008-11-28 22:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 20:03 . 2007-09-16 01:15 -------- d-----w- c:\program files\Microsoft Works
2009-04-26 19:07 . 2007-09-16 01:24 -------- d-----w- c:\program files\Microsoft Home Publishing 2000
2009-04-20 15:22 . 2008-11-26 19:38 1 ----a-w- c:\documents and settings\Blacklock\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-11 21:23 . 2009-04-11 21:23 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-08 21:25 . 2009-04-08 21:25 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-03-31 17:19 . 2009-03-31 17:19 152576 ----a-w- c:\documents and settings\Blacklock\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-14_18.59.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-15 17:11 . 2009-06-15 17:11 16384 c:\windows\Temp\Perflib_Perfdata_a98.dat
+ 2009-06-15 17:11 . 2009-06-15 17:11 16384 c:\windows\Temp\Perflib_Perfdata_5b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-12-09 234856]
"Google Update"="c:\documents and settings\Blacklock\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-18 133104]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-03-11 24095528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"V0220Mon.exe"="c:\windows\V0220Mon.exe" [2006-06-28 32768]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-09 53340]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-10-19 20480]
"LyraHD2TrayApp"="c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" [2004-05-13 286720]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-07 337216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-11 68592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-05-06 405504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{F128BA10-362E-11D3-81AB-00C04FB932BA}\4EBD23F5.exe [2007-9-16 29184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/06/2009 22:16 130936]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [03/04/2008 21:11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03/04/2008 21:11 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [25/07/2008 21:16 210216]
R3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [08/10/2007 18:39 146112]
R3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [08/10/2007 18:39 6272]
S2 0236581237916216mcinstcleanup;McAfee Application Installer Cleanup (0236581237916216);c:\windows\TEMP\023658~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\023658~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c996c2fdc82446;Google Update Service (gupdate1c996c2fdc82446);c:\program files\Google\Update\GoogleUpdate.exe [24/02/2009 22:00 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [06/02/2008 22:55 348752]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-15 17:35]

2009-06-15 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:00]

2009-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1844823847-725345543-1004.job
- c:\documents and settings\Blacklock\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-18 23:15]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B744ED6D-2CA3-44DF-83BB-75A8BE1EE631} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 20:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-15 20:29
ComboFix-quarantined-files.txt 2009-06-15 19:29

Pre-Run: 75,084,152,832 bytes free
Post-Run: 75,105,648,640 bytes free

203 --- E O F --- 2009-06-14 19:04
Dave
Regular Member
 
Posts: 19
Joined: February 17th, 2008, 5:32 pm

Re: Possible Spyware Hijack

Unread postby jmw3 » June 15th, 2009, 8:52 pm

My email account settings have been wiped from Outlook Express. Can I restore them?
Download/run this file - http://download.bleepingcomputer.com/sUBs/MiniFixes/RestoreOEAccMgr.exe
It shouldn't take more than a few moments to complete running. When finished, it shall produce a log called Before_and_After.txt
Then launch OE to check if it's okay now. Post the log the tool produces.

OTM
Download OTM by OldTimer Here & save it to your desktop.
  • Double click on OTM.exe to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error
Code:
:Files
c:\windows\system32\CF3329.exe
:Commands
[Purity]
[EmptyTemp]
[Reboot]

  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

See if you have more luck with this online scan:

ESET Online Scanner:
Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic
To post in next reply:
OTM log
ESET log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
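
The Before_and_After.txt that the tool linked above writes is a REGEDIT4-format registry export (Dave's reply below quotes it), and values such as "LDAP Logo" come out as hex(2) byte lists that are unreadable as posted. The Python decoder below is an added example, not part of this thread, of RestoreOEAccMgr or of any MalwareRemoval.com tool. It assumes only the REGEDIT4 file conventions: a backslash at the end of a line continues the value onto the next line, dword values are printed as hexadecimal, and hex(2) / hex(7) data (REG_EXPAND_SZ / REG_MULTI_SZ) is ANSI text in this format, not the UTF-16LE used by "Windows Registry Editor Version 5.00" exports. The sample export is constructed from the Bigfoot block of the log quoted below; a value written as "=-", the form the CFScript earlier in the thread uses, is reported as a deletion.

```python
"""Decode a REGEDIT4-format registry export into readable Python values.

Added example for this thread; not part of RestoreOEAccMgr, ComboFix or any
MalwareRemoval.com tool. Assumes REGEDIT4 conventions: '\\' at end of line
continues a value, and hex(2)/hex(7) data is ANSI text (the 'Windows Registry
Editor Version 5.00' format stores those as UTF-16LE instead).
"""
import re

# Constructed sample, taken from the Before_and_After.txt excerpt quoted in this thread.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\Bigfoot]
"LDAP Server ID"=dword:00000001
"Account Name"="Bigfoot Internet Directory Service"
"LDAP Server"="ldap.bigfoot.com"
"LDAP Simple Search"=dword:00000001
"LDAP Logo"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,\
6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,62,69,67,66,6f,6f,74,2e,\
62,6d,70,00

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts]
"AssociatedID"=hex:ec,fe,ca,c9,43,6e,f2,45,94,86,b3,3d,86,dc,52,16
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# "name"=data   or   @=data (the key's default value); quotes inside names are escaped as \"
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<kind>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")

REG_EXPAND_SZ, REG_BINARY, REG_MULTI_SZ = 2, 3, 7


def _join_continuations(text):
    """Merge every line ending in a backslash with the line that follows it."""
    lines, buf = [], ""
    for line in text.splitlines():
        if buf:
            line = buf + line.strip()
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        lines.append(line)
    if buf:
        lines.append(buf)
    return lines


def _unescape(s):
    """REGEDIT strings escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r"\1", s)


def decode_value(data, encoding="cp1252"):
    """Turn the right-hand side of a REGEDIT4 value line into a Python value.

    '-' means 'delete this value' (the form used in ComboFix scripts) and
    decodes to None; unknown forms are handed back as the raw text.
    """
    if data == "-":
        return None
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
        kind = int(m.group("kind") or "3", 16)
        if kind == REG_EXPAND_SZ:
            return raw.decode(encoding).rstrip("\x00")
        if kind == REG_MULTI_SZ:
            return [s for s in raw.decode(encoding).split("\x00") if s]
        return raw  # REG_BINARY and any other type stays as bytes
    return data


def parse_reg(text, encoding="cp1252"):
    """Return {key path: {value name: decoded data}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        km = KEY_RE.match(line)
        if km:
            current = keys.setdefault(km.group("key"), {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = vm.group("name") if vm.group("name") is not None else "@"
            current[name] = decode_value(vm.group("data"), encoding)
    return keys


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key)
        for name, value in values.items():
            print(f"    {name} = {value!r}")
```

Decoded, the Bigfoot "LDAP Logo" value is simply %ProgramFiles%\Common Files\Services\bigfoot.bmp, which is what one wants to know when checking a before/after export for anything that does not belong: a REG_EXPAND_SZ pointing at a .bmp under Program Files is benign, whereas the same value type is worth a second look when it resolves to an executable in a temporary directory.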

Re: Possible Spyware Hijack

Unread postby Dave » June 16th, 2009, 3:32 pm

Ok
E mail settings restored.
Here are the logs

Before and After##

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\internet account manager]
"Server ID"=dword:00000004
"Default LDAP Account"="Active Directory GC"

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts]
"AssociatedID"=hex:ec,fe,ca,c9,43,6e,f2,45,94,86,b3,3d,86,dc,52,16
"PreConfigVer"=dword:00000004
"PreConfigVerNTDS"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\Active Directory GC]
"LDAP Server ID"=dword:00000000
"Account Name"="Active Directory"
"LDAP Server"="NULL"
"LDAP Search Return"=dword:00000064
"LDAP Timeout"=dword:0000003c
"LDAP Authentication"=dword:00000002
"LDAP Simple Search"=dword:00000000
"LDAP Bind DN"=dword:00000000
"LDAP Port"=dword:00000cc4
"LDAP Resolve Flag"=dword:00000001
"LDAP Secure Connection"=dword:00000000
"LDAP User Name"="NULL"
"LDAP Search Base"="NULL"

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\Bigfoot]
"LDAP Server ID"=dword:00000001
"Account Name"="Bigfoot Internet Directory Service"
"LDAP Server"="ldap.bigfoot.com"
"LDAP URL"="http://www.bigfoot.com"
"LDAP Search Return"=dword:00000064
"LDAP Timeout"=dword:0000003c
"LDAP Authentication"=dword:00000000
"LDAP Simple Search"=dword:00000001
"LDAP Logo"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,\
6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,62,69,67,66,6f,6f,74,2e,\
62,6d,70,00

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\VeriSign]
"LDAP Server ID"=dword:00000002
"Account Name"="VeriSign Internet Directory Service"
"LDAP Server"="directory.verisign.com"
"LDAP URL"="http://www.verisign.com"
"LDAP Search Return"=dword:00000064
"LDAP Timeout"=dword:0000003c
"LDAP Authentication"=dword:00000000
"LDAP Search Base"="NULL"
"LDAP Simple Search"=dword:00000001
"LDAP Logo"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,\
6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,76,65,72,69,73,69,67,6e,\
2e,62,6d,70,00

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\WhoWhere]
"LDAP Server ID"=dword:00000003
"Account Name"="WhoWhere Internet Directory Service"
"LDAP Server"="ldap.whowhere.com"
"LDAP URL"="http://www.whowhere.com"
"LDAP Search Return"=dword:00000064
"LDAP Timeout"=dword:0000003c
"LDAP Authentication"=dword:00000000
"LDAP Simple Search"=dword:00000001
"LDAP Logo"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,\
6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,77,68,6f,77,68,65,72,65,\
2e,62,6d,70,00


-------------- AFTER -----------

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\internet account manager]
"Server ID"=dword:00000004
"Default LDAP Account"="Active Directory GC"
"Account Name"=dword:00000005
"Default Mail Account"="00000004"

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts]
"AssociatedID"=hex:ec,fe,ca,c9,43,6e,f2,45,94,86,b3,3d,86,dc,52,16
"PreConfigVer"=dword:00000004
"PreConfigVerNTDS"=dword:00000001
"ConnectionSettingsMigrated"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\00000004]
"Account Name"="pop.googlemail.com"
"Connection Type"=dword:00000000
"POP3 Server"="pop.googlemail.com"
"POP3 User Name"="d.d.blacklock@googlemail.com"
"POP3 Password2"=hex:01,02,70,00,6f,00,70,00,2e,00,67,00,6f,00,6f,00,67,00,6c,\
00,65,00,6d,00,61,00,69,00,6c,00,2e,00,63,00,6f,00,6d,00,46,00,37,00,35,00,\
35,00,37,00,31,00,46,00,30,00,00,00
"POP3 Prompt for Password"=dword:00000000
"SMTP Server"="smtp.googlemail.com"
"SMTP Display Name"="David Blacklock"
"SMTP Email Address"="d.d.blacklock@googlemail.com"
"POP3 Skip Account"=dword:00000000
"POP3 Port"=dword:000003e3
"POP3 Secure Connection"=dword:00000001
"POP3 Timeout"=dword:0000003c
"Leave Mail On Server"=dword:00000000
"SMTP User Name"="d.d.blacklock@googlemail.com"
"SMTP Password2"=hex:01,02,70,00,6f,00,70,00,2e,00,67,00,6f,00,6f,00,67,00,6c,\
00,65,00,6d,00,61,00,69,00,6c,00,2e,00,63,00,6f,00,6d,00,38,00,43,00,36,00,\
34,00,35,00,31,00,44,00,30,00,00,00
"SMTP Use Sicily"=dword:00000003
"SMTP Port"=dword:000001d1
"SMTP Secure Connection"=dword:00000001
"SMTP Timeout"=dword:0000003c
"SMTP Split Messages"=dword:00000000
"SMTP Prompt for Password"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\Active Directory GC]
"LDAP Server ID"=dword:00000000
"Account Name"="Active Directory"
"LDAP Server"="NULL"
"LDAP Search Return"=dword:00000064
"LDAP Timeout"=dword:0000003c
"LDAP Authentication"=dword:00000002
"LDAP Simple Search"=dword:00000000
"LDAP Bind DN"=dword:00000000
"LDAP Port"=dword:00000cc4
"LDAP Resolve Flag"=dword:00000001
"LDAP Secure Connection"=dword:00000000
"LDAP User Name"="NULL"
"LDAP Search Base"="NULL"

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\Bigfoot]
"LDAP Server ID"=dword:00000001
"Account Name"="Bigfoot Internet Directory Service"
"LDAP Server"="ldap.bigfoot.com"
"LDAP URL"="http://www.bigfoot.com"
"LDAP Search Return"=dword:00000064
"LDAP Timeout"=dword:0000003c
"LDAP Authentication"=dword:00000000
"LDAP Simple Search"=dword:00000001
"LDAP Logo"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,\
6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,62,69,67,66,6f,6f,74,2e,\
62,6d,70,00

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\VeriSign]
"LDAP Server ID"=dword:00000002
"Account Name"="VeriSign Internet Directory Service"
"LDAP Server"="directory.verisign.com"
"LDAP URL"="http://www.verisign.com"
"LDAP Search Return"=dword:00000064
"LDAP Timeout"=dword:0000003c
"LDAP Authentication"=dword:00000000
"LDAP Search Base"="NULL"
"LDAP Simple Search"=dword:00000001
"LDAP Logo"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,\
6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,76,65,72,69,73,69,67,6e,\
2e,62,6d,70,00

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\WhoWhere]
"LDAP Server ID"=dword:00000003
"Account Name"="WhoWhere Internet Directory Service"
"LDAP Server"="ldap.whowhere.com"
"LDAP URL"="http://www.whowhere.com"
"LDAP Search Return"=dword:00000064
"LDAP Timeout"=dword:0000003c
"LDAP Authentication"=dword:00000000
"LDAP Simple Search"=dword:00000001
"LDAP Logo"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,\
6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,77,68,6f,77,68,65,72,65,\
2e,62,6d,70,00

OTM##

========== FILES ==========
File/Folder c:\windows\system32\CF3329.exe not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\Google Toolbar\gtbF.tmp.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\etilqs_dxt6os2gYbue9BUknh0n scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\etilqs_wtPNVmBeZkyGJwJykYAT scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\GoogleQuickSearchBox.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\~DF3CCC.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\~DF3CF1.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\~DF40A9.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\~DFB5D1.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Blacklock\Local Settings\Temporary Internet Files\Content.IE5\3QOA123A\viewtopic[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Blacklock\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Blacklock\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Google Toolbar\gtm10.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\GoogleToolbarInstaller2.log scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5b8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b38.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_JgLcRfGpULKwuU2 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_nhOjQ68OLmf0bop scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_RZod1Nv9e4iqblr scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTM by OldTimer - Version 2.1.0.1 log created on 06162009_190641

Files moved on Reboot...
File C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\Google Toolbar\gtbF.tmp.exe not found!
File C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\etilqs_dxt6os2gYbue9BUknh0n not found!
File C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\etilqs_wtPNVmBeZkyGJwJykYAT not found!
C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\GoogleQuickSearchBox.log moved successfully.
C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\hpodvd09.log moved successfully.
File C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\~DF3CCC.tmp not found!
File C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\~DF3CF1.tmp not found!
C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\~DF40A9.tmp moved successfully.
File C:\DOCUME~1\BLACKL~1\LOCALS~1\Temp\~DFB5D1.tmp not found!
C:\Documents and Settings\Blacklock\Local Settings\Temporary Internet Files\Content.IE5\3QOA123A\viewtopic[2].htm moved successfully.
C:\Documents and Settings\Blacklock\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File C:\WINDOWS\temp\Google Toolbar\gtm10.tmp not found!
C:\WINDOWS\temp\GoogleToolbarInstaller2.log moved successfully.
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_5b8.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_b38.dat not found!
C:\WINDOWS\temp\sqlite_JgLcRfGpULKwuU2 moved successfully.
C:\WINDOWS\temp\sqlite_nhOjQ68OLmf0bop moved successfully.
C:\WINDOWS\temp\sqlite_RZod1Nv9e4iqblr moved successfully.

Registry entries deleted on Reboot...

Eset Log##

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=201532881d63b041b0eaf0ae80ce6a11
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-06-16 07:25:28
# local_time=2009-06-16 08:25:28 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=769 37 100 100 44533593750
# compatibility_mode=5889 61 66 100 696343386718750
# scanned=98641
# found=6
# cleaned=0
# scan_time=4063
C:\Documents and Settings\Blacklock\My Documents\Downloads\Hide IP Platinum 2006 2.9 + key gen.rar multiple threats 00000000000000000000000000000000
C:\Documents and Settings\Blacklock\My Documents\Downloads\Nero-7.10.1.0_eng_update.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000
C:\Documents and Settings\Blacklock\My Documents\Downloads\WinAVI.Video.Converter.7.7\keygen.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\agfluifa.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\bgxsihek.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\hgjlm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
Dave
Regular Member
Posts: 19
Joined: February 17th, 2008, 5:32 pm
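The Before/After log above is two REGEDIT4 snapshots of the Internet Account Manager key, and the useful signal is what changed between them (here, the restored pop.googlemail.com account under Accounts\00000004). The following Python is an added example, not a tool from this thread or from OldTimer: it parses both exports, joins the backslash-continued hex values, reports added keys and changed values, decodes the hex(2) logo paths, and masks the Password2 blobs so such a diff can be pasted into a public thread without leaking stored credentials. The sample input is a constructed, trimmed copy of the export above.

```python
import re
# Constructed sample input: a trimmed version of the Before/After export posted above.
BEFORE = r'''REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\internet account manager]
"Server ID"=dword:00000004
'''

AFTER = r'''REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\internet account manager]
"Server ID"=dword:00000004
"Default Mail Account"="00000004"

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\00000004]
"POP3 Server"="pop.googlemail.com"
"POP3 Password2"=hex:01,02,70,00,6f,00,70,00,2e,00,67,00,6f,00,6f,00,67,00,6c,\
00,65,00,6d,00,61,00,69,00,6c,00
"POP3 Port"=dword:000003e3

[HKEY_CURRENT_USER\software\microsoft\internet account manager\Accounts\Bigfoot]
"LDAP Logo"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,\
6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,62,69,67,66,6f,6f,74,2e,\
62,6d,70,00
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data


def parse_reg(text):
    """Parse REGEDIT4 text into {key path: {value name: raw data}}; joins hex continuations."""
    tree, key, pending = {}, None, None      # pending: value whose hex data continues
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            tree[key][pending] += line.rstrip("\\").strip()
            if not line.endswith("\\"):
                pending = None
            continue
        if not line or line == "REGEDIT4" or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:
            raise ValueError(f"unparsable line: {raw!r}")
        name, data = m.group(1), m.group(2)
        if data.endswith("\\"):
            pending, data = name, data[:-1]
        tree[key][name] = data.strip()
    return tree


def decode_expand_sz(data):
    """Decode a hex(2) value (REG_EXPAND_SZ, stored as ANSI bytes in REGEDIT4) to text."""
    if not data.startswith("hex(2):"):
        return None
    raw = bytes(int(h, 16) for h in data[len("hex(2):"):].split(",") if h)
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def diff_reg(before, after):
    """Return (added keys, removed keys, changed values) between two parsed exports."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = []
    for key in sorted(set(before) & set(after)):
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                changed.append((key, name, b.get(name), a.get(name)))
    return added, removed, changed


def redact(name, data):
    """Mask credential-bearing values so a diff can be pasted into a public thread."""
    return "<redacted>" if data is not None and "password" in name.lower() else data


if __name__ == "__main__":
    before, after = parse_reg(BEFORE), parse_reg(AFTER)
    added, removed, changed = diff_reg(before, after)
    print("added keys:", added, "removed keys:", removed)
    print("changed:", [(k, n, redact(n, o), redact(n, w)) for k, n, o, w in changed])
    print("Bigfoot logo:", decode_expand_sz(after[added[1]]["LDAP Logo"]))
```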

Re: Possible Spyware Hijack

Unread postby jmw3 » June 16th, 2009, 8:06 pm

Hide IP Platinum | WinAVI Video Converter

This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Before posting for help, uninstall any such applications.

Referring to the Forum Rules which you should have read at the time of Registering at this forum, Malware Removal does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

In 2006, a study revealed that 59% of keygens and crack tools downloaded from peer-to-peer networks contained malicious or "unwanted" software.

More information:
Illegal Copies of Software

If you still want me to help you I suggest you purchase a legal copy of the software or remove ALL cracked software from your computer.
NOTE: If you give me advice that the software has been removed & I find it has not (the tools we use can & will detect it) then I will have no choice but to have this thread closed.
Please decide what you are going to do & let me know.
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Possible Spyware Hijack

Unread postby Dave » June 17th, 2009, 3:27 pm

Ok
As far as I can tell I have removed WinAVI. Please let me know if there is anything else I need to do, as I could not find Hide IP as an installed program; it was only present in the folder listed in the ESET report and is now deleted.

After looking at the log I notice Nero is mentioned with these two programs above. Nero is legitimate and was downloaded via a link from Nero support after the OEM version developed a fault.

I believe there are no more of these programs installed, and would appreciate your further assistance.

Thanks
Dave
Regular Member
Posts: 19
Joined: February 17th, 2008, 5:32 pm

Re: Possible Spyware Hijack

Unread postby jmw3 » June 17th, 2009, 7:59 pm

Hi
That file appears to be a setup file for an update to Nero. The reason it was flagged was not due to it being cracked but because Nero now apparently has the option to install the Ask Toolbar. The Ask Toolbar is considered by many to be Adware. Some information:
http://msmvps.com/blogs/donna/archive/2 ... lware.aspx
http://www.calendarofupdates.com/update ... 6253&st=50
http://www.vitalsecurity.org/2009/05/wh ... foxit.html

Malwarebytes' Anti-Malware
  • Open Malwarebytes Anti-Malware, click the Update tab then Check for Updates
  • If an update is found, it will download and install the latest version & data base version
  • Once the program has updated click the Scanner tab, select Perform full scan then click Scan
  • When the scan is complete, click OK, then Show Results to view the results
  • Be sure that everything is checked, and click Remove Selected
  • When completed, a log will open in Notepad. Please copy & paste the log back into your next reply
  • Note: The log is automatically saved by Malwarebytes' Anti-Malware & can be viewed by clicking the Logs tab
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either & let Malwarebytes' Anti-Malware proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.
If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once & it does not need to be reported unless it returns on future reboots.


Rooter.exe
Download Rooter.exe from Here & save it to your desktop.
SCAN
  • Double-click on Rooter.exe on your desktop, to run the tool
  • The Rooter interface will appear, with a variety of options displayed
  • Click on Scan
  • Once the scan has finished a log will open called "Rooter#.txt". The log can also be found at %systemdrive%\Rooter$\Rooter#.txt (# is the number assigned to the report)
  • Click Close to exit the program
  • Copy/paste the contents of Rooter#.txt in your next reply
To post in next reply:
Malwarebytes log
Rooter log
Update on how the computer is running
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Possible Spyware Hijack

Unread postby Dave » June 18th, 2009, 4:13 pm

OK
Here are the Logs

Think I can see some more Keygens in the Rooter Scan and have deleted them at once.

Malwarebytes' Anti-Malware 1.38
Database version: 2304
Windows 5.1.2600 Service Pack 3

18/06/2009 20:53:03
mbam-log-2009-06-18 (20-53-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 181270
Time elapsed: 1 hour(s), 58 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\blacklock\my documents\downloads\SopCast\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Rooter.exe (v1.0.1) by Eric_71
¨
Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3
32_bits - x86 Family 15 Model 107 Stepping 1, AuthenticAMD
¨
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:149 Go - Free:70 Go )
D:\ [CD_Rom]
Z:\ [Network] .. ( Total:0 Go - Free:0 Go )
¨
Scan : 21:00.44
Path : C:\Documents and Settings\Blacklock\Desktop\Rooter.exe
User : Blacklock ( Administrator -> YES )
¨
----------------------\\ Processes
¨
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (608)
______ \??\C:\WINDOWS\system32\csrss.exe (656)
______ \??\C:\WINDOWS\system32\winlogon.exe (680)
______ C:\WINDOWS\system32\services.exe (724)
______ C:\WINDOWS\system32\lsass.exe (736)
______ C:\WINDOWS\system32\svchost.exe (900)
______ C:\WINDOWS\system32\svchost.exe (980)
______ C:\WINDOWS\System32\svchost.exe (1120)
______ C:\WINDOWS\system32\svchost.exe (1228)
______ C:\WINDOWS\system32\svchost.exe (1320)
______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (1360)
______ C:\Program Files\Alwil Software\Avast4\ashServ.exe (1408)
______ C:\WINDOWS\Explorer.EXE (1660)
______ C:\WINDOWS\system32\spoolsv.exe (1904)
______ C:\Program Files\Google\Update\GoogleUpdate.exe (1964)
______ C:\WINDOWS\sttray.exe (880)
______ C:\WINDOWS\system32\RUNDLL32.EXE (916)
______ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (924)
______ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (1016)
______ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (1028)
______ C:\WINDOWS\V0220Mon.exe (1088)
______ C:\Program Files\Creative\Shared Files\CTSched.exe (1184)
______ C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe (1200)
______ C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe (1248)
______ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (1336)
______ C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (1460)
______ C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (1600)
______ C:\Program Files\Java\jre6\bin\jusched.exe (1604)
______ C:\WINDOWS\system32\ctfmon.exe (1652)
______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (1716)
______ C:\Program Files\Messenger\msmsgs.exe (1956)
______ C:\Program Files\TomTom HOME 2\HOMERunner.exe (1984)
______ C:\Documents and Settings\Blacklock\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (136)
______ C:\Program Files\Skype\Phone\Skype.exe (228)
______ C:\WINDOWS\system32\svchost.exe (216)
______ C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (464)
______ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (492)
______ C:\Program Files\a-squared Free\a2service.exe (792)
______ C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe (1024)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1344)
______ C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (1568)
______ C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE (2008)
______ C:\Program Files\Java\jre6\bin\jqs.exe (2168)
______ C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (2272)
______ C:\WINDOWS\system32\nvsvc32.exe (2432)
______ C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe (2440)
______ C:\WINDOWS\system32\HPZipm12.exe (2548)
______ C:\Program Files\CyberLink\Shared files\RichVideo.exe (2596)
______ C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe (2760)
______ C:\WINDOWS\system32\svchost.exe (2808)
______ C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe (2900)
______ C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (3236)
______ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (3384)
______ C:\WINDOWS\System32\alg.exe (3936)
______ C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe (624)
______ C:\Program Files\Skype\Plugin Manager\skypePM.exe (2492)
______ C:\WINDOWS\system32\HPZinw12.exe (804)
______ C:\Program Files\Internet Explorer\iexplore.exe (1076)
______ C:\WINDOWS\system32\wuauclt.exe (3548)
______ C:\Documents and Settings\Blacklock\Desktop\Rooter.exe (1412)
¨
----------------------\\ Device\Harddisk0\
¨
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
¨
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:160031015424)
¨
----------------------\\ Scheduled Tasks
¨
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\Google Software Updater.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachine.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1844823847-725345543-1004.job
C:\WINDOWS\Tasks\SA.DAT
¨
----------------------\\ Registry
¨
¨
----------------------\\ Files & Folders
¨
C:\DOCUME~1\BLACKL~1\My Documents\TomTom\D Brown\TOMTOM\Easyusetools\Progs\keygen6.exe
C:\DOCUME~1\BLACKL~1\My Documents\TomTom\D Brown\TOMTOM\Easyusetools\Progs\tt7_keygen.exe
C:\DOCUME~1\BLACKL~1\My Documents\TomTom\D Brown\TOMTOM\Easyusetools\Progs\tt8_keygen.exe
==> Cracks & Keygens <==
¨
----------------------\\ Scan completed at 21:01.25
¨
C:\Rooter$\Rooter_1.txt - (18/06/2009 | 21:01.25).c
Dave
Regular Member
Posts: 19
Joined: February 17th, 2008, 5:32 pm

Re: Possible Spyware Hijack

Unread postby jmw3 » June 18th, 2009, 4:53 pm

Logs look good. Any problems?
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Possible Spyware Hijack

Unread postby Dave » June 18th, 2009, 6:06 pm

Everything seems to be running OK

Haven't restarted S&D Tea Timer, Spyware Doctor or Windows Defender yet.

Do you have any advice on which spyware/malware programs I should use, as I feel like I have lots of different ones running in the background slowing things up. Some of them never seem to report anything unless running a scan.

Winpatrol is the only one that seems to notify me of potential changes.

I currently have-
Avast Anti Virus
Windows Defender
Spybot S & D
Spyware Doctor
Winpatrol
Spyware Blaster
A - Squared
Malwarebytes

Should I now also delete all apps and logs from my desktop used during this process, e.g. OldTimer, ComboFix, etc.?

Thanks for your help it is much appreciated.
Dave
Regular Member
Posts: 19
Joined: February 17th, 2008, 5:32 pm