I think my browser's been hijacked.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: I think my browser's been hijacked.

Post by dan12 » March 12th, 2009, 9:00 am

BlackLight
  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic together with a new HijackThis log.

Download and Run Gmer

Download Gmer to your Desktop and unzip it to your Desktop.
http://www.gmer.net/gmer.zip

Disconnect from the internet and close running programs.
There is a small chance this application may crash your computer, so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... say OK.
If no warning...
Click the Rootkit/Malware tab.
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
Once done, click the Copy button.
Open Notepad and hit Ctrl+V to paste the log. Save the log to your desktop please.

Click the >>> tab. This will open up all available tabs for you.
Click the Autostart tab, then the Scan button. Once it's done, click the Copy button and paste it into a new Notepad document. Save that document to your desktop please.

Post the above reports.
dan12
MRU Honors Grad Emeritus
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: I think my browser's been hijacked.

Post by rabidmaiden » March 12th, 2009, 8:03 pm

03/12/09 16:41:22 [Info]: BlackLight Engine 2.2.1092 initialized
03/12/09 16:41:22 [Info]: OS: 5.1 build 2600 (Service Pack 3)
03/12/09 16:41:23 [Note]: 7019 4
03/12/09 16:41:23 [Note]: 7005 0
03/12/09 16:41:25 [Error]: 6024 1
03/12/09 16:41:25 [Error]: 6024 1
03/12/09 16:41:25 [Error]: 6024 1
03/12/09 16:41:25 [Error]: 6024 1
03/12/09 16:41:25 [Note]: 7006 0
03/12/09 16:41:25 [Note]: 7022 0
03/12/09 16:41:25 [Note]: 7011 4016
03/12/09 16:41:25 [Note]: 7035 0
03/12/09 16:41:25 [Note]: 7026 0
03/12/09 16:41:25 [Note]: 7026 0
03/12/09 16:41:25 [Error]: 6024 1
03/12/09 16:41:25 [Error]: 6024 1
03/12/09 16:41:25 [Note]: FSRAW library version 1.7.1024
03/12/09 16:53:46 [Note]: 4013 38901
03/12/09 16:53:46 [Note]: 4020 385 655360
03/12/09 16:53:46 [Note]: 4018 385 655360
03/12/09 16:53:46 [Note]: 4013 38901
03/12/09 16:53:46 [Note]: 4020 385 655360
03/12/09 16:53:46 [Note]: 4018 385 655360
03/12/09 20:00:30 [Note]: 7007 0


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:47 PM, on 3/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [AutoTBar] C:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Custo ... anager.CAB
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7920276656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0288599140
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: SUNY Oswego VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10207 bytes
rabidmaiden
Regular Member
 
Posts: 25
Joined: March 8th, 2009, 3:30 pm
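A way to pull out of a HijackThis log the entries a helper reads first, as an added example (not code from this thread and not HijackThis's own code). It parses the "Oxx - ..." item lines and flags the annotations HijackThis itself prints when it cannot resolve something, such as `(file missing)`, `Unknown owner`, `(no name)`, an unresolved `.lnk` target (`= ?`) and `Unknown file in Winsock LSP`; it also always lists O10 and O20 entries, because an LSP is loaded into every socket-using process and a Winlogon Notify DLL is loaded into winlogon.exe. The sample log is a constructed handful of lines modelled on the log above, and the reason strings are this example's wording, not HijackThis output.

```python
"""Triage a HijackThis log: list the entries a helper looks at first.

Added example; not part of the thread and not HijackThis code.
"""
import re

# Constructed sample: a handful of lines modelled on the log above.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"""

# "O4 - HKLM\..\Run: ..." -> section "O4", body "HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Annotations HijackThis itself prints when it cannot resolve something;
# the explanations are this example's wording.
MARKERS = (
    ("(file missing)", "target file absent: orphaned entry, or a sample that removed itself"),
    ("Unknown owner", "service without a vendor string: identify the binary"),
    ("(no name)", "unnamed IE button/menu item: identify the CLSID and DLL"),
    ("= ?", "shortcut target could not be resolved"),
    ("Unknown file in Winsock LSP", "LSP not on HijackThis's known list: identify the DLL"),
)

# Persistence points listed even when nothing is flagged, because of what they load.
ALWAYS_REVIEW = {
    "O10": "Winsock LSP: a DLL loaded into every process that uses sockets",
    "O20": "Winlogon Notify: a DLL loaded into winlogon.exe at logon",
}


def parse_entries(text):
    """Yield (section, body) for each HijackThis item line; skip the process list."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return [(section, reason, body)] for the entries to review first."""
    findings = []
    for section, body in parse_entries(text):
        reasons = [why for marker, why in MARKERS if marker in body]
        if not reasons and section in ALWAYS_REVIEW:
            reasons.append(ALWAYS_REVIEW[section])
        findings.extend((section, why, body) for why in reasons)
    return findings


if __name__ == "__main__":
    for section, why, body in triage(SAMPLE_HJT_LOG):
        print(f"{section:4} {why}\n     {body}")
```

Run against the constructed sample it lists six items: the unresolved BTTray.lnk, the unnamed O9 button, the LSP, the Winlogon Notify DLL, and the AOL ACS service twice (no vendor string and the binary is gone). A flag is a reason to look, not a verdict; the AOL and Spybot entries here are ordinary software.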

Re: I think my browser's been hijacked.

Post by rabidmaiden » March 12th, 2009, 10:03 pm

GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-12 21:57:52
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAAB61F20]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[148] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[148] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[148] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[148] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[148] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[228] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[228] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[228] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[228] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[228] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100331F8
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[388] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10033140
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[388] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10032BA4
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[388] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10032404
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[388] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10032388
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[388] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100330F4
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\System32\svchost.exe[416] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\System32\svchost.exe[416] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\System32\svchost.exe[416] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\System32\svchost.exe[416] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\System32\svchost.exe[416] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[560] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100131F8
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[560] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10013140
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[560] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10012BA4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[560] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10012404
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[560] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10012388
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[560] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100130F4
.text C:\WINDOWS\system32\spoolsv.exe[676] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\system32\spoolsv.exe[676] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\spoolsv.exe[676] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\spoolsv.exe[676] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\spoolsv.exe[676] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\spoolsv.exe[676] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\winlogon.exe[1252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\system32\winlogon.exe[1252] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\winlogon.exe[1252] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\winlogon.exe[1252] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\winlogon.exe[1252] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\winlogon.exe[1252] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\lsass.exe[1308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\system32\lsass.exe[1308] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\lsass.exe[1308] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\lsass.exe[1308] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\lsass.exe[1308] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\lsass.exe[1308] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\system32\svchost.exe[1472] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\svchost.exe[1472] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\svchost.exe[1472] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\svchost.exe[1472] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\svchost.exe[1472] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\system32\svchost.exe[1536] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\svchost.exe[1536] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\svchost.exe[1536] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\svchost.exe[1536] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\svchost.exe[1536] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\System32\svchost.exe[1740] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\System32\svchost.exe[1740] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\System32\svchost.exe[1740] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\System32\svchost.exe[1740] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\System32\svchost.exe[1740] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\system32\svchost.exe[1784] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\svchost.exe[1784] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\svchost.exe[1784] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\svchost.exe[1784] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\svchost.exe[1784] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\System32\svchost.exe[1816] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\System32\svchost.exe[1816] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\System32\svchost.exe[1816] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\System32\svchost.exe[1816] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\System32\svchost.exe[1816] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\System32\svchost.exe[1916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\System32\svchost.exe[1916] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\System32\svchost.exe[1916] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\System32\svchost.exe[1916] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\System32\svchost.exe[1916] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\System32\svchost.exe[1916] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2484] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2484] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2484] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2484] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2484] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2484] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\System32\alg.exe[2520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\System32\alg.exe[2520] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\System32\alg.exe[2520] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\System32\alg.exe[2520] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\System32\alg.exe[2520] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\System32\alg.exe[2520] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\ctfmon.exe[2844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\system32\ctfmon.exe[2844] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\ctfmon.exe[2844] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\ctfmon.exe[2844] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\ctfmon.exe[2844] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\ctfmon.exe[2844] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\System32\svchost.exe[3248] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\System32\svchost.exe[3248] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\System32\svchost.exe[3248] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\System32\svchost.exe[3248] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\System32\svchost.exe[3248] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4
.text C:\WINDOWS\system32\notepad.exe[3824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100031F8
.text C:\WINDOWS\system32\notepad.exe[3824] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003140
.text C:\WINDOWS\system32\notepad.exe[3824] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002BA4
.text C:\WINDOWS\system32\notepad.exe[3824] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002404
.text C:\WINDOWS\system32\notepad.exe[3824] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002388
.text C:\WINDOWS\system32\notepad.exe[3824] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 100030F4

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[388] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [01022C13] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[388] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter] [01022D34] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[388] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] [01022D03] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.14878 - http://www.gmer.net
Autostart scan 2009-03-12 21:59:02
Windows 5.1.2600 Service Pack 3


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
!SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
avgrsstarter@DLLName = avgrsstx.dll
dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
igfxcui@DLLName = igfxsrvc.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AOL ACS@ = C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe /*file not found*/
Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
avg8emc@ = C:\PROGRA~1\AVG\AVG8\avgemc.exe
avg8wd@ = C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"
btwdins@ = C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
CVPND@ = "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
LightScribeService@ = "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
McAfeeFramework@ = "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart
Pml Driver HPZ12@ = C:\WINDOWS\system32\HPZipm12.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SNMP@ = %SystemRoot%\System32\snmp.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IgfxTrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@SynTPLprC:\Program Files\Synaptics\SynTP\SynTPLpr.exe = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
@SynTPEnhC:\Program Files\Synaptics\SynTP\SynTPEnh.exe = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
@eabconfg.cplC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start /*file not found*/ = C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start /*file not found*/
@CpqsetC:\Program Files\HPQ\Default Settings\cpqset.exe ??? 3 2 9 2 ???? ,?B ? ??hLC ???? = C:\Program Files\HPQ\Default Settings\cpqset.exe ??? 3 2 9 2 ???? ,?B ? ??hLC ????
@LSBWatcherc:\hp\drivers\hplsbwatcher\lsburnwatcher.exe = c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
@hpWirelessAssistant"%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" = "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
@Home Theater SchSvr"C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" = "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
@WINREMOTE"C:\Program Files\InterVideo\Common\Bin\WinRemote.exe" = "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
@AOLDialerC:\Program Files\Common Files\AOL\ACS\AOLDial.exe /*file not found*/ = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe /*file not found*/
@Creative WebCam TrayC:\Program Files\Creative\Shared Files\CAMTRAY.EXE /*file not found*/ = C:\Program Files\Creative\Shared Files\CAMTRAY.EXE /*file not found*/
@McAfeeUpdaterUI"C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey = "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
@ShStatEXE"C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE /*file not found*/ = "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE /*file not found*/
@AutoTBarC:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE /*file not found*/ = C:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE /*file not found*/
@HP Software UpdateC:\Program Files\HP\HP Software Update\HPWuSchd2.exe = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
@SynTPStartC:\Program Files\Synaptics\SynTP\SynTPStart.exe = C:\Program Files\Synaptics\SynTP\SynTPStart.exe
@TkBellExe"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
@AVG8_TRAYC:\PROGRA~1\AVG\AVG8\avgtray.exe = C:\PROGRA~1\AVG\AVG8\avgtray.exe
@AppleSyncNotifierC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
@QuickTime Task"C:\Program Files\QuickTime\QTTask.exe" -atboottime = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MsnMsgr"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/ = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@SpybotSD TeaTimerC:\Program Files\Spybot - Search & Destroy\TeaTimer.exe = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
@DW6"C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" /*file not found*/ = "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" /*file not found*/
@Aim6"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp = "C:\Program Files\AIM6\aim6.exe"

/d locale=en-US ee://aol/imApp
@SUPERAntiSpywareC:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe =

C:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellS

erviceObjectDelayLoad@WPDShServiceObj =

C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explor

er\ShellExecuteHooks@{5AE067D3-9AFB-48E0-853A-

EBB7F4A000DA} = C:\Program

Files\SUPERAntiSpyware\SASSEH.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell

Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display

Panning CPL Extension*/deskpan.dll /*file not found*/ =

deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153}

/*Previous Versions Property

Page*/C:\WINDOWS\system32\twext.dll =

C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783}

/*Previous Versions*/C:\WINDOWS\system32\twext.dll =

C:\WINDOWS\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE

Search Band*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell

DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8}

/*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll

= C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE}

/*Microsoft Url History Service*/C:\WINDOWS\system32

\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000}

/*History*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933}

/*Temporary Internet Files*/C:\WINDOWS\system32

\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933}

/*Temporary Internet Files*/C:\WINDOWS\system32

\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

/*Microsoft Url Search Hook*/C:\WINDOWS\system32

\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The

Internet*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet

Name Space*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay

for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87}

/*Extensions Manager Folder*/C:\WINDOWS\system32

\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{2F603045-309F-11CF-9774-0020AFD0CFF6}

/*Synaptics Control Panel*/C:\Program

Files\Synaptics\SynTP\SynTPCpl.dll = C:\Program

Files\Synaptics\SynTP\SynTPCpl.dll
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My

Bluetooth Places*/C:\WINDOWS\system32

\btneighborhood.dll = C:\WINDOWS\system32

\btneighborhood.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web

Folders*/C:\PROGRA~1\COMMON~1\MICROS~1

\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1

\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046}

/*Microsoft Outlook Custom Icon Handler*/C:\Program

Files\Microsoft Office\Office10\OLKFSTUB.DLL =

C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597}

/*Microsoft Office HTML Icon Handler*/C:\Program

Files\Microsoft Office\Office10\msohev.dll = C:\Program

Files\Microsoft Office\Office10\msohev.dll
@{A1A07B07-F70D-482e-B0E8-B6178E73B094} /*hkshlex

extension*/C:\PROGRA~1\hkSFV\hkshlex.dll =

C:\PROGRA~1\hkSFV\hkshlex.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell

Extensions for RealOne Player*/C:\Program

Files\Real\RealPlayer\rpshell.dll = C:\Program

Files\Real\RealPlayer\rpshell.dll
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell

Extension for Malware scanning*/(null) =
@{35786D3C-B075-49b9-88DD-029876E11C01}

/*Portable Devices*/%SystemRoot%\system32

\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable

Devices Menu*/%SystemRoot%\system32\wpdshext.dll =

%SystemRoot%\system32\wpdshext.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA}

/*WinRAR shell extension*/C:\Program

Files\WinRAR\rarext.dll = C:\Program

Files\WinRAR\rarext.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink

for Application References*/c:\WINDOWS\system32

\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell

Icon Handler for Application

References*/c:\WINDOWS\system32\dfshim.dll =

c:\WINDOWS\system32\dfshim.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media

Band*/(null) =
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}

/*Microsoft Office Metadata Handler*/C:\PROGRA~1

\COMMON~1\MICROS~1\OFFICE12\msoshext.dll =

C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12

\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}

/*Microsoft Office Thumbnail Handler*/C:\PROGRA~1

\COMMON~1\MICROS~1\OFFICE12\msoshext.dll =

C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12

\msoshext.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE

Microsoft BrowserBand*/C:\WINDOWS\system32

\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade

Task*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE

Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE

AutoComplete*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE

Navigation Bar*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu

Site*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu

Band*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE

Microsoft History AutoComplete

List*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE

Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll

= C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE

IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE

BandProxy*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU

AutoComplete List*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS

Feeder Folder*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE

Microsoft Shell Folder AutoComplete

List*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE

Microsoft Multiple AutoComplete List

Container*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}

/*Microsoft Browser

Architecture*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell

Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell

Band Site Menu*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049}

/*&Links*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE

Registry Tree Options Utility*/C:\WINDOWS\system32

\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User

Assist*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE

Custom MRU AutoCompleted

List*/C:\WINDOWS\system32\ieframe.dll =

C:\WINDOWS\system32\ieframe.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB}

/*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%

\System32\XPSSHHDR.DLL = %SystemRoot%\System32

\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9}

/*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%

\System32\XPSSHHDR.DLL = %SystemRoot%\System32

\XPSSHHDR.DLL
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG8

Shell Extension*/C:\Program Files\AVG\AVG8\avgse.dll =

C:\Program Files\AVG\AVG8\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG8

Find Extension*/(null) =
@{D9872D13-7651-4471-9EEE-F0A00218BEBB}

/*Multiscan*/(null) =
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}

/*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll =

C:\Program Files\iTunes\iTunesMiniPlayer.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

>>>
AVG8 Shell Extension@{9F97547E-4609-42C5-AE0C-

81C61FFAEBC3} = C:\Program Files\AVG\AVG8\avgse.dll
hkshlex@{A1A07B07-F70D-482e-B0E8-B6178E73B094} =

C:\PROGRA~1\hkSFV\hkshlex.dll
VirusScan@{cda2863e-2497-4c49-9b89-06840e070a87}

= C:\Program Files\McAfee\VirusScan Enterprise\shext.dll

/*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} =

C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@

{CA8ACAFA-5FBB-467B-B348-90DD488DE003} =

C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHa

ndlers\ >>>
hkshlex@{A1A07B07-F70D-482e-B0E8-B6178E73B094} =

C:\PROGRA~1\hkSFV\hkshlex.dll
VirusScan@{cda2863e-2497-4c49-9b89-06840e070a87}

= C:\Program Files\McAfee\VirusScan Enterprise\shext.dll

/*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} =

C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHa

ndlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} =

C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandl

ers\ >>>
AVG8 Shell Extension@{9F97547E-4609-42C5-AE0C-

81C61FFAEBC3} = C:\Program Files\AVG\AVG8\avgse.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-

19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-

Malware\mbamext.dll
VirusScan@{cda2863e-2497-4c49-9b89-06840e070a87}

= C:\Program Files\McAfee\VirusScan Enterprise\shext.dll

/*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} =

C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explor

er\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

C:\Program Files\Adobe\Acrobat 7.0

\ActiveX\AcroIEHelper.dll = C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{3049C3E9-B461-4BC5-8870-4C09146192CA}

C:\Program

Files\Real\RealPlayer\rpbrowserrecordplugin.dll =

C:\Program

Files\Real\RealPlayer\rpbrowserrecordplugin.dll
@{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

C:\Program Files\AVG\AVG8\avgssie.dll = C:\Program

Files\AVG\AVG8\avgssie.dll
@{53707962-6F74-2D53-2644-206D7942484F}

C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

= C:\Program Files\Spybot - Search &

Destroy\SDHelper.dll
@{A057A204-BACC-4D26-9990-79A187E2698E}

C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL =

C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

HKCU\Control Panel\Desktop@SCRNSAVE.EXE =

C:\WINDOWS\DARKAN~1.SCR

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?

LinkId=69157 = http://go.microsoft.com/fwlink/?

LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157

= http://go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %

SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.gmail.com =

http://www.gmail.com
@Local PageC:\WINDOWS\system32\blank.htm =

C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
linkscanner@CLSID = C:\Program Files\AVG\AVG8

\avgpp.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Program Files\Common

Files\Microsoft Shared\Information Retrieval\msitss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1

\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll
widimg@CLSID = C:\WINDOWS\system32\btxppanel.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Paramet

ers\Interfaces\{5BD98BF8-D706-480A-BB8C-

276CFE4FFD4A} /*Local Area Connection 9*/ >>>
@IPAddress192.168.1.1 = 192.168.1.1
@NameServer =
@DefaultGateway =
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2

\Parameters\NameSpace_Catalog5

\Catalog_Entries\000000000005@LibraryPath =

C:\Program Files\Bonjour\mdnsNSP.dll

C:\Documents and Settings\All Users\Start

Menu\Programs\Startup >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Adobe Reader Speed Launch.lnk = Adobe Reader Speed

Launch.lnk
BTTray.lnk = BTTray.lnk
Clean Access Agent.lnk = Clean Access Agent.lnk
HP Digital Imaging Monitor.lnk = HP Digital Imaging

Monitor.lnk
Microsoft Office.lnk = Microsoft Office.lnk
Run Registration Tool.lnk = Run Registration Tool.lnk

---- EOF - GMER 1.0.15 ----

Re: I think my browser's been hijacked.

Unread postby dan12 » March 13th, 2009, 6:17 am

Thanks for the returned log, which I will look over soon.

If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click the Rootkit/Malware tab
Did you click the Rootkit/Malware tab?

Re: I think my browser's been hijacked.

Unread postby rabidmaiden » March 14th, 2009, 12:15 am

Yes, I did.

Re: I think my browser's been hijacked.

Unread postby dan12 » March 14th, 2009, 4:18 am

Can you disable all security programs including antimalware programs and try the combofix download again please.
Are you still having these issues?

Re: I think my browser's been hijacked.

Unread postby rabidmaiden » March 14th, 2009, 4:35 pm

Tried ComboFix again; it didn't work. I'm still having issues, though. Here's a new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:17 PM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [AutoTBar] C:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Custo ... anager.CAB
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7920276656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0288599140
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: SUNY Oswego VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10104 bytes

Re: I think my browser's been hijacked.

Unread postby dan12 » March 14th, 2009, 10:28 pm

Can you disable all security programs including antimalware programs

Did you carry this out first? These can have a big effect on the tool running.
Our problem is the malware isn't letting our tools get at the infection.
I've nearly run out of ideas. :shock:
Trying to avoid a reformat for you but it's against me at present. :x

Re: I think my browser's been hijacked.

Unread postby rabidmaiden » March 14th, 2009, 10:47 pm

Yes. I turned off everything I could. I can't even FIND the McAfee on my computer.

Re: I think my browser's been hijacked.

Unread postby dan12 » March 14th, 2009, 10:49 pm

How did you disable Spybot's TeaTimer?

Re: I think my browser's been hijacked.

Unread postby rabidmaiden » March 14th, 2009, 10:59 pm

I went to the advanced settings and unchecked the ticker next to it.

Re: I think my browser's been hijacked.

Unread postby dan12 » March 15th, 2009, 4:36 am

The correct way to disable TeaTimer is this:

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Try this and try ComboFix again for me.

Re: I think my browser's been hijacked.

Unread postby rabidmaiden » March 15th, 2009, 12:05 pm

Spybot isn't showing up on my system tray. None of my anti-virus/malware is.

Re: I think my browser's been hijacked.

Unread postby dan12 » March 15th, 2009, 1:07 pm

Have you tried combofix again?

Re: I think my browser's been hijacked.

Unread postby rabidmaiden » March 15th, 2009, 1:25 pm

Yes. It's still not working. The status bar completely loads and it just disappears.