[ Done ] Multi threat adware: search redirected


scott888

  • Bronze Member
  • 13
[ Done ] Multi threat adware: search redirected
« on: November 20, 2008, 06:01:06 PM »
It's scary when an attack not only damages but also prevents damage repair options. After one bad web site visit my computer:
(1) redirects all search results to "yellow page" type sites
(2) cannot obtain windows xp updates
(3) cannot access several web sites, including at least seven other computer help forums (i.e. Geeks to Go, Bleeping Computer, etc.). (I wonder how I got through to this one!)
(4) installation programs will not run when downloaded with Firefox (I have to download with IE using the "run" button). In fact, Malwarebytes will not run even after being installed.

Needless to say, your help will be greatly appreciated!

My HiJack Log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:16 PM, on 11/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TSSchBkpService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\mmlweb.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mmlweb] C:\WINDOWS\system32\mmlweb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TimeslipsBackup (TSScheduleBackup) - Unknown owner - C:\WINDOWS\system32\TSSchBkpService.exe

--
End of file - 6456 bytes
« Last Edit: December 04, 2008, 02:20:51 PM by bamajim »


bamajim

  • Administrator
  • Platinum Member
  • 3116
scott888

1. Go HERE and download File Lister.
  • Save it to your Desktop
  • Rt Click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Rt Click FileLister.vbe ->> Select Open, then Open to confirm.
  • As the program runs, it will appear that nothing is happening.
  • When the program is finished it will produce a log for you at C:\Files.txt
Copy and paste the contents of that log in your reply.

2008-2010
Rights cannot exist without morals


scott888

  • Bronze Member
  • 13
Re: [In Progress] Multi threat adware: search redirected
« Reply #2 on: November 23, 2008, 05:10:59 PM »
Here you go. (Sorry about the delayed reply.)

+++++++++++++++++++++++++++++++++
+
+ File Lister
+
+ Version 1.0.4
+
+  By bamajim / bamajim.com
+
+++++++++++++++++++++++++++++++++


Report ran on --->>>  11/23/2008 6:17:13 PM

====== Values under HKLM\~\Run ======

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"McAfee Managed Services Tray"="\"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\StartMyagtTry.exe\""
"MVS Splash"="\"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\Splash.exe\""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"mmlweb"="C:\\WINDOWS\\system32\\mmlweb.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"Easy SpyRemover"="C:\\Program Files\\Easy SpyRemover\\EasySpyRemover.exe /smart"
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


====== Values under HKCU\~\Run ======

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"


====== Folders and Files from "%\" and "%\Windows" Created Last 30 Days ======

11/19/2008 10:09:22 AM    13216345    C:\60001c68e8a683a13d
11/19/2008 10:09:23 AM    329829    C:\60001c68e8a683a13d\de-at
11/19/2008 10:09:23 AM    329746    C:\60001c68e8a683a13d\de-ch
11/19/2008 10:09:23 AM    330644    C:\60001c68e8a683a13d\de-de
11/19/2008 10:09:23 AM    300702    C:\60001c68e8a683a13d\en-au
11/19/2008 10:09:23 AM    301228    C:\60001c68e8a683a13d\en-ca
11/19/2008 10:09:23 AM    245485    C:\60001c68e8a683a13d\en-gb
11/19/2008 10:09:23 AM    301915    C:\60001c68e8a683a13d\en-hk
11/19/2008 10:09:23 AM    301176    C:\60001c68e8a683a13d\en-ie
11/19/2008 10:09:23 AM    302040    C:\60001c68e8a683a13d\en-in
11/19/2008 10:09:23 AM    301061    C:\60001c68e8a683a13d\en-nz
11/19/2008 10:09:23 AM    302099    C:\60001c68e8a683a13d\en-sg
11/19/2008 10:09:23 AM    320573    C:\60001c68e8a683a13d\es-es
11/19/2008 10:09:23 AM    355430    C:\60001c68e8a683a13d\es-mx
11/19/2008 10:09:23 AM    320282    C:\60001c68e8a683a13d\es-us
11/19/2008 10:09:23 AM    319458    C:\60001c68e8a683a13d\fr-be
11/19/2008 10:09:23 AM    350452    C:\60001c68e8a683a13d\fr-ca
11/19/2008 10:09:23 AM    319451    C:\60001c68e8a683a13d\fr-ch
11/19/2008 10:09:23 AM    319026    C:\60001c68e8a683a13d\fr-fr
11/19/2008 10:09:23 AM    326864    C:\60001c68e8a683a13d\it-it
11/19/2008 10:09:23 AM    851180    C:\60001c68e8a683a13d\ja-jp
11/19/2008 10:09:23 AM    261007    C:\60001c68e8a683a13d\ja-jp-psloc
11/19/2008 10:09:23 AM    2236193    C:\60001c68e8a683a13d\ko-kr
11/19/2008 10:09:23 AM    324389    C:\60001c68e8a683a13d\nl-be
11/19/2008 10:09:23 AM    324369    C:\60001c68e8a683a13d\nl-nl
11/19/2008 10:09:23 AM    314992    C:\60001c68e8a683a13d\pt-br
11/19/2008 10:09:54 AM    0    C:\Config.Msi
11/23/2008 6:17:13 PM    1827    32    C:\Files.txt
11/18/2008 10:26:07 AM    1071697920    38    C:\hiberfil.sys
11/13/2008 10:50:48 AM    1929963    C:\WINDOWS\$NtUninstallKB954459$
11/13/2008 10:50:48 AM    623339    C:\WINDOWS\$NtUninstallKB954459$\spuninst
11/13/2008 10:49:52 AM    1728117    C:\WINDOWS\$NtUninstallKB955069$
11/13/2008 10:49:52 AM    623221    C:\WINDOWS\$NtUninstallKB955069$\spuninst
11/13/2008 10:52:01 AM    1080287    C:\WINDOWS\$NtUninstallKB957097$
11/13/2008 10:52:01 AM    623711    C:\WINDOWS\$NtUninstallKB957097$\spuninst
10/24/2008 11:01:22 AM    960586    C:\WINDOWS\$NtUninstallKB958644$
10/24/2008 11:01:22 AM    623178    C:\WINDOWS\$NtUninstallKB958644$\spuninst
11/17/2008 9:26:58 AM    128    C:\WINDOWS\CSC
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d1
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d2
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d3
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d4
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d5
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d6
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d7
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d8
11/14/2008 10:53:30 PM    19016    32    C:\WINDOWS\abesej.pif
11/14/2008 10:53:30 PM    19379    32    C:\WINDOWS\hivym.ban
11/13/2008 10:29:28 AM    12705    32    C:\WINDOWS\KB954459.log
11/13/2008 10:49:01 AM    7884    32    C:\WINDOWS\KB955069.log
11/13/2008 10:51:58 AM    8318    32    C:\WINDOWS\KB957097.log
10/24/2008 11:00:26 AM    7813    32    C:\WINDOWS\KB958644.log
11/13/2008 10:48:30 AM    313904    32    C:\WINDOWS\msxml4-KB954430-enu.LOG
11/17/2008 9:26:46 AM    1322094    32    C:\WINDOWS\ntbtlog.txt
11/14/2008 10:53:30 PM    15576    32    C:\WINDOWS\qogukyw.db
11/14/2008 10:53:30 PM    16334    32    C:\WINDOWS\siposo.bat
11/14/2008 10:53:30 PM    16708    32    C:\WINDOWS\SYSTEM32\agudotel.inf
11/17/2008 10:20:21 AM    414944    32    C:\WINDOWS\SYSTEM32\COMCT332.OCX
11/14/2008 10:42:18 PM    114    32    C:\WINDOWS\SYSTEM32\delself.bat
11/17/2008 10:20:21 AM    446464    33    C:\WINDOWS\SYSTEM32\hhactivex.dll
11/14/2008 10:53:30 PM    11098    32    C:\WINDOWS\SYSTEM32\iqocupyku.db
11/14/2008 10:53:30 PM    19870    32    C:\WINDOWS\SYSTEM32\iropovy.ban
11/17/2008 10:20:21 AM    645616    32    C:\WINDOWS\SYSTEM32\MSCOMCT2.OCX
11/19/2008 10:55:26 AM    2888    32    C:\WINDOWS\SYSTEM32\OEMINFO.PNF
11/17/2008 10:20:21 AM    176128    32    C:\WINDOWS\SYSTEM32\RcdScan.dll
11/17/2008 10:20:21 AM    328480    32    C:\WINDOWS\SYSTEM32\ssa3d30.ocx
11/17/2008 10:20:19 AM    89360    32    C:\WINDOWS\SYSTEM32\VB5DB.DLL

====== Files under "\Administrator\Startup" Last 30 Days======


====== Files under "\All Users\Startup" Last 30 Days======


====== Folders under "\Program Files" Last 30 Days======

11/14/2008 10:52:42 PM    3789509    C:\Program Files\AntivirusPro2009
11/14/2008 10:52:43 PM    1085343    C:\Program Files\AntivirusPro2009\data
11/14/2008 10:52:42 PM    1655306    C:\Program Files\AntivirusPro2009\Microsoft.VC80.CRT
11/17/2008 4:36:38 PM    6069505    C:\Program Files\Easy SpyRemover
11/17/2008 5:36:09 PM    7238286    C:\Program Files\Easy SystemCleaner
11/17/2008 10:27:09 AM    688784    C:\Program Files\Malwarebytes' Anti-Malware
11/19/2008 10:09:25 AM   
====== Files under "\System32\Drivers" Last 30 Days======

11/19/2008 10:22:35 AM    53168    32    C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys
11/19/2008 10:23:45 AM    91328    32    C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys
11/19/2008 10:23:38 AM    116416    32    C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys

====== Files under "\User\Local Settings\Temp" Last 30 Days======

11/17/2008 6:59:17 PM    6966    32    C:\Documents and Settings\sh\Local Settings\Temp\a535_appcompat.txt
11/19/2008 10:19:56 AM    5144    32    C:\Documents and Settings\sh\Local Settings\Temp\ASPNETSetup_00000.log
11/19/2008 4:37:03 PM    11508    32    C:\Documents and Settings\sh\Local Settings\Temp\AUBrowse_WebCheck.log
11/19/2008 10:10:57 AM    1022    32    C:\Documents and Settings\sh\Local Settings\Temp\AUInst.log
11/18/2008 12:15:41 PM    2779    32    C:\Documents and Settings\sh\Local Settings\Temp\ctxC01.tmp
11/19/2008 10:18:20 AM    14342    32    C:\Documents and Settings\sh\Local Settings\Temp\dd_netfx20UI4BB6.txt
11/21/2008 12:08:10 AM    81    32    C:\Documents and Settings\sh\Local Settings\Temp\dw.log
11/23/2008 6:09:58 PM    0    34    C:\Documents and Settings\sh\Local Settings\Temp\etilqs_1sJKHx8sdlNakfMkVfeL
11/18/2008 12:15:27 PM    264109    32    C:\Documents and Settings\sh\Local Settings\Temp\G2MCodec.log
11/19/2008 10:55:18 AM    1708335    32    C:\Documents and Settings\sh\Local Settings\Temp\gdql_oc_GtCC.log
11/20/2008 10:37:16 AM    93600    32    C:\Documents and Settings\sh\Local Settings\Temp\gdql_oc_GtCC_2.log
11/19/2008 10:54:43 AM    270    32    C:\Documents and Settings\sh\Local Settings\Temp\gdql_oc_WinSSUI.log
11/19/2008 10:55:21 AM    3717    32    C:\Documents and Settings\sh\Local Settings\Temp\GND_HTTP.log
11/19/2008 10:55:21 AM    3177    32    C:\Documents and Settings\sh\Local Settings\Temp\GND_UPNP.log
11/19/2008 10:55:20 AM    374943    32    C:\Documents and Settings\sh\Local Settings\Temp\GNetDev.log
11/19/2008 10:10:50 AM    0    32    C:\Documents and Settings\sh\Local Settings\Temp\InC21.tmp
11/19/2008 10:10:50 AM    1445    32    C:\Documents and Settings\sh\Local Settings\Temp\InstallChannel.log
11/18/2008 12:15:04 PM    416    32    C:\Documents and Settings\sh\Local Settings\Temp\java_install_reg.log
11/19/2008 4:27:09 PM    813    32    C:\Documents and Settings\sh\Local Settings\Temp\java_install_sp.log
11/18/2008 9:29:39 AM    2324    32    C:\Documents and Settings\sh\Local Settings\Temp\jusched.log
11/17/2008 6:59:17 PM    0    32    C:\Documents and Settings\sh\Local Settings\Temp\LastHTMLPage.html
11/19/2008 10:15:24 AM    37823    33    C:\Documents and Settings\sh\Local Settings\Temp\mcle-form1.pdf
11/19/2008 10:23:24 AM    5810    32    C:\Documents and Settings\sh\Local Settings\Temp\MpSigStub.log
11/17/2008 6:54:46 PM    533    32    C:\Documents and Settings\sh\Local Settings\Temp\pcf1.tmp
11/19/2008 10:55:18 AM    1040884    32    C:\Documents and Settings\sh\Local Settings\Temp\qdiagoc_GtCC.log
11/20/2008 10:37:16 AM    56590    32    C:\Documents and Settings\sh\Local Settings\Temp\qdiagoc_GtCC_2.log
11/19/2008 10:54:43 AM    270    32    C:\Documents and Settings\sh\Local Settings\Temp\qdiagoc_WinSSUI.log
11/20/2008 11:30:34 PM    0    32    C:\Documents and Settings\sh\Local Settings\Temp\ukqE.tmp
11/18/2008 9:30:32 AM    553340    32    C:\Documents and Settings\sh\Local Settings\Temp\ZunrTZRw.exe.part
11/23/2008 6:12:56 PM    512    32    C:\Documents and Settings\sh\Local Settings\Temp\~DF1549.tmp
11/23/2008 6:12:57 PM    512    32    C:\Documents and Settings\sh\Local Settings\Temp\~DF1E60.tmp
11/23/2008 6:12:58 PM    512    32    C:\Documents and Settings\sh\Local Settings\Temp\~DF37D0.tmp

====== Files and Folders under "All Users\Application Data" Last 30 Days======

11/18/2008 9:59:38 AM    224    C:\Documents and Settings\All Users\Application Data\Lavasoft
11/18/2008 9:59:38 AM    92    C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware
11/18/2008 9:59:38 AM    92    C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs
11/18/2008 9:59:53 AM    0    C:\Documents and Settings\All Users\Application Data\Lavasoft\License
11/18/2008 10:00:28 AM    132    C:\Documents and Settings\All Users\Application Data\Lavasoft\MiniMessage
11/14/2008 10:53:30 PM    14040    32    C:\Documents and Settings\All Users\Application Data\acav.bat

====== Possible Rootkit Scan (Note: Items listed here are not necessarily bad)======


====== Values under HKLM\Software\microsoft\shared tools\msconfig\startupreg ======

====== BHO's under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects ======

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\


====== Services ( Services that are Whitelisted are not shown) ======

 Apple Mobile Device (Apple Mobile Device) "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"  - Auto

 Canon Driver Information Assist Service (Canon Driver Information Assist Service) C:\Program Files\Canon\DIAS\CnxDIAS.exe  - Auto

 Client Update Service for Novell (cusrvc) C:\WINDOWS\System32\cusrvc.exe  - Manual

 EngineServer (EngineServer) "C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe"  - Auto

 Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"  - Manual

 OneCare Firewall (msfwsvc) "C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"  - Auto

 Multi-user Cleanup Service (Multi-user Cleanup Service) "C:\Program Files\lotus\notes\ntmulti.exe"  - Auto

 McAfee Virus and Spyware Protection Service (myAgtSvc) "C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart  - Auto

 Intel NCS NetService (NetSvc) C:\Program Files\Intel\NCS\Sync\NetSvc.exe  - Manual

 Windows Live OneCare Health Monitor (OcHealthMon) "C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe"  - Auto

 OneCare AntiSpyware and AntiVirus (OneCareMP) "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"  - Auto

 TimeslipsBackup (TSScheduleBackup) C:\WINDOWS\system32\TSSchBkpService.exe  - Auto

 Windows Live OneCare (winss) C:\Program Files\Microsoft Windows OneCare Live\winss.exe  - Auto


====== Running Processes ======

System Idle Process   

System   [4]   
smss.exe   [596]   \SystemRoot\System32\smss.exe
csrss.exe   [644]   
winlogon.exe   [668]   winlogon.exe
services.exe   [716]   C:\WINDOWS\system32\services.exe
lsass.exe   [728]   C:\WINDOWS\system32\lsass.exe
svchost.exe   [920]   C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe   [1036]   
MsMpEng.exe   [1128]   "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
svchost.exe   [1172]   C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe   [1256]   
svchost.exe   [1288]   C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe   [1532]   
svchost.exe   [1552]   C:\WINDOWS\System32\svchost.exe -k dot3svc
spoolsv.exe   [1808]   C:\WINDOWS\system32\spoolsv.exe
AppleMobileDeviceService.exe   [228]   "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
CnxDIAS.exe   [244]   "C:\Program Files\Canon\DIAS\CnxDIAS.exe"
EngineServer.exe   [328]   "C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe"
MDM.EXE   [460]   "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
ntmulti.exe   [732]   "C:\Program Files\lotus\notes\ntmulti.exe"
myAgtSvc.exe   [976]   "C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart
OcHealthMon.exe   [784]   "C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe"
svchost.exe   [1272]   C:\WINDOWS\System32\svchost.exe -k imgsvc
TSSchBkpService.exe   [1376]   C:\WINDOWS\system32\TSSchBkpService.exe
msfwsvc.exe   [1624]   "C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
winss.exe   [1668]   "C:\Program Files\Microsoft Windows OneCare Live\winss.exe"
alg.exe   [2296]   
wmiprvse.exe   [2476]   
explorer.exe   [3256]   C:\WINDOWS\Explorer.EXE
svchost.exe   [3488]   C:\WINDOWS\System32\svchost.exe -k HTTPFilter
nwtray.exe   [3524]   "C:\WINDOWS\system32\NWTRAY.EXE"
tfswctrl.exe   [3548]   "C:\WINDOWS\system32\dla\tfswctrl.exe"
hkcmd.exe   [3840]   "C:\WINDOWS\system32\hkcmd.exe"
igfxpers.exe   [3860]   "C:\WINDOWS\system32\igfxpers.exe"
mmlweb.exe   [3884]   "C:\WINDOWS\system32\mmlweb.exe"
jusched.exe   [3892]   "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
winssnotify.exe   [3988]   "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
ctfmon.exe   [468]   "C:\WINDOWS\system32\ctfmon.exe"
acrotray.exe   [756]   "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe"
myAgtTry.exe   [2276]   "C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry"
firefox.exe   [1324]   "C:\Program Files\Mozilla Firefox\firefox.exe"
OUTLOOK.EXE   [312]   "C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE"  /recycle
WINWORD.EXE   [1368]   "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" -Embedding
wscript.exe   [1096]   "C:\WINDOWS\System32\WScript.exe" "C:\Documents and Settings\sh\Desktop\FileLister.vbe"
wmiprvse.exe   [3980]   

====== Uninstall List From Registry ======

WebEx
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 Plugin
Adobe Download Manager 2.2 (Remove Only)
BAM Media Player
Checker XP
Conexant D850 56K V.9x DFVc Modem
Dell AIO Printer A960
Dell Digital Jukebox Driver
Easy SpyRemover 4.3
Easy SystemCleaner 6.3
Google Desktop
HijackThis 2.0.2
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
DesignPro 5.0 Media Edition
Microsoft Data Access Components KB870669
Windows Genuine Advantage Validation Tool (KB892130)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB923689)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Internet Explorer 7 (KB928090)
Hotfix for Windows Media Format 11 SDK (KB929399)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows Internet Explorer 7 (KB939653)
Hotfix for Windows Media Player 11 (KB939683)
Security Update for Windows XP (KB941569)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows XP (KB946648)
Hotfix for Windows Internet Explorer 7 (KB947864)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Update for Windows XP (KB951072-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Update for Windows XP (KB951978)
Hotfix for Windows XP (KB952287)
Security Update for Windows XP (KB952954)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
LexisNexis Download and Print for Internet Explorer
LiveNote
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Mozilla Firefox (3.0.4)
Microsoft Compression Client Pack 1.0 for Windows XP
MSN Music Assistant
McAfee Virus and Spyware Protection Service
Microsoft National Language Support Downlevel APIs
Novell Client for Windows
Intel(R) PRO Network Adapters and Drivers
RealPlayer
Registry Mechanic 6.0
Macromedia Flash Player 8
Spybot - Search & Destroy 1.3
StampPDF2.7
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Windows Live OneCare
Windows Media Format 11 runtime
Windows Media Player 11
Microsoft User-Mode Driver Framework Feature Pack 1.0
Xerox Support Centre
Sonic Update Manager
Dell Solution Center
Sonic DLA
Dell Picture Studio - Dell Image Expert
AutoUpdate
NMAS Client (3.0.0.37)
MobileMe Control Panel
Dell Media Experience
Google Toolbar for Firefox
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Checker(1)
WebFldrs XP
Internet Explorer Default Page
MSXML 4.0 SP2 (KB927978)
Microsoft Windows OneCare Live v2.5.2900.20 Idcrl Install
NetWaiting
Dell Support
MFC
MUSICMATCH® Jukebox
Banctec Service Agreement
IPRO Tech Workstation Suite
Sibelius Scorch
WordPerfect Office 11
Microsoft Windows Live OneCare Resources v2.5.2900.20
Network Printer Driver for MFX-2030/1430 F-560/520
Lotus Notes 6.5.1
Print to Fax
Skype™ 3.5
Timeslips 2008 Local
Windows Genuine Advantage v1.3.0254.0
PX Engine
LiveNote
Dell Networking Guide
Apple Software Update
Microsoft Outlook Web Access S/MIME
Timeslips by Sage 2008
eCopy Desktop
Microsoft .NET Framework 2.0
Java 2 Runtime Environment, SE v1.4.2
Concordance
DivX
Modem Helper
Jasc Paint Shop Pro 8 Dell Edition
Microsoft Protection Service
MSXML 4.0 SP2 (KB954430)
Intel(R) Extreme Graphics 2 Driver
DivX Player
GTOneCare
QuickTime
Compatibility Pack for the 2007 Office system
Help and Support Customization
Microsoft Office Standard Edition 2003
Microsoft Office OneNote 2003
Time Zone Data Update Tool for Microsoft Office Outlook
Microsoft Application Error Reporting
Sonic RecordNow!
Apple Mobile Device Support
Intel(R) PROSet
Intel(R) Processor ID Utility
ABBYY FineReader 7.0 Professional Edition
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Acrobat 6.0.1 Standard
Adobe Reader 7.0.9
DivX Converter
Patent-In 3.3
DivX Web Player
Netflix Movie Viewer
MSXML 4.0 SP2 (KB936181)
Microsoft .NET Framework 1.1
Jasc Paint Shop Photo Album
DivX Content Uploader
Microsoft Windows OneCare Live v2.5.2900.20
ABBYY FineReader 5.0 Sprint Plus
Paint Shop Pro 7
Dell ResourceCD
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
Digital Line Detect
DesignPro 5.0 Media Edition
NICI (Shared) U.S./Worldwide (128 bit) (2.6.6-1)
Windows Resource Kit Tools
MFC
Banctec Service Agreement

======== Other Info ========

TOTAL PHYSICAL RAM: 1072 MB
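
The File Lister output above is what the helper works from when he picks files for the Avenger script later in the thread: the suspect files share one creation timestamp (11/14/2008 10:53:30 PM) and random-looking names. The script below is an added example, not part of this thread or of the File Lister tool; it parses File Lister's entry lines and groups files by exact creation timestamp, which surfaces that burst automatically. The embedded sample log is constructed from a few of the lines posted above plus benign entries, and reading the numeric column after the size as the Win32 file-attribute mask (readonly=1, hidden=2, system=4, archive=32) is an assumption about File Lister's format, not something the page states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in File Lister's line format: a few of the entries posted above
# (the 11/14/2008 10:53:30 PM files, delself.bat) plus benign files and two folder
# lines, so the script runs offline. Folder lines carry no attribute column.
SAMPLE_LOG = r"""
11/19/2008 10:09:54 AM    0    C:\Config.Msi
11/13/2008 10:50:48 AM    1929963    C:\WINDOWS\$NtUninstallKB954459$
11/14/2008 10:53:30 PM    19016    32    C:\WINDOWS\abesej.pif
11/14/2008 10:53:30 PM    19379    32    C:\WINDOWS\hivym.ban
11/13/2008 10:29:28 AM    12705    32    C:\WINDOWS\KB954459.log
11/14/2008 10:53:30 PM    15576    32    C:\WINDOWS\qogukyw.db
11/14/2008 10:53:30 PM    16334    32    C:\WINDOWS\siposo.bat
11/14/2008 10:53:30 PM    16708    32    C:\WINDOWS\SYSTEM32\agudotel.inf
11/14/2008 10:42:18 PM    114    32    C:\WINDOWS\SYSTEM32\delself.bat
11/17/2008 10:20:21 AM    446464    33    C:\WINDOWS\SYSTEM32\hhactivex.dll
11/14/2008 10:53:30 PM    11098    32    C:\WINDOWS\SYSTEM32\iqocupyku.db
11/14/2008 10:53:30 PM    19870    32    C:\WINDOWS\SYSTEM32\iropovy.ban
11/14/2008 10:53:30 PM    14040    32    C:\Documents and Settings\All Users\Application Data\acav.bat
"""

# One entry per line: creation timestamp, size in bytes, an optional attribute number
# (files only; folders omit it) and the full path. Section headers and the truncated
# line in the posted log do not match and are skipped.
ENTRY_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(\d+)\s+(?:(\d+)\s+)?(\S.*?)\s*$"
)

# Assumed meaning of the attribute column: the Win32 file-attribute bitmask.
ATTRIBUTE_BITS = [(0x1, "READONLY"), (0x2, "HIDDEN"), (0x4, "SYSTEM"), (0x20, "ARCHIVE")]


def parse_file_lister(text):
    """Return one dict per entry line: created (datetime), size, attrs (None for folders), path."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        attrs = int(m.group(3)) if m.group(3) is not None else None
        entries.append({"created": created, "size": int(m.group(2)),
                        "attrs": attrs, "path": m.group(4)})
    return entries


def decode_attributes(mask):
    """Expand the attribute number into flag names, e.g. 38 -> HIDDEN, SYSTEM, ARCHIVE."""
    if mask is None:
        return []
    return [name for bit, name in ATTRIBUTE_BITS if mask & bit]


def find_creation_bursts(entries, min_files=3):
    """Group files (folder lines are skipped) by exact creation timestamp and keep the
    groups with at least min_files members: timestamp -> sorted list of paths."""
    by_time = defaultdict(list)
    for e in entries:
        if e["attrs"] is None:
            continue
        by_time[e["created"]].append(e["path"])
    return {ts: sorted(paths) for ts, paths in by_time.items() if len(paths) >= min_files}


def burst_report(text, min_files=3):
    """Triage summary as a list of lines, one header per burst followed by its paths."""
    lines = []
    for ts, paths in sorted(find_creation_bursts(parse_file_lister(text), min_files).items()):
        lines.append(f"{len(paths)} files created at {ts:%m/%d/%Y %I:%M:%S %p}:")
        lines.extend(f"  {p}" for p in paths)
    return lines


if __name__ == "__main__":
    print("\n".join(burst_report(SAMPLE_LOG)))
```

delself.bat (created at 10:42:18 PM) is not in the burst, so a timestamp cluster alone would have missed it; the helper added it by inspection, which is why this is a triage aid and not a removal list.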



bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [In Progress] Multi threat adware: search redirected
« Reply #3 on: November 24, 2008, 08:07:54 AM »
scott888

Please download Combofix and save to your desktop:
  • Note: It is important that it is saved directly to your desktop
  • Close any open browsers.
  • Double click on combofix.exe and follow the prompts.
  • When it's finished it will produce a log.
  • Post the contents of the C:\ComboFix.txt into your next reply.
  • Note: Do not mouseclick combofix's window whilst it's running.
  • That may cause the program to freeze/hang.




scott888

  • Bronze Member
  • 13
Re: [In Progress] Multi threat adware: search redirected
« Reply #4 on: November 24, 2008, 03:20:26 PM »
No Luck.

I was able to get combofix.exe onto my desktop. (Note, as I stated earlier, I cannot contact bleepingcomputer.com from this computer. I used another computer to access the site and download the file. I then copied the file to this desktop by way of a flash drive.)

I double-clicked on the combofix.exe desktop icon. I see the mouse arrow change into the "hourglass" icon for a few seconds; then, unfortunately, nothing else happens. (I note that the process "combofix.exe" does appear in the Windows Task Manager "Processes" tab, but zero "CPU" is associated with the process.)

The same thing happens when I try to run the Malwarebytes setup program, mbam-setup.exe, after downloading it to my desktop. (Although, in that case I could run the setup program when I downloaded it with IE, presumably placing the exe file in a Windows "temp" folder, then clicking the "Run" button on the IE download window. That did not prove useful, however, because the installed Malwarebytes program did not run!)

In addition to double-clicking on the desktop icon, I also tried to run the combofix.exe program using the "Run" option selected from the Start menu. No luck.

As I said, it is frustrating, and somewhat scary, that this malware has somehow disabled programs designed to eradicate the malware.

Offline bamajim

Re: [In Progress] Multi threat adware: search redirected
« Reply #5 on: November 24, 2008, 03:34:31 PM »
scott888

I know it is, but we will get it. We will just have to do it the hard way. Do not delete Combofix, we will still need it.

If you are unable to download Avenger from the infected PC, then use the same technique you used to download Combofix.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop (How to extract (decompress) zipped or compressed files, help in the link here: )
2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
C:\WINDOWS\abesej.pif
C:\WINDOWS\hivym.ban
C:\WINDOWS\qogukyw.db
C:\WINDOWS\siposo.bat
C:\WINDOWS\SYSTEM32\agudotel.inf
C:\WINDOWS\SYSTEM32\delself.bat
C:\WINDOWS\SYSTEM32\iqocupyku.db
C:\WINDOWS\SYSTEM32\iropovy.ban

Folders to Delete:
C:\Program Files\AntivirusPro2009


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Select Load Script
  • Select Paste from Clipboard
  • The information should now appear in the Open window
  • Select Execute
  • Answer Yes when prompted "Are you sure you want to execute the current script?"
4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.


Offline scott888

Re: [In Progress] Multi threat adware: search redirected
« Reply #6 on: November 24, 2008, 05:02:56 PM »
OK, this time all the programs ran.

Below is the avenger.txt file, followed by a fresh HijackThis log:

Avenger.txt

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath:  \systemroot\system32\drivers\TDSSrvdc.sys
Start Type:  1 (System)

Rootkit scan completed.


Error:  file "C:WINDOWSabesej.pif" not found!
Deletion of file "C:WINDOWSabesej.pif" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:WINDOWShivym.ban" not found!
Deletion of file "C:WINDOWShivym.ban" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:WINDOWSqogukyw.db" not found!
Deletion of file "C:WINDOWSqogukyw.db" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:WINDOWSsiposo.bat" not found!
Deletion of file "C:WINDOWSsiposo.bat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:WINDOWSSYSTEM32agudotel.inf" not found!
Deletion of file "C:WINDOWSSYSTEM32agudotel.inf" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:WINDOWSSYSTEM32delself.bat" not found!
Deletion of file "C:WINDOWSSYSTEM32delself.bat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:WINDOWSSYSTEM32iqocupyku.db" not found!
Deletion of file "C:WINDOWSSYSTEM32iqocupyku.db" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:WINDOWSSYSTEM32iropovy.ban" not found!
Deletion of file "C:WINDOWSSYSTEM32iropovy.ban" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  folder "C:Program FilesAntivirusPro2009" not found!
Deletion of folder "C:Program FilesAntivirusPro2009" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

Fresh HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:06 PM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TSSchBkpService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\mmlweb.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mmlweb] C:\WINDOWS\system32\mmlweb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TimeslipsBackup (TSScheduleBackup) - Unknown owner - C:\WINDOWS\system32\TSSchBkpService.exe

--
End of file - 6429 bytes

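The Avenger log above reports every deletion as failed, and each path it echoes back has lost its backslashes ("C:WINDOWSabesej.pif" for C:\WINDOWS\abesej.pif), so nothing was actually removed. The following is an added example, not code from the thread, from The Avenger, or from the forum's helpers: it parses a log in the format posted here against the script from Reply #5, separates successes from failures, flags paths that were mangled in copy/paste, and maps them back to the intended script entries; the only assumption is the "deleted successfully" wording used for successful entries.

```python
"""Audit an Avenger run log against the script that was fed to it.

Added example for this thread (not Avenger's or the forum's code). The log
format (Error / Deletion / Status lines, hidden-driver block) follows Reply #6;
the wording used for successful deletions is an assumption.
"""
import re

# Constructed from Reply #5 (script) and Reply #6 (log), shortened to three entries.
SCRIPT = r"""Files to Delete:
C:\WINDOWS\abesej.pif
C:\WINDOWS\SYSTEM32\delself.bat

Folders to Delete:
C:\Program Files\AntivirusPro2009
"""

LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
Rootkit scan active.
Hidden driver "TDSSserv.sys" found!
ImagePath:  \systemroot\system32\drivers\TDSSrvdc.sys
Start Type:  1 (System)
Rootkit scan completed.
Error:  file "C:WINDOWSabesej.pif" not found!
Deletion of file "C:WINDOWSabesej.pif" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Error:  file "C:WINDOWSSYSTEM32delself.bat" not found!
Deletion of file "C:WINDOWSSYSTEM32delself.bat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Error:  folder "C:Program FilesAntivirusPro2009" not found!
Deletion of folder "C:Program FilesAntivirusPro2009" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Completed script processing.
"""

DRIVER_RE = re.compile(r'^Hidden driver "([^"]+)" found!$')
IMAGE_RE = re.compile(r'^ImagePath:\s+(\S.*)$')
FAIL_RE = re.compile(r'^Deletion of (file|folder) "([^"]+)" failed!$')
OK_RE = re.compile(r'^(File|Folder) "([^"]+)" deleted successfully\.$')  # assumed wording
STATUS_RE = re.compile(r'^Status:\s+0x[0-9a-fA-F]+\s+\(([A-Z_]+)\)')
# A path Avenger can act on starts with a drive letter, a colon and a backslash.
WELL_FORMED_RE = re.compile(r'^[A-Za-z]:\\')


def parse_avenger_script(text):
    """Return {'file': [...], 'folder': [...]} from the two script sections."""
    headers = {"Files to Delete:": "file", "Folders to Delete:": "folder"}
    entries, current = {"file": [], "folder": []}, None
    for line in (l.strip() for l in text.splitlines()):
        if line in headers:
            current = headers[line]
        elif line and current:
            entries[current].append(line)
    return entries


def parse_avenger_log(text):
    """Return (hidden_drivers, deletions): [(name, image_path)], [(kind, path, ok, status)]."""
    drivers, deletions, pending = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := DRIVER_RE.match(line):
            pending = m.group(1)
        elif (m := IMAGE_RE.match(line)) and pending:
            drivers.append((pending, m.group(1)))
            pending = None
        elif m := OK_RE.match(line):
            deletions.append([m.group(1).lower(), m.group(2), True, ""])
        elif m := FAIL_RE.match(line):
            deletions.append([m.group(1), m.group(2), False, ""])
        elif (m := STATUS_RE.match(line)) and deletions and not deletions[-1][2]:
            deletions[-1][3] = m.group(1)  # attach the NTSTATUS name to the failure above it
    return drivers, [tuple(d) for d in deletions]


def path_looks_mangled(path):
    return WELL_FORMED_RE.match(path) is None


def match_mangled_to_script(mangled, script_paths):
    """Find the script entry that equals the logged path once its backslashes are removed."""
    return next((p for p in script_paths if p.replace("\\", "") == mangled), None)


def audit(log_text, script_text):
    script = parse_avenger_script(script_text)
    requested = script["file"] + script["folder"]
    drivers, deletions = parse_avenger_log(log_text)
    result = {"requested": len(requested), "hidden_drivers": drivers,
              "deleted": [], "failed": [], "mangled": {}}
    for _kind, path, ok, status in deletions:
        if ok:
            result["deleted"].append(path)
        else:
            result["failed"].append((path, status))
            if path_looks_mangled(path):
                result["mangled"][path] = match_mangled_to_script(path, requested)
    seen = set(result["deleted"]) | {p for p, _ in result["failed"]} | set(result["mangled"].values())
    result["unaccounted"] = [p for p in requested if p not in seen]  # asked for, never mentioned
    return result


if __name__ == "__main__":
    r = audit(LOG, SCRIPT)
    print(f"{len(r['deleted'])}/{r['requested']} deletions succeeded; {len(r['failed'])} failed")
    for bad, intended in r["mangled"].items():
        print(f"  mangled path {bad!r} -> script entry {intended!r} (backslashes lost in paste)")
```

Run against the real avenger.txt, the "mangled" map tells the helper the script itself needs re-pasting before anything else is tried, and the hidden-driver list carries the TDSS finding forward.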

Offline scott888

Re: [In Progress] Multi threat adware: search redirected
« Reply #7 on: November 24, 2008, 05:23:51 PM »
Note there is one change between the two HJT logs, which I caused, so don't be distracted by it.

The original log was run with a "Startup Item" deactivated by way of the System Configuration Utility, the "Digital Line Detect" process dlg.exe. I had reactivated it prior to the latest HJT run, so you will see "C:\Program Files\Digital Line Detect\DLG.exe" running in the latest HJT log.

I don't want you thinking this is related to the infection.

Offline bamajim

Re: [In Progress] Multi threat adware: search redirected
« Reply #8 on: November 25, 2008, 03:14:26 PM »
scott888

Let me check something and I'll be right back


Offline bamajim

Re: [In Progress] Multi threat adware: search redirected
« Reply #9 on: December 01, 2008, 08:46:24 AM »
scott888

Sorry for the delay.
Rerun FileLister and post a fresh log please.


Offline scott888

Re: [In Progress] Multi threat adware: search redirected
« Reply #10 on: December 03, 2008, 08:16:28 AM »
Here you go, the log from a fresh "FileLister" run:


+++++++++++++++++++++++++++++++++
+
+ File Lister
+
+ Version 1.0.4
+
+  By bamajim / bamajim.com
+
+++++++++++++++++++++++++++++++++


Report ran on --->>>  12/3/2008 9:24:07 AM

====== Values under HKLM\~\Run ======

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"McAfee Managed Services Tray"="\"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\StartMyagtTry.exe\""
"MVS Splash"="\"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\Splash.exe\""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"mmlweb"="C:\\WINDOWS\\system32\\mmlweb.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"Easy SpyRemover"="C:\\Program Files\\Easy SpyRemover\\EasySpyRemover.exe /smart"
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


====== Values under HKCU\~\Run ======

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"


====== Folders and Files from "%\" and "%\Windows" Created Last 30 Days ======

11/19/2008 10:09:22 AM    13216345    C:\60001c68e8a683a13d
11/19/2008 10:09:23 AM    329829    C:\60001c68e8a683a13d\de-at
11/19/2008 10:09:23 AM    329746    C:\60001c68e8a683a13d\de-ch
11/19/2008 10:09:23 AM    330644    C:\60001c68e8a683a13d\de-de
11/19/2008 10:09:23 AM    300702    C:\60001c68e8a683a13d\en-au
11/19/2008 10:09:23 AM    301228    C:\60001c68e8a683a13d\en-ca
11/19/2008 10:09:23 AM    245485    C:\60001c68e8a683a13d\en-gb
11/19/2008 10:09:23 AM    301915    C:\60001c68e8a683a13d\en-hk
11/19/2008 10:09:23 AM    301176    C:\60001c68e8a683a13d\en-ie
11/19/2008 10:09:23 AM    302040    C:\60001c68e8a683a13d\en-in
11/19/2008 10:09:23 AM    301061    C:\60001c68e8a683a13d\en-nz
11/19/2008 10:09:23 AM    302099    C:\60001c68e8a683a13d\en-sg
11/19/2008 10:09:23 AM    320573    C:\60001c68e8a683a13d\es-es
11/19/2008 10:09:23 AM    355430    C:\60001c68e8a683a13d\es-mx
11/19/2008 10:09:23 AM    320282    C:\60001c68e8a683a13d\es-us
11/19/2008 10:09:23 AM    319458    C:\60001c68e8a683a13d\fr-be
11/19/2008 10:09:23 AM    350452    C:\60001c68e8a683a13d\fr-ca
11/19/2008 10:09:23 AM    319451    C:\60001c68e8a683a13d\fr-ch
11/19/2008 10:09:23 AM    319026    C:\60001c68e8a683a13d\fr-fr
11/19/2008 10:09:23 AM    326864    C:\60001c68e8a683a13d\it-it
11/19/2008 10:09:23 AM    851180    C:\60001c68e8a683a13d\ja-jp
11/19/2008 10:09:23 AM    261007    C:\60001c68e8a683a13d\ja-jp-psloc
11/19/2008 10:09:23 AM    2236193    C:\60001c68e8a683a13d\ko-kr
11/19/2008 10:09:23 AM    324389    C:\60001c68e8a683a13d\nl-be
11/19/2008 10:09:23 AM    324369    C:\60001c68e8a683a13d\nl-nl
11/19/2008 10:09:23 AM    314992    C:\60001c68e8a683a13d\pt-br
11/24/2008 5:56:30 PM    1045    C:\Avenger
11/19/2008 10:09:54 AM    0    C:\Config.Msi
11/24/2008 5:56:29 PM    4638    32    C:\avenger.txt
11/23/2008 6:17:13 PM    1826    32    C:\Files.txt
11/18/2008 10:26:07 AM    1071697920    38    C:\hiberfil.sys
11/13/2008 10:50:48 AM    1929963    C:\WINDOWS\$NtUninstallKB954459$
11/13/2008 10:50:48 AM    623339    C:\WINDOWS\$NtUninstallKB954459$\spuninst
11/13/2008 10:49:52 AM    1728117    C:\WINDOWS\$NtUninstallKB955069$
11/13/2008 10:49:52 AM    623221    C:\WINDOWS\$NtUninstallKB955069$\spuninst
11/13/2008 10:52:01 AM    1080287    C:\WINDOWS\$NtUninstallKB957097$
11/13/2008 10:52:01 AM    623711    C:\WINDOWS\$NtUninstallKB957097$\spuninst
11/17/2008 9:26:58 AM    128    C:\WINDOWS\CSC
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d1
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d2
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d3
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d4
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d5
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d6
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d7
11/17/2008 9:26:58 AM    0    C:\WINDOWS\CSC\d8
11/14/2008 10:53:30 PM    19016    32    C:\WINDOWS\abesej.pif
11/14/2008 10:53:30 PM    19379    32    C:\WINDOWS\hivym.ban
11/13/2008 10:29:28 AM    12705    32    C:\WINDOWS\KB954459.log
11/13/2008 10:49:01 AM    7884    32    C:\WINDOWS\KB955069.log
11/13/2008 10:51:58 AM    8318    32    C:\WINDOWS\KB957097.log
11/13/2008 10:48:30 AM    313904    32    C:\WINDOWS\msxml4-KB954430-enu.LOG
11/17/2008 9:26:46 AM    1322094    32    C:\WINDOWS\ntbtlog.txt
11/14/2008 10:53:30 PM    15576    32    C:\WINDOWS\qogukyw.db
11/14/2008 10:53:30 PM    16334    32    C:\WINDOWS\siposo.bat
11/14/2008 10:53:30 PM    16708    32    C:\WINDOWS\SYSTEM32\agudotel.inf
11/17/2008 10:20:21 AM    414944    32    C:\WINDOWS\SYSTEM32\COMCT332.OCX
11/14/2008 10:42:18 PM    114    32    C:\WINDOWS\SYSTEM32\delself.bat
11/17/2008 10:20:21 AM    446464    33    C:\WINDOWS\SYSTEM32\hhactivex.dll
11/14/2008 10:53:30 PM    11098    32    C:\WINDOWS\SYSTEM32\iqocupyku.db
11/14/2008 10:53:30 PM    19870    32    C:\WINDOWS\SYSTEM32\iropovy.ban
11/17/2008 10:20:21 AM    645616    32    C:\WINDOWS\SYSTEM32\MSCOMCT2.OCX
11/19/2008 10:55:26 AM    2888    32    C:\WINDOWS\SYSTEM32\OEMINFO.PNF
11/17/2008 10:20:21 AM    176128    32    C:\WINDOWS\SYSTEM32\RcdScan.dll
11/17/2008 10:20:21 AM    328480    32    C:\WINDOWS\SYSTEM32\ssa3d30.ocx
11/17/2008 10:20:19 AM    89360    32    C:\WINDOWS\SYSTEM32\VB5DB.DLL

====== Files under "\Administrator\Startup" Last 30 Days======


====== Files under "\All Users\Startup" Last 30 Days======

11/24/2008 4:28:48 PM    493    32    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

====== Folders under "\Program Files" Last 30 Days======

11/14/2008 10:52:42 PM    3789509    C:\Program Files\AntivirusPro2009
11/14/2008 10:52:43 PM    1085343    C:\Program Files\AntivirusPro2009\data
11/14/2008 10:52:42 PM    1655306    C:\Program Files\AntivirusPro2009\Microsoft.VC80.CRT
11/24/2008 9:19:19 PM    1217007    C:\Program Files\AskBarDis
11/24/2008 9:19:19 PM    491623    C:\Program Files\AskBarDis\bar
11/24/2008 9:19:19 PM    486160    C:\Program Files\AskBarDis\bar\bin
11/24/2008 9:19:19 PM    5463    C:\Program Files\AskBarDis\bar\Settings
11/17/2008 4:36:38 PM    6069505    C:\Program Files\Easy SpyRemover
11/17/2008 5:36:09 PM    7238286    C:\Program Files\Easy SystemCleaner
11/17/2008 10:27:09 AM    688784    C:\Program Files\Malwarebytes' Anti-Malware
11/19/2008 10:09:25 AM   
====== Files under "\System32\Drivers" Last 30 Days======

11/19/2008 10:22:35 AM    53168    32    C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys
11/19/2008 10:23:45 AM    91328    32    C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys
11/19/2008 10:23:38 AM    116416    32    C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys

====== Files under "\User\Local Settings\Temp" Last 30 Days======

11/17/2008 6:59:17 PM    6966    32    C:\Documents and Settings\sh\Local Settings\Temp\a535_appcompat.txt
11/27/2008 1:29:28 AM    3363    32    C:\Documents and Settings\sh\Local Settings\Temp\Acr1B.tmp
11/27/2008 1:29:28 AM    3631    32    C:\Documents and Settings\sh\Local Settings\Temp\Acr1C.tmp
11/19/2008 10:19:56 AM    5144    32    C:\Documents and Settings\sh\Local Settings\Temp\ASPNETSetup_00000.log
11/19/2008 4:37:03 PM    11508    32    C:\Documents and Settings\sh\Local Settings\Temp\AUBrowse_WebCheck.log
11/19/2008 10:10:57 AM    1022    32    C:\Documents and Settings\sh\Local Settings\Temp\AUInst.log
11/25/2008 2:07:31 AM    1484820    32    C:\Documents and Settings\sh\Local Settings\Temp\aUwZD1kE.zip.part
11/25/2008 5:28:36 AM    5460    32    C:\Documents and Settings\sh\Local Settings\Temp\BtnConfig.ini
11/18/2008 12:15:41 PM    2779    32    C:\Documents and Settings\sh\Local Settings\Temp\ctxC01.tmp
11/19/2008 10:18:20 AM    14342    32    C:\Documents and Settings\sh\Local Settings\Temp\dd_netfx20UI4BB6.txt
11/21/2008 12:08:10 AM    81    32    C:\Documents and Settings\sh\Local Settings\Temp\dw.log
11/18/2008 12:15:27 PM    264109    32    C:\Documents and Settings\sh\Local Settings\Temp\G2MCodec.log
11/19/2008 10:55:18 AM    3156172    32    C:\Documents and Settings\sh\Local Settings\Temp\gdql_oc_GtCC.log
11/20/2008 10:37:16 AM    93612    32    C:\Documents and Settings\sh\Local Settings\Temp\gdql_oc_GtCC_2.log
11/19/2008 10:54:43 AM    270    32    C:\Documents and Settings\sh\Local Settings\Temp\gdql_oc_WinSSUI.log
11/19/2008 10:55:21 AM    7859    32    C:\Documents and Settings\sh\Local Settings\Temp\GND_HTTP.log
11/19/2008 10:55:21 AM    6689    32    C:\Documents and Settings\sh\Local Settings\Temp\GND_UPNP.log
11/19/2008 10:55:20 AM    811775    32    C:\Documents and Settings\sh\Local Settings\Temp\GNetDev.log
11/24/2008 9:19:22 PM    4608    32    C:\Documents and Settings\sh\Local Settings\Temp\i4jdel0.exe
11/24/2008 9:18:22 PM    91    32    C:\Documents and Settings\sh\Local Settings\Temp\i4j_log48239.log
11/19/2008 10:10:50 AM    0    32    C:\Documents and Settings\sh\Local Settings\Temp\InC21.tmp
11/19/2008 10:10:50 AM    1445    32    C:\Documents and Settings\sh\Local Settings\Temp\InstallChannel.log
11/18/2008 12:15:04 PM    416    32    C:\Documents and Settings\sh\Local Settings\Temp\java_install_reg.log
11/19/2008 4:27:09 PM    813    32    C:\Documents and Settings\sh\Local Settings\Temp\java_install_sp.log
11/18/2008 9:29:39 AM    3879    32    C:\Documents and Settings\sh\Local Settings\Temp\jusched.log
11/17/2008 6:59:17 PM    0    32    C:\Documents and Settings\sh\Local Settings\Temp\LastHTMLPage.html
11/19/2008 10:15:24 AM    37823    33    C:\Documents and Settings\sh\Local Settings\Temp\mcle-form1.pdf
11/19/2008 10:23:24 AM    5810    32    C:\Documents and Settings\sh\Local Settings\Temp\MpSigStub.log
11/17/2008 6:54:46 PM    533    32    C:\Documents and Settings\sh\Local Settings\Temp\pcf1.tmp
11/19/2008 10:55:18 AM    1936863    32    C:\Documents and Settings\sh\Local Settings\Temp\qdiagoc_GtCC.log
11/20/2008 10:37:16 AM    56590    32    C:\Documents and Settings\sh\Local Settings\Temp\qdiagoc_GtCC_2.log
11/19/2008 10:54:43 AM    270    32    C:\Documents and Settings\sh\Local Settings\Temp\qdiagoc_WinSSUI.log
11/24/2008 9:19:29 PM    77824    32    C:\Documents and Settings\sh\Local Settings\Temp\swt-gdip-win32-3448.dll
11/24/2008 9:19:26 PM    335872    32    C:\Documents and Settings\sh\Local Settings\Temp\swt-win32-3448.dll
11/20/2008 11:30:34 PM    0    32    C:\Documents and Settings\sh\Local Settings\Temp\ukqE.tmp
11/18/2008 9:30:32 AM    553340    32    C:\Documents and Settings\sh\Local Settings\Temp\ZunrTZRw.exe.part
11/26/2008 11:33:01 PM    16384    32    C:\Documents and Settings\sh\Local Settings\Temp\~DF53DE.tmp

====== Files and Folders under "All Users\Application Data" Last 30 Days======

11/24/2008 9:19:26 PM    20    C:\Documents and Settings\All Users\Application Data\Azureus
11/18/2008 9:59:38 AM    224    C:\Documents and Settings\All Users\Application Data\Lavasoft
11/18/2008 9:59:38 AM    92    C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware
11/18/2008 9:59:38 AM    92    C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs
11/18/2008 9:59:53 AM    0    C:\Documents and Settings\All Users\Application Data\Lavasoft\License
11/18/2008 10:00:28 AM    132    C:\Documents and Settings\All Users\Application Data\Lavasoft\MiniMessage
11/14/2008 10:53:30 PM    14040    32    C:\Documents and Settings\All Users\Application Data\acav.bat

====== Possible Rootkit Scan (Note: Items listed here are not necessarily bad)======


====== Values under HKLM\Software\microsoft\shared tools\msconfig\startupreg ======

====== BHO's under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects ======

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}
AskBar BHO

====== Services ( Services that are Whitelisted are not shown) ======

 Alerter (Alerter) C:\WINDOWS\System32\svchost.exe -k LocalService  - Disabled

 Application Layer Gateway Service (ALG) C:\WINDOWS\System32\alg.exe  - Manual

 Apple Mobile Device (Apple Mobile Device) "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"  - Auto

 Application Management (AppMgmt) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Manual

 ASP.NET State Service (aspnet_state) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe  - Manual

 Windows Audio (AudioSrv) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Background Intelligent Transfer Service (BITS)   - Auto

 Computer Browser (Browser) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Canon Driver Information Assist Service (Canon Driver Information Assist Service) C:\Program Files\Canon\DIAS\CnxDIAS.exe  - Auto

 Indexing Service (CiSvc) C:\WINDOWS\system32\cisvc.exe  - Manual

 ClipBook (ClipSrv) C:\WINDOWS\system32\clipsrv.exe  - Disabled

 .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe  - Manual

 COM+ System Application (COMSysApp) C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}  - Manual

 Cryptographic Services (CryptSvc) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Auto

 Client Update Service for Novell (cusrvc) C:\WINDOWS\System32\cusrvc.exe  - Manual

 DCOM Server Process Launcher (DcomLaunch) C:\WINDOWS\system32\svchost -k DcomLaunch  - Auto

 DHCP Client (Dhcp) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Logical Disk Manager Administrative Service (dmadmin) C:\WINDOWS\System32\dmadmin.exe /com  - Manual

 Logical Disk Manager (dmserver) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 DNS Client (Dnscache) C:\WINDOWS\System32\svchost.exe -k NetworkService  - Auto

 Wired AutoConfig (Dot3svc) C:\WINDOWS\System32\svchost.exe -k dot3svc  - Manual

 Extensible Authentication Protocol Service (EapHost) C:\WINDOWS\System32\svchost.exe -k eapsvcs  - Manual

 EngineServer (EngineServer) "C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe"  - Auto

 Error Reporting Service (ERSvc) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Event Log (Eventlog) C:\WINDOWS\system32\services.exe  - Auto

 COM+ Event System (EventSystem) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

 Fast User Switching Compatibility (FastUserSwitchingCompatibility) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

 Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"  - Manual

 Help and Support (helpsvc) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Human Interface Device Access (HidServ) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Disabled

 Health Key and Certificate Management Service (hkmsvc) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

 HTTP SSL (HTTPFilter) C:\WINDOWS\System32\svchost.exe -k HTTPFilter  - Manual

 InstallDriver Table Manager (IDriverT) "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"  - Manual

 IMAPI CD-Burning COM Service (ImapiService) C:\WINDOWS\System32\imapi.exe  - Manual

 Server (lanmanserver) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Workstation (lanmanworkstation) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 LexBce Server (LexBceS) C:\WINDOWS\system32\LEXBCES.EXE  - Auto

 TCP/IP NetBIOS Helper (LmHosts) C:\WINDOWS\System32\svchost.exe -k LocalService  - Auto

 Machine Debug Manager (MDM) "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"  - Auto

 Messenger (Messenger) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Disabled

 NetMeeting Remote Desktop Sharing (mnmsrvc) C:\WINDOWS\System32\mnmsrvc.exe  - Manual

 Distributed Transaction Coordinator (MSDTC) C:\WINDOWS\System32\msdtc.exe  - Manual

 OneCare Firewall (msfwsvc) "C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"  - Auto

 Windows Installer (MSIServer) C:\WINDOWS\system32\msiexec.exe /V  - Manual

 Multi-user Cleanup Service (Multi-user Cleanup Service) "C:\Program Files\lotus\notes\ntmulti.exe"  - Auto

 McAfee Virus and Spyware Protection Service (myAgtSvc) "C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart  - Auto

 Network Access Protection Agent (napagent) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

 Network DDE (NetDDE) C:\WINDOWS\system32\netdde.exe  - Disabled

 Network DDE DSDM (NetDDEdsdm) C:\WINDOWS\system32\netdde.exe  - Disabled

 Net Logon (Netlogon) C:\WINDOWS\System32\lsass.exe  - Manual

 Network Connections (Netman) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

 Intel NCS NetService (NetSvc) C:\Program Files\Intel\NCS\Sync\NetSvc.exe  - Manual

 Network Location Awareness (NLA) (Nla) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

 NT LM Security Support Provider (NtLmSsp) C:\WINDOWS\System32\lsass.exe  - Manual

 Removable Storage (NtmsSvc) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Manual

 Windows Live OneCare Health Monitor (OcHealthMon) "C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe"  - Auto

 OneCare AntiSpyware and AntiVirus (OneCareMP) "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"  - Auto

 Office Source Engine (ose) "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"  - Manual

 Plug and Play (PlugPlay) C:\WINDOWS\system32\services.exe  - Auto

 IPSEC Services (PolicyAgent) C:\WINDOWS\System32\lsass.exe  - Auto

 Protected Storage (ProtectedStorage) C:\WINDOWS\system32\lsass.exe  - Auto

 Remote Access Auto Connection Manager (RasAuto) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

 Remote Access Connection Manager (RasMan) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

 Remote Desktop Help Session Manager (RDSessMgr) C:\WINDOWS\system32\sessmgr.exe  - Manual

 Routing and Remote Access (RemoteAccess) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Disabled

 Remote Registry (RemoteRegistry) C:\WINDOWS\system32\svchost.exe -k LocalService  - Disabled

 Remote Procedure Call (RPC) Locator (RpcLocator) C:\WINDOWS\System32\locator.exe  - Manual

 Remote Procedure Call (RPC) (RpcSs) C:\WINDOWS\system32\svchost -k rpcss  - Auto

 QoS RSVP (RSVP) C:\WINDOWS\System32\rsvp.exe  - Manual

 Security Accounts Manager (SamSs) C:\WINDOWS\system32\lsass.exe  - Auto

 Smart Card (SCardSvr) C:\WINDOWS\System32\SCardSvr.exe  - Manual

 Task Scheduler (Schedule) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Secondary Logon (seclogon) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 System Event Notification (SENS) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Auto

 Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Shell Hardware Detection (ShellHWDetection) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Print Spooler (Spooler) C:\WINDOWS\system32\spoolsv.exe  - Auto

 System Restore Service (srservice) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 SSDP Discovery Service (SSDPSRV) C:\WINDOWS\System32\svchost.exe -k LocalService  - Manual

 Windows Image Acquisition (WIA) (stisvc) C:\WINDOWS\System32\svchost.exe -k imgsvc  - Auto

 MS Software Shadow Copy Provider (SwPrv) C:\WINDOWS\System32\dllhost.exe /Processid:{261FF5D6-55B3-4D28-8348-7DBC93E219F0}  - Manual

 Performance Logs and Alerts (SysmonLog) C:\WINDOWS\system32\smlogsvc.exe  - Manual

 Telephony (TapiSrv) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

 Terminal Services (TermService) C:\WINDOWS\System32\svchost -k DComLaunch  - Manual

 Themes (Themes) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Telnet (TlntSvr) C:\WINDOWS\System32\tlntsvr.exe  - Disabled

 Distributed Link Tracking Client (TrkWks) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Auto

 TimeslipsBackup (TSScheduleBackup) C:\WINDOWS\system32\TSSchBkpService.exe  - Auto

 Universal Plug and Play Device Host (upnphost) C:\WINDOWS\System32\svchost.exe -k LocalService  - Manual

 Uninterruptible Power Supply (UPS) C:\WINDOWS\System32\ups.exe  - Manual

 Volume Shadow Copy (VSS) C:\WINDOWS\System32\vssvc.exe  - Manual

 Windows Time (w32time) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Auto

 WebClient (WebClient) C:\WINDOWS\System32\svchost.exe -k LocalService  - Auto

 Windows Management Instrumentation (winmgmt) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Auto

 Windows Live OneCare (winss) C:\Program Files\Microsoft Windows OneCare Live\winss.exe  - Auto

 Portable Media Serial Number Service (WmdmPmSN) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

 Windows Management Instrumentation Driver Extensions (Wmi) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

 WMI Performance Adapter (WmiApSrv) C:\WINDOWS\System32\wbem\wmiapsrv.exe  - Manual

 Windows Media Player Network Sharing Service (WMPNetworkSvc) "C:\Program Files\Windows Media Player\WMPNetwk.exe"  - Manual

 Security Center (wscsvc) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Automatic Updates (wuauserv) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Auto

 Windows Driver Foundation - User-mode Driver Framework (WudfSvc) C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup  - Manual

 Wireless Zero Configuration (WZCSVC) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto

 Network Provisioning Service (xmlprov) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual


====== Running Processes ======

System Idle Process   

System   [4]   
smss.exe   [596]   \SystemRoot\System32\smss.exe
csrss.exe   [644]   
winlogon.exe   [668]   winlogon.exe
services.exe   [716]   C:\WINDOWS\system32\services.exe
lsass.exe   [728]   C:\WINDOWS\system32\lsass.exe
svchost.exe   [920]   C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe   [1024]   
MsMpEng.exe   [1116]   "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
svchost.exe   [1160]   C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe   [1272]   
svchost.exe   [1320]   C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe   [1616]   
svchost.exe   [1632]   C:\WINDOWS\System32\svchost.exe -k dot3svc
spoolsv.exe   [1836]   C:\WINDOWS\system32\spoolsv.exe
AppleMobileDeviceService.exe   [120]   "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
CnxDIAS.exe   [164]   "C:\Program Files\Canon\DIAS\CnxDIAS.exe"
EngineServer.exe   [156]   "C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe"
MDM.EXE   [312]   "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
ntmulti.exe   [412]   "C:\Program Files\lotus\notes\ntmulti.exe"
myAgtSvc.exe   [640]   "C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart
OcHealthMon.exe   [756]   "C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe"
svchost.exe   [1072]   C:\WINDOWS\System32\svchost.exe -k imgsvc
TSSchBkpService.exe   [1264]   C:\WINDOWS\system32\TSSchBkpService.exe
msfwsvc.exe   [1316]   "C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
winss.exe   [1536]   "C:\Program Files\Microsoft Windows OneCare Live\winss.exe"
alg.exe   [2456]   
wmiprvse.exe   [2728]   
explorer.exe   [3124]   C:\WINDOWS\Explorer.EXE
svchost.exe   [3576]   C:\WINDOWS\System32\svchost.exe -k HTTPFilter
nwtray.exe   [3588]   "C:\WINDOWS\system32\NWTRAY.EXE"
tfswctrl.exe   [3712]   "C:\WINDOWS\system32\dla\tfswctrl.exe"
hkcmd.exe   [3992]   "C:\WINDOWS\system32\hkcmd.exe"
igfxpers.exe   [4036]   "C:\WINDOWS\system32\igfxpers.exe"
mmlweb.exe   [4056]   "C:\WINDOWS\system32\mmlweb.exe"
jusched.exe   [4064]   "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
winssnotify.exe   [240]   "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
ctfmon.exe   [1104]   "C:\WINDOWS\system32\ctfmon.exe"
acrotray.exe   [1528]   "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe"
DLG.exe   [2184]   "C:\Program Files\Digital Line Detect\DLG.exe"
McResetService.exe   [2232]   "C:\Program Files\McAfee\Managed VirusScan\Agent\McResetService.exe" 10 UpdDlg.exe
UpdDlg.exe   [3968]   
myAgtTry.exe   [1048]   "C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry"
wscript.exe   [2224]   "C:\WINDOWS\System32\WScript.exe" "C:\Documents and Settings\sh\Desktop\FileLister.vbe"
wmiprvse.exe   [3884]   
notepad.exe   [2876]   "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Documents and Settings\sh\Desktop\R.txt

====== Uninstall List From Registry ======

WebEx
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 Plugin
Adobe Download Manager 2.2 (Remove Only)
Ask Toolbar
BAM Media Player
Checker XP
Conexant D850 56K V.9x DFVc Modem
Dell AIO Printer A960
Dell Digital Jukebox Driver
Easy SpyRemover 4.3
Easy SystemCleaner 6.3
Google Desktop
HijackThis 2.0.2
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
DesignPro 5.0 Media Edition
Microsoft Data Access Components KB870669
Windows Genuine Advantage Validation Tool (KB892130)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB923689)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Internet Explorer 7 (KB928090)
Hotfix for Windows Media Format 11 SDK (KB929399)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows Internet Explorer 7 (KB939653)
Hotfix for Windows Media Player 11 (KB939683)
Security Update for Windows XP (KB941569)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows XP (KB946648)
Hotfix for Windows Internet Explorer 7 (KB947864)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Update for Windows XP (KB951072-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Update for Windows XP (KB951978)
Hotfix for Windows XP (KB952287)
Security Update for Windows XP (KB952954)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
LexisNexis Download and Print for Internet Explorer
LiveNote
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Mozilla Firefox (3.0.4)
Microsoft Compression Client Pack 1.0 for Windows XP
MSN Music Assistant
McAfee Virus and Spyware Protection Service
Microsoft National Language Support Downlevel APIs
Novell Client for Windows
Intel(R) PRO Network Adapters and Drivers
RealPlayer
Registry Mechanic 6.0
Macromedia Flash Player 8
Spybot - Search & Destroy 1.3
StampPDF2.7
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Windows Live OneCare
Windows Media Format 11 runtime
Windows Media Player 11
Microsoft User-Mode Driver Framework Feature Pack 1.0
Xerox Support Centre
Sonic Update Manager
Dell Solution Center
Sonic DLA
Dell Picture Studio - Dell Image Expert
AutoUpdate
NMAS Client (3.0.0.37)
MobileMe Control Panel
Dell Media Experience
Google Toolbar for Firefox
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Checker(1)
WebFldrs XP
Internet Explorer Default Page
MSXML 4.0 SP2 (KB927978)
Microsoft Windows OneCare Live v2.5.2900.20 Idcrl Install
NetWaiting
Dell Support
MFC
MUSICMATCH® Jukebox
Banctec Service Agreement
IPRO Tech Workstation Suite
Sibelius Scorch
WordPerfect Office 11
Microsoft Windows Live OneCare Resources v2.5.2900.20
Network Printer Driver for MFX-2030/1430 F-560/520
Lotus Notes 6.5.1
Print to Fax
Skype™ 3.5
Timeslips 2008 Local
Windows Genuine Advantage v1.3.0254.0
PX Engine
LiveNote
Dell Networking Guide
Apple Software Update
Microsoft Outlook Web Access S/MIME
Timeslips by Sage 2008
eCopy Desktop
Microsoft .NET Framework 2.0
Java 2 Runtime Environment, SE v1.4.2
Concordance
DivX
Modem Helper
Jasc Paint Shop Pro 8 Dell Edition
Microsoft Protection Service
MSXML 4.0 SP2 (KB954430)
Intel(R) Extreme Graphics 2 Driver
DivX Player
GTOneCare
QuickTime
Compatibility Pack for the 2007 Office system
Help and Support Customization
Microsoft Office Standard Edition 2003
Microsoft Office OneNote 2003
Time Zone Data Update Tool for Microsoft Office Outlook
Microsoft Application Error Reporting
Sonic RecordNow!
Apple Mobile Device Support
Intel(R) PROSet
Intel(R) Processor ID Utility
ABBYY FineReader 7.0 Professional Edition
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Acrobat 6.0.1 Standard
Adobe Reader 7.0.9
DivX Converter
Patent-In 3.3
DivX Web Player
Netflix Movie Viewer
MSXML 4.0 SP2 (KB936181)
Microsoft .NET Framework 1.1
Jasc Paint Shop Photo Album
DivX Content Uploader
Microsoft Windows OneCare Live v2.5.2900.20
ABBYY FineReader 5.0 Sprint Plus
Paint Shop Pro 7
Dell ResourceCD
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
Digital Line Detect
DesignPro 5.0 Media Edition
NICI (Shared) U.S./Worldwide (128 bit) (2.6.6-1)
Windows Resource Kit Tools
MFC
Banctec Service Agreement

======== Other Info ========

TOTAL PHYSICAL RAM: 1072 MB



Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [In Progress] Multi threat adware: search redirected
« Reply #11 on: December 03, 2008, 08:54:29 AM »
scott888

Something went wrong with the last Avenger script I had you load. Did you copy and paste the last info you loaded into Avenger, or did you manually type it? The reason I ask is that the script I had you load was interpreted differently by Avenger, and I am trying to find out what went wrong. Notice:

I had you load this

Code:
Files to Delete:
C:\WINDOWS\abesej.pif
C:\WINDOWS\hivym.ban
C:\WINDOWS\qogukyw.db
C:\WINDOWS\siposo.bat
C:\WINDOWS\SYSTEM32\agudotel.inf
C:\WINDOWS\SYSTEM32\delself.bat
C:\WINDOWS\SYSTEM32\iqocupyku.db
C:\WINDOWS\SYSTEM32\iropovy.ban

Folders to Delete:
C:\Program Files\AntivirusPro2009

But the results in avenger showed:

Code:
Error:  file "C:WINDOWSabesej.pif" not found!
Deletion of file "C:WINDOWSabesej.pif" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist
Notice the path separators are missing ( \ ).

So when you load the script in Avenger this time, make sure the information is exactly as posted.

1. Rerun Avenger

2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to Delete:
TDSSserv.sys

Files to Delete:
C:\Windows\system32\drivers\TDSSrvdc.sys
C:\WINDOWS\abesej.pif
C:\WINDOWS\hivym.ban
C:\WINDOWS\qogukyw.db
C:\WINDOWS\siposo.bat
C:\WINDOWS\SYSTEM32\agudotel.inf
C:\WINDOWS\SYSTEM32\delself.bat
C:\WINDOWS\SYSTEM32\iqocupyku.db
C:\WINDOWS\SYSTEM32\iropovy.ban

Folders to Delete:
C:\Program Files\AntivirusPro2009


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Select Load Script
  • Select Paste from Clipboard
  • The information should now appear in the Open window
  • Select Execute
  • Answer Yes when prompted "Are you sure you want to execute the current script?"
4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.

You may be able to boot into Normal Windows after this step.


2008-2010
Rights cannot exist without morals
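As an added check (not part of bamajim's post, and not something The Avenger itself provides), here is a short Python script that parses an Avenger-style script before it is pasted and flags entries whose path separators were lost, which is the failure mode shown in the log above, and that pulls the failed deletions out of a c:\avenger.txt log. The section headers and one-entry-per-line layout are taken from the post; the sample strings, the regular expressions and the function names are constructed for this example.

```python
import re

# Constructed sample: the script in the form bamajim posted it (separators intact).
GOOD_SCRIPT = """Drivers to Delete:
TDSSserv.sys

Files to Delete:
C:\\Windows\\system32\\drivers\\TDSSrvdc.sys
C:\\WINDOWS\\abesej.pif

Folders to Delete:
C:\\Program Files\\AntivirusPro2009
"""

# Constructed sample: the same kind of script after the backslashes were lost in copy/paste.
BAD_SCRIPT = """Files to Delete:
C:WINDOWSabesej.pif
C:WINDOWShivym.ban
"""

SECTIONS = ("Drivers to Delete:", "Files to Delete:", "Folders to Delete:")
# A well-formed absolute Windows path: drive letter, colon, backslash, then components
# without characters that are illegal in NTFS names.
WIN_PATH = re.compile(r'^[A-Za-z]:\\[^<>:"|?*\r\n]+$')


def parse_script(text):
    """Return {section header: [entries]} for an Avenger-style script."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = line
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def find_malformed_paths(text):
    """Return [(section, entry, reason)] for entries Avenger would not be able to resolve."""
    problems = []
    for section, entries in parse_script(text).items():
        for entry in entries:
            if section == "Drivers to Delete:":
                # Driver entries are service/driver names, not paths; a separator there is a mistake.
                if "\\" in entry or ":" in entry:
                    problems.append((section, entry, "driver entry should be a name, not a path"))
                continue
            if WIN_PATH.match(entry):
                continue
            if "\\" not in entry and re.match(r"^[A-Za-z]:", entry):
                # Drive letter present but no separator at all: the copy/paste stripped the backslashes.
                problems.append((section, entry, "path separators (\\) are missing"))
            else:
                problems.append((section, entry, "not an absolute Windows path"))
    return problems


def failed_deletions(avenger_log):
    """Return the object names an avenger.txt log reports as failed deletions."""
    failed = []
    for line in avenger_log.splitlines():
        m = re.match(r'^Deletion of (?:file|folder|driver) "([^"]+)" failed!', line)
        if m:
            failed.append(m.group(1))
    return failed


# Constructed excerpt in the shape of the failure log quoted in the thread.
SAMPLE_LOG = """Error:  file "C:WINDOWSabesej.pif" not found!
Deletion of file "C:WINDOWSabesej.pif" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist
File "C:\\WINDOWS\\hivym.ban" deleted successfully.
"""

if __name__ == "__main__":
    for section, entry, reason in find_malformed_paths(BAD_SCRIPT):
        print(f"{section} {entry}: {reason}")
    print("failed:", failed_deletions(SAMPLE_LOG))
```

Running the check on the clipboard contents before pressing Execute catches the stripped-separator case without a reboot; the log parser is for reading the result afterwards, since Avenger continues past a failed entry and the failures are easy to miss in a long log.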


Offline scott888

  • Bronze Member
  • 13
Re: [In Progress] Multi threat adware: search redirected
« Reply #12 on: December 03, 2008, 09:22:51 AM »
I also wondered about the missing file separators. I "selected" by clicking and dragging as usual. In any event, the second time appears to have worked properly:

c:\avenger.txt:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath:  \systemroot\system32\drivers\TDSSrvdc.sys
Start Type:  4 (Disabled)

Rootkit scan completed.

Driver "TDSSserv.sys" deleted successfully.
File "C:\Windows\system32\drivers\TDSSrvdc.sys" deleted successfully.
File "C:\WINDOWS\abesej.pif" deleted successfully.
File "C:\WINDOWS\hivym.ban" deleted successfully.
File "C:\WINDOWS\qogukyw.db" deleted successfully.
File "C:\WINDOWS\siposo.bat" deleted successfully.
File "C:\WINDOWS\SYSTEM32\agudotel.inf" deleted successfully.
File "C:\WINDOWS\SYSTEM32\delself.bat" deleted successfully.
File "C:\WINDOWS\SYSTEM32\iqocupyku.db" deleted successfully.
File "C:\WINDOWS\SYSTEM32\iropovy.ban" deleted successfully.
Folder "C:\Program Files\AntivirusPro2009" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


Offline scott888

  • Bronze Member
  • 13
Re: [In Progress] Multi threat adware: search redirected
« Reply #13 on: December 03, 2008, 09:27:58 AM »
Oops. Forgot the HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:01 AM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TSSchBkpService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\mmlweb.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mmlweb] C:\WINDOWS\system32\mmlweb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TimeslipsBackup (TSScheduleBackup) - Unknown owner - C:\WINDOWS\system32\TSSchBkpService.exe

--
End of file - 6833 bytes


Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [In Progress] Multi threat adware: search redirected
« Reply #14 on: December 03, 2008, 09:55:12 AM »
scott888

Looks better.

How's your PC running now?

1. Rerun Hijackthis (scan only) and place checks beside the following entries:


O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - AppInit_DLLs: karna.dat


Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log

2008-2010
Rights cannot exist without morals