Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
#1 - 04-18-2007, 11:26 AM
Registered User (Join Date: Apr 2007; Location: england; Posts: 32; OS: xp)

Help! I'm going to odd places...

When I use Google with Explorer, it re-routes me to what appear to be random websites, sometimes eBay, sometimes adverts. If I use Google through AOL, it works OK, as it does with Opera.
I'm a bit of a Luddite, but I've downloaded and analysed with HijackThis today, and I think I've attached the right info. I'd appreciate it if somebody can tell me what shouldn't be there!
Thanks in advance
Woodsy
Posted by woodsy
#2 - 04-20-2007, 05:46 PM
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy (Join Date: May 2005; Posts: 21,354; OS: XP)

Re: Help! I'm going to odd places...

Please follow MicroBell's 5 Step process - http://www.techsupportforum.com/secu...sting-log.html


I'm subscribed to this thread & would be notified of your reply.
Posted by sUBs
#3 - 04-23-2007, 03:26 AM
Registered User (Join Date: Apr 2007; Location: england; Posts: 32; OS: xp)

Re: Help! I'm going to odd places...

Hi
I've now done the five steps as advised, but my PC is going slower than ever now!
The Panda scan showed two pieces of adware, which Ad-Aware then removed; the scan showed no viruses.
I've attached the log files from Deckard's System Scanner for your analysis, please.

Deckard's System Scanner v20070411.38
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 1.70GHz
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 383.3 MiB / 100.94 MiB
Pagefile Memory (total/avail): 922.18 MiB / 577.31 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1982.15 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.64 GiB total, 9.68 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.465 v7.5.465 (GRISOFT)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\bryan\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PCUSER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\bryan
LOGONSERVER=\\PCUSER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\bryan\LOCALS~1\Temp
TMP=C:\DOCUME~1\bryan\LOCALS~1\Temp
USERDOMAIN=PCUSER
USERNAME=bryan
USERPROFILE=C:\Documents and Settings\bryan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user
bryan (admin)
wendy


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AnalogX CookieWall --> C:\Program Files\AnalogX\CookieWall\cookieu.exe
AOL Coach Version 1.0(Build:20040229.1 uk) --> "C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe" -lang="en-uk"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
AVG Anti-Virus 7.1 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Belkin 54g USB Network Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Belkin\Belkin Wireless Network Utility\setup.exe" -l0x9
Belkin F5D5000 Desktop PCI Card Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1798227A-AA89-4C78-AF55-56A38E654788}\setup.exe" -l0x9 -removeonly
Canon iP1300 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1300\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1300 /L0x0009
Canon iP1300 User Registration --> C:\Program Files\Canon\IJEREG\iP1300\UNINST.EXE
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities Easy-PrintToolBox --> C:\WINDOWS\BJPSUNST.EXE
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HexDump plug-in for Ad-Aware SE --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\hexdump\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\hexdump\INSTALL.LOG
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Lavasoft VX2 Cleaner --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\INSTALL.LOG
Lucent Win Modem --> C:\WINDOWS\system32\ltremove.exe -s
Messenger-Control plug-in for Ad-Aware SE --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\MESSEN~1\INSTALL.LOG
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{91190409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OE/W Messengerctrl plug-in for Ad-Aware SE --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\OEMESS~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\OEMESS~1\INSTALL.LOG
Opera 9.20 --> MsiExec.exe /X{E5EC3E84-F3D6-4ECB-9486-69FCF11694B3}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
QuickCam --> MsiExec.exe /I{43A9F944-0398-425E-9E22-201F65FE0CCA}
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Task Manager 1.7 --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
SoftK56 Data Fax Voice CARP --> C:\Program Files\CONEXANT\CNXT_MODEM_USB_VID_0572&PID_1301\HXFSETUP.EXE -U -IVID_0572&PID_1301
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
Tweak-SE plug-in for Ad-Aware SE --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\tweakse\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\tweakse\INSTALL.LOG
TweakNow RegCleaner Standard --> "C:\Program Files\TweakNow RegCleaner Std\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"


-- End of Deckard's System Scanner: finished at 2007-04-23 at 09:42:59 ---------
Posted by woodsy
#4 - 04-23-2007, 01:14 PM
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy (Join Date: May 2005; Posts: 21,354; OS: XP)

Re: Help! I'm going to odd places...

Ermm... you posted the wrong log. DSS.exe produces 2 logs. Where's the other one?
Posted by sUBs
#5 - 04-23-2007, 01:25 PM
Registered User (Join Date: Apr 2007; Location: england; Posts: 32; OS: xp)

Re: Help! I'm going to odd places...

Oh, sorry. From the 5 steps, I thought only 1 was needed. I'll have to start again. Sorry if I've wasted your time.
Posted by woodsy
#6 - 04-23-2007, 01:36 PM
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy (Join Date: May 2005; Posts: 21,354; OS: XP)

Re: Help! I'm going to odd places...

No need to start all over again. Just run dss.exe & post the resulting logs.
Posted by sUBs
#7 - 04-23-2007, 01:45 PM
Registered User (Join Date: Apr 2007; Location: england; Posts: 32; OS: xp)

Re: Help! I'm going to odd places...

Thanks for your quick response; I'm running HijackThis again right now.
Posted by woodsy
#8 - 04-23-2007, 01:46 PM
Registered User (Join Date: Apr 2007; Location: england; Posts: 32; OS: xp)

Re: Help! I'm going to odd places...

Here it is; I hope this is OK...

Deckard's System Scanner v20070411.38
Run by bryan on 2007-04-23 at 20:43:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as bryan.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 20:44:43, on 23/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\AOL\1132087283\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\SpywareGuard\sgmain.exe
c:\program files\common files\aol\1132087283\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\program files\common files\aol\1132087283\ee\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\AOL9~1.0A\waol.exe
C:\PROGRA~1\AOL9~1.0A\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\bryan\My Documents\dss.exe
C:\PROGRA~1\HIJACK~1\bryan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132087283\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1131966212173
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1134420727765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4906D31C-7A75-4433-9DCA-454AE3D3B1B3}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{52C6A054-2B56-4D6C-9C6D-66D66C187A2D}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{57386629-01F3-4E86-B1B1-97D55C6C1905}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{82D923A6-8012-4C29-ABDC-F2EFDB424B66}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEAC3BD2-5809-4C66-B74F-C871ED8ADE12}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{F828BBEB-0960-4AA3-AA51-F63F0F2B7012}: NameServer = 85.255.115.75,85.255.112.139
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


-- Files created between 2007-03-23 and 2007-04-23 -----------------------------

2007-04-22 19:53:33 21312 --a------ C:\WINDOWS\choice.exe
2007-04-22 18:39:53 0 d-------- C:\ie-spyad
2007-04-22 18:28:53 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-04-22 17:01:35 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-21 14:14:59 0 d-------- C:\Program Files\Eusing Free Registry Cleaner<EUSING~1>
2007-04-21 14:07:27 0 d-------- C:\Documents and Settings\bryan\Application Data\RegistrySmart<REGIST~1>
2007-04-21 14:07:01 0 d-------- C:\Program Files\RegistrySmart<REGIST~1>
2007-04-21 12:45:09 0 d-------- C:\Program Files\PConPoint<PCONPO~1>
2007-04-21 11:51:24 0 d-------- C:\Program Files\3B Software<3BSOFT~1>
2007-04-19 15:51:31 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-04-19 15:44:48 0 d-------- C:\WINDOWS\pss
2007-04-18 17:08:06 1308216 --a------ C:\Program Files\HiJackThis_v2.exe<HIJACK~1.EXE>
2007-04-16 19:45:52 53248 --a------ C:\WINDOWS\system32\LVFWWDMT.dll
2007-04-16 19:45:51 69632 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-04-16 19:45:51 57344 --a------ C:\WINDOWS\system32\LVComC.dll
2007-04-16 19:45:51 30208 --a------ C:\WINDOWS\system32\drivers\LVSound2.sys
2007-04-16 19:45:51 412160 --a------ C:\WINDOWS\system32\drivers\lvcodek2.dll
2007-04-16 19:45:51 44032 --a------ C:\WINDOWS\system32\drivers\lvce.sys
2007-04-16 19:45:51 59904 --a------ C:\WINDOWS\system32\drivers\lvcam2.dll
2007-04-16 19:45:50 200704 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-04-16 19:45:50 94208 --a------ C:\WINDOWS\system32\LVComS.exe
2007-04-16 19:45:50 167936 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-04-16 19:44:23 0 d-------- C:\Program Files\Reality Fusion<REALIT~1>
2007-04-16 19:43:59 0 d-------- C:\Program Files\Logitech
2007-04-16 19:43:54 0 d-------- C:\Program Files\Common Files\Logitech
2007-04-05 18:04:05 0 d-------- C:\Documents and Settings\wendy\Contacts
2007-04-04 19:35:32 0 d-------- C:\WINDOWS\Cache
2007-04-04 13:12:25 5504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-04-04 13:12:16 10880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-04-04 13:12:14 15360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-04-04 13:12:10 11136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-04-04 13:12:05 19328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-04-04 13:12:01 85376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-04-04 13:11:58 17024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-04-04 13:11:33 25216 --a------ C:\WINDOWS\system32\drivers\OVSound2.sys
2007-04-04 13:11:03 41984 --a------ C:\WINDOWS\system32\OVUI2RC.dll
2007-04-04 13:11:02 44544 --a------ C:\WINDOWS\system32\OVUI2.dll
2007-04-04 13:11:02 39424 --a------ C:\WINDOWS\system32\OVComS.exe
2007-04-04 13:11:02 20480 --a------ C:\WINDOWS\system32\OVComC.dll
2007-04-04 13:11:01 351616 --a------ C:\WINDOWS\system32\drivers\OVCodek2.sys
2007-04-04 13:11:00 116736 --a------ C:\WINDOWS\system32\OVCodec2.dll
2007-04-04 13:10:59 31872 --a------ C:\WINDOWS\system32\drivers\OVCE.sys
2007-04-04 13:10:54 48000 --a------ C:\WINDOWS\system32\drivers\OVCam2.sys
2007-04-04 13:10:50 53760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-04-04 13:10:37 31616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-04-03 15:00:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-03-31 13:16:12 0 d-------- C:\Program Files\CCleaner
2007-03-31 12:46:21 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan<SECTAS~1>
2007-03-31 12:45:57 0 d-------- C:\Program Files\Security Task Manager<SECURI~1>
2007-03-31 12:04:15 0 d-------- C:\WINDOWS\system32\NtmsData
2007-03-30 14:36:59 0 d-------- C:\Documents and Settings\wendy\Application Data\Leadertech<LEADER~1>
2007-03-29 19:43:38 0 d-------- C:\Documents and Settings\bryan\Application Data\Leadertech<LEADER~1>
2007-03-26 10:59:19 0 d-------- C:\Documents and Settings\wendy\Application Data\AdobeUM


-- Find3M Report ---------------------------------------------------------------

2007-04-23 14:48:43 0 d-------- C:\Program Files\Common Files\AOL
2007-04-23 08:00:09 0 d-------- C:\Documents and Settings\bryan\Application Data\AVG7
2007-04-22 18:30:43 0 d-------- C:\Program Files\Windows Defender<WINDOW~4>
2007-04-22 18:26:22 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-04-22 18:16:54 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-22 18:13:21 0 d-------- C:\Program Files\AOL 9.0a<AOL9~1.0A>
2007-04-20 09:46:20 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-04-18 17:49:02 6382 --a------ C:\Program Files\startuplist.txt<STARTU~1.TXT>
2007-04-18 17:40:55 8002 --a------ C:\Program Files\hijackthis.log<HIJACK~1.LOG>
2007-04-17 16:03:29 0 d-------- C:\Program Files\Opera
2007-04-17 10:21:45 0 d-------- C:\Documents and Settings\bryan\Application Data\Macromedia<MACROM~1>
2007-04-09 16:20:03 0 d-------- C:\Documents and Settings\bryan\Application Data\AdobeUM
2007-04-06 15:18:03 0 d-------- C:\Program Files\Yahoo!
2007-04-04 19:37:38 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-31 1443 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-28 09:49:19 0 d---s---- C:\Documents and Settings\bryan\Application Data\Microsoft<MICROS~1>
2007-03-22 18:32:29 12289487 --a------ C:\AVG7QT.DAT
2007-03-17 14:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 13:11:55 0 d-------- C:\Program Files\Java
2007-03-08 16:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 21:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1132087283\\ee\\AOLSoftware.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CookieWall"="C:\\Program Files\\AnalogX\\CookieWall\\cookie.exe"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE"
"nwiz"="nwiz.exe /install"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
"backup"="C:\\WINDOWS\\pss\\Reality Fusion GameCam SE.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\REALIT~1\\REALIT~1\\Program\\RFTRay.exe "
"item"="Reality Fusion GameCam SE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="kduua.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-04-23 at 20:45:17 ---------
Posted by woodsy
#9 - 04-23-2007, 01:54 PM
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy (Join Date: May 2005; Posts: 21,354; OS: XP)

Re: Help! I'm going to odd places...

1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Posted by sUBs
#10 - 04-23-2007, 02:26 PM
Registered User (Join Date: Apr 2007; Location: england; Posts: 32; OS: xp)

Re: Help! I'm going to odd places...

Here's the log...

I can't make HJT run again, but I'll keep trying...

"bryan" - 07-04-23 21:00:00 Service Pack 2
ComboFix 07-04-24V - Running from: "C:\PROGRA~1\AOL9~1.0A\download\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\bryan\Desktop.\internet explorer.lnk


((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))


2007-04-23 09:38 <DIR> d-------- C:\Deckard
2007-04-22 19:53 21,312 --a------ C:\WINDOWS\choice.exe
2007-04-22 18:39 <DIR> d-------- C:\ie-spyad
2007-04-22 18:28 <DIR> d-------- C:\Program Files\SpywareGuard
2007-04-22 17:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-21 14:14 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-04-21 14:07 <DIR> d-------- C:\Program Files\RegistrySmart
2007-04-21 14:07 <DIR> d-------- C:\DOCUME~1\bryan\APPLIC~1\RegistrySmart
2007-04-21 12:45 <DIR> d-------- C:\Program Files\PConPoint
2007-04-21 11:51 <DIR> d-------- C:\Program Files\3B Software
2007-04-19 15:51 <DIR> d-------- C:\VundoFix Backups
2007-04-19 15:44 <DIR> d-------- C:\WINDOWS\pss
2007-04-18 17:08 1,308,216 --a------ C:\Program Files\HiJackThis_v2.exe
2007-04-16 19:45 94,208 --a------ C:\WINDOWS\system32\LVComS.exe
2007-04-16 19:45 69,632 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-04-16 19:45 59,904 --a------ C:\WINDOWS\system32\drivers\lvcam2.dll
2007-04-16 19:45 57,344 --a------ C:\WINDOWS\system32\LVComC.dll
2007-04-16 19:45 53,248 --a------ C:\WINDOWS\system32\LVFWWDMT.dll
2007-04-16 19:45 44,032 --a------ C:\WINDOWS\system32\drivers\lvce.sys
2007-04-16 19:45 412,160 --a------ C:\WINDOWS\system32\drivers\lvcodek2.dll
2007-04-16 19:45 30,208 --a------ C:\WINDOWS\system32\drivers\LVSound2.sys
2007-04-16 19:45 200,704 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-04-16 19:45 167,936 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-04-16 19:44 <DIR> d-------- C:\Program Files\Reality Fusion
2007-04-16 19:43 <DIR> d-------- C:\Program Files\Logitech
2007-04-16 19:43 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-04-05 18:04 <DIR> d-------- C:\DOCUME~1\wendy\Contacts
2007-04-04 19:35 <DIR> d-------- C:\WINDOWS\Cache
2007-04-04 13:12 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-04-04 13:12 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-04-04 13:12 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-04-04 13:12 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-04-04 13:12 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-04-04 13:12 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-04-04 13:11 44,544 --a------ C:\WINDOWS\system32\OVUI2.dll
2007-04-04 13:11 41,984 --a------ C:\WINDOWS\system32\OVUI2RC.dll
2007-04-04 13:11 39,424 --a------ C:\WINDOWS\system32\OVComS.exe
2007-04-04 13:11 351,616 --a------ C:\WINDOWS\system32\drivers\OVCodek2.sys
2007-04-04 13:11 25,216 --a------ C:\WINDOWS\system32\drivers\OVSound2.sys
2007-04-04 13:11 20,480 --a------ C:\WINDOWS\system32\OVComC.dll
2007-04-04 13:11 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-04-04 13:11 116,736 --a------ C:\WINDOWS\system32\OVCodec2.dll
2007-04-04 13:10 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-04-04 13:10 48,000 --a------ C:\WINDOWS\system32\drivers\OVCam2.sys
2007-04-04 13:10 31,872 --a------ C:\WINDOWS\system32\drivers\OVCE.sys
2007-04-04 13:10 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-04-03 15:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-31 13:16 <DIR> d-------- C:\Program Files\CCleaner
2007-03-31 12:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-03-31 12:45 <DIR> d-------- C:\Program Files\Security Task Manager
2007-03-31 12:04 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-03-30 14:36 <DIR> d-------- C:\DOCUME~1\wendy\APPLIC~1\Leadertech
2007-03-29 19:43 <DIR> d-------- C:\DOCUME~1\bryan\APPLIC~1\Leadertech
2007-03-26 10:59 <DIR> d-------- C:\DOCUME~1\wendy\APPLIC~1\AdobeUM


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-22 18:30 -------- d-------- C:\Program Files\windows defender
2007-04-22 18:26 -------- d-------- C:\Program Files\msn messenger
2007-04-22 18:16 -------- d-------- C:\Program Files\Common Files\scanner
2007-04-22 18:13 -------- d-------- C:\Program Files\aol 9.0a
2007-04-20 09:46 -------- d-------- C:\Program Files\spywareblaster
2007-04-18 17:49 6382 --a------ C:\Program Files\startuplist.txt
2007-04-18 17:40 8002 --a------ C:\Program Files\hijackthis.log
2007-04-17 16:03 -------- d-------- C:\Program Files\opera
2007-04-06 15:18 -------- d-------- C:\Program Files\yahoo!
2007-03-31 14:06 -------- d--h----- C:\Program Files\installshield installation information
2007-03-22 18:32 12289487 --a------ C:\AVG7QT.DAT
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1132087283\\ee\\AOLSoftware.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="kduua.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CookieWall"="C:\\Program Files\\AnalogX\\CookieWall\\cookie.exe"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE"
"nwiz"="nwiz.exe /install"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
"backup"="C:\\WINDOWS\\pss\\Reality Fusion GameCam SE.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\REALIT~1\\REALIT~1\\Program\\RFTRay.exe "
"item"="Reality Fusion GameCam SE"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\RegistrySmart Scheduled Scan.job
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 2110
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-23 2131
C:\ComboFix-quarantined-files.txt ... 07-04-23 21:06
Old 04-23-2007, 02:32 PM   #11
Registered User
 
Join Date: Apr 2007
Location: england
Posts: 32
OS: xp


Re: Help! i'm going to odd places...

I think this is the file...
Logfile of HijackThis v1.99.1
Scan saved at 21:28:45, on 23/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\AOL\1132087283\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\SpywareGuard\sgmain.exe
c:\program files\common files\aol\1132087283\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\program files\common files\aol\1132087283\ee\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\AOL9~1.0A\waol.exe
C:\PROGRA~1\AOL9~1.0A\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\aol\1132087283\ee\anotify.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132087283\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1131966212173
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1134420727765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4906D31C-7A75-4433-9DCA-454AE3D3B1B3}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{52C6A054-2B56-4D6C-9C6D-66D66C187A2D}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{57386629-01F3-4E86-B1B1-97D55C6C1905}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{82D923A6-8012-4C29-ABDC-F2EFDB424B66}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEAC3BD2-5809-4C66-B74F-C871ED8ADE12}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{F828BBEB-0960-4AA3-AA51-F63F0F2B7012}: NameServer = 85.255.115.75,85.255.112.139
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Old 04-23-2007, 02:50 PM   #12
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help! i'm going to odd places...