|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
08-19-2008, 10:56 PM
|
#1 (permalink) |
|
Registered User
Join Date: Aug 2008
Posts: 7
OS: XP SP2
|
Google search results hijacked & Adware hijack
I have 2 problems, one of which I might have already corrected. First, here's the problem I know that I have. Whenever I do a Google search-- be it from the Google Toolbar, the Google web page or the Google search line on top of my IE bar; my results are hijacked 2 out 3 times. For example, I search for Star Wars Clone Wars. I get my normal page worth's of links/sites. When I go and click on one of the links/sites, I do not go to that page. I get redirected. In the address bar, I'll see an IP that starts with 719.xxx.xxx which quickly redirects to gosplat.net, which then redirects to another search engine's results or to a site that is similiar to the one I want to go to but is not that site. This happens 2/3s the time. The other 1/3 of the time, I actually get to the site I want to.
My second issue happened last week, but I think I corrected it by running Lava-Soft Ad-Aware. Some sort of Adware infected my system in 3 ways. First, my wallpaper was replaced with a blue screen (still had my icons). On the blue screen was a link saying my system was infected. Upon clicking on this link, I was sent to a site trying to sell antispyware and anti adware. The second way was I'd get a pop every now and then which looked like a pop up from MS Security Center. Again, it was a bogus redirect to an advertisement. The final way was that in my system tray next to my clock, I'd get a little triangle again mimicing Security Center and telling me my system was infected. Again, clicking on the triangle sent me to an advertisement. Like I said, I ran Ad-Aware, and I haven't had that problem since. My protection is the Windows XP Firewall and Trend Micro Internet Security 2008. I'm not running the Trend Micro firewall only the MS firewall. I also use Ad-Aware as mentioned. Attached below are the Hi-Jack This report and the Panda Soft active scan report. Thanks in advance for your assistance. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:25:40 PM, on 8/19/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe C:\WINDOWS\system32\RioMSC.exe C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe C:\WINDOWS\system32\UAService.exe C:\WINDOWS\system32\UAService7.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Trend Micro\BM\TMBMSRV.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ASUS\ASUS Remote Master\remote master.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\ASUS\ASUS Remote Master\RCManager.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\eHome\ehmsas.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\WINDOWS\system32\slrundll.exe C:\Program Files\Trend Micro\Internet Security\TmProxy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mycopper.net R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/?page=1&refresh=1#11135 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = copper.net Internet Explorer F2 - REG:system.ini: UserInit=userinit.exe N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.msn.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\harcxu76.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\harcxu76.slt\prefs.js) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Copper HiSpeed\components\NOWImaging.dll (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B862223} - C:\Program Files\Helper\1218527988.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [remotecontrol] C:\Program Files\ASUS\ASUS Remote Master\remote master.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1161046921496 O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe -- End of file - 9823 bytes Active Scan Log: ;*********************************************************************************************************************************************************************************** ANALYSIS: 2008-08-19 21:58:24 PROTECTIONS: 1 MALWARE: 33 SUSPECTS: 0 ;*********************************************************************************************************************************************************************************** PROTECTIONS Description Version Active Updated ;=================================================================================================================================================================================== Trend Micro Internet Security 2008 16.10.1079 No No ;=================================================================================================================================================================================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=================================================================================================================================================================================== 00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader.1 00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader 00035872 adware/popuper Adware No 0 Yes No c:\windows\system32\msole32.exe 00040319 adware/activesearch Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{12F02779-6D88-4958-8AD3-83C12D86ADC7} 00040376 adware/adblaster Adware No 0 Yes No hkey_classes_root\clsid\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} 00040376 adware/adblaster Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{e9147a0a-a866-4214-b47c-da821891240f} 00040376 adware/adblaster Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} 00047327 adware/adsincontext Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{029E02F0-A0E5-4B19-B958-7BF2DB29FB13} 00047327 adware/adsincontext Adware No 0 Yes No hkey_classes_root\clsid\{029e02f0-a0e5-4b19-b958-7bf2db29fb13} 00048242 adware/404search Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4} 00120993 adware/deskwizz Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4dfb-9693-23AB7686A456} 00132710 dialer.xd Dialers No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{54645654-2225-4455-44A1-9F4543D34546} 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt 00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.casalemedia.com/] 00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.casalemedia.com/] 00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.casalemedia.com/] 00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.casalemedia.com/] 00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.doubleclick.net/] 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.atdmt.com/] 00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.fastclick.net/] 00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.fastclick.net/] 00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.fastclick.net/] 00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.fastclick.net/] 00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt 00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@com[1].txt 00167744 Cookie/GoStats TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.gostats.com/] 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.statcounter.com/] 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.statcounter.com/] 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.statcounter.com/] 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.statcounter.com/] 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.statcounter.com/] 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.statcounter.com/] 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.statcounter.com/] 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.statcounter.com/] 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.statcounter.com/] 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.statcounter.com/] 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[ad.yieldmanager.com/] 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[ad.yieldmanager.com/] 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[ad.yieldmanager.com/] 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[ad.yieldmanager.com/] 00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.apmebf.com/] 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.advertising.com/] 00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[statse.webtrendslive.com/] 00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt 00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.overture.com/] 00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.questionmarket.com/] 00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt 00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.questionmarket.com/] 00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.zedo.com/] 00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.zedo.com/] 00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.zedo.com/] 00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.bluestreak.com/] 00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.adrevolver.com/] 00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.adrevolver.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.go.com/] 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@go[2].txt 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\harcxu76.slt\cookies.txt[.go.com/] 00206648 adware/activshopper Adware No 0 Yes No c:\program files\e-zshopper 00218901 adware/adbars Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{51641EF3-8A7A-4D84-8659-B0911E947CC8} 00221182 adware/eshopper Adware No 0 Yes No c:\windows\system32\eshopee.exe 00235137 application/activitymon HackTools No 0 Yes No c:\program files\amsys 03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Ralph's Downloads\KL083621.exe ;=================================================================================================================================================================================== SUSPECTS Sent Location 4 ;=================================================================================================================================================================================== ;=================================================================================================================================================================================== VULNERABILITIES Id Severity Description 4 ;=================================================================================================================================================================================== ;=================================================================================================================================================================================== |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
08-23-2008, 09:03 AM
|
#3 (permalink) |
|
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,647
OS: XP SP3
|
Re: Google search results hijacked & Adware hijack
Hello and Welcome to TSF.
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription. Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ------------------------------------------------------ Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper. ------------------------------------------------------ Please download ComboFix and Save it to your Desktop. **Note: It is important that it is saved directly to your desktop** First, we need to install the Windows Recovery Console. The Windows Recovery Console will allow you to boot up into a special recovery(repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Download the file from this Microsoft page: For XP Home >> http://www.microsoft.com/downloads/d...displaylang=en For XP Pro >> http://www.microsoft.com/downloads/d...displaylang=en Do not be concerned that this file is for SP2 and you have SP3. It will work just fine on your system. Save it as it is originally named to your Desktop. Now close all open windows and programs, including all antivirus and antispyware programs. Get help here  Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console. As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return. ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper. Once the Recovery Console is installed, this blue window will appear:  Please continue as follows:
Please post that log, ComboFix.txt along with a new HijackThis log so we may continue cleansing the system. ------------------------------------------------------ Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here. ------------------------------------------------------ Go to Start > Run and copy/paste the following single-line command into the Run box and click OK: C:\Qoobox\Add-Remove Programs.txt A text file should open. Please post the contents of that file in your next reply. ------------------------------------------------------ Please post the following in your next reply: C:\ComboFix.txt new HijackThis log Add-Remove Programs.txt If you have any questions along the way...STOP and ask them before proceeding. |
|
|
|
|
08-23-2008, 10:12 AM
|
#4 (permalink) |
|
Registered User
Join Date: Aug 2008
Posts: 7
OS: XP SP2
|
Re: Google search results hijacked & Adware hijack
Thanks. Here are the requested logs.
C:ComboFix.txt: ComboFix 08-08-21.02 - Owner 2008-08-23 10:54:02.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1358 [GMT -5:00] Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\88JVAZCX\interclick.com C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\88JVAZCX\interclick.com\ud.sol C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol C:\Documents and Settings\Owner\Cookies\owner@live[2].txt C:\Documents and Settings\Owner\Cookies\owner@my.clearchannelradio[2].txt C:\Program Files\akl C:\Program Files\akl\akl.dll C:\Program Files\akl\akl.exe C:\Program Files\akl\curlog.htm C:\Program Files\akl\keylog.txt C:\Program Files\akl\readme.txt C:\Program Files\akl\uninstall.exe C:\Program Files\akl\unsetup.dat C:\Program Files\akl\unsetup.exe C:\Program Files\amsys C:\Program Files\amsys\awmsg.dat C:\Program Files\amsys\guid.dat C:\Program Files\amsys\ijl15.dll C:\Program Files\amsys\mfc42.dll C:\Program Files\amsys\msvcrt.dll C:\Program Files\amsys\unins000.dat C:\Program Files\amsys\unis000.exe C:\Program Files\amsys\winam.dat C:\Program Files\e-zshopper C:\Program Files\e-zshopper\BarLcher.dll C:\Program Files\Helper C:\Program Files\Helper\1218527988.dll C:\Program Files\p2pnetworks C:\Program Files\p2pnetworks\amp2pl.exe C:\WINDOWS\764.exe C:\WINDOWS\7search.dll C:\WINDOWS\absolute key logger.lnk C:\WINDOWS\aconti.exe C:\WINDOWS\aconti.ini C:\WINDOWS\aconti.log C:\WINDOWS\aconti.sdb C:\WINDOWS\acontidialer.txt C:\WINDOWS\adbar.dll C:\WINDOWS\cbinst$.exe C:\WINDOWS\daxtime.dll C:\WINDOWS\dp0.dll C:\WINDOWS\eventlowg.dll C:\WINDOWS\fhfmm-Uninstaller.exe C:\WINDOWS\fhfmm.exe C:\WINDOWS\flt.dll C:\WINDOWS\hcwprn.exe C:\WINDOWS\hotporn.exe C:\WINDOWS\ie_32.exe C:\WINDOWS\jd2002.dll C:\WINDOWS\kkcomp$.exe C:\WINDOWS\kkcomp.exe C:\WINDOWS\liqad$.exe C:\WINDOWS\liqad.exe C:\WINDOWS\liqui-Uninstaller.exe C:\WINDOWS\liqui.exe C:\WINDOWS\ngd.dll C:\WINDOWS\pbar.dll C:\WINDOWS\settn.dll C:\WINDOWS\spredirect.dll C:\WINDOWS\system32\ace16win.dll C:\WINDOWS\system32\ESHOPEE.exe C:\WINDOWS\system32\msole32.exe C:\WINDOWS\system32\vxddsk.exe C:\WINDOWS\system32\wml.exe C:\WINDOWS\vxddsk.exe C:\WINDOWS\wbeInst$.exe C:\WINDOWS\wml.exe C:\WINDOWS\xadbrk.exe C:\WINDOWS\xadbrk_.exe C:\WINDOWS\xxxvideo.exe D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 ))))))))))))))))))))))))))))))) . 2008-08-19 22:45 . 2008-07-22 09:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb 2008-08-19 22:45 . 2008-07-22 09:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb 2008-08-19 22:45 . 2008-07-22 09:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb 2008-08-19 22:05 . 2008-08-19 22:08 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-08-19 18:50 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-08-18 23:24 . 2008-08-18 23:24 <DIR> d-------- C:\Program Files\Panda Security 2008-08-18 23:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys 2008-08-14 08:11 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll 2008-08-14 08:10 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll 2008-08-12 18:06 . 2008-08-12 18:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-08-12 18:06 . 2008-08-12 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-08-12 01:12 . 2008-08-12 17:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2008-08-11 19:30 . 2008-08-11 19:30 <DIR> d-------- C:\Program Files\QuickMediaConverter 2008-08-11 19:05 . 2008-08-11 19:05 <DIR> d-------- C:\Program Files\iSofter 2008-08-11 19:05 . 2005-09-29 21:37 716,800 --a------ C:\WINDOWS\system32\lameACM.acm 2008-08-11 19:05 . 2006-01-30 21:54 414 --a------ C:\WINDOWS\system32\lame_acm.xml 2008-08-11 11:39 . 2008-08-11 11:39 <DIR> d-------- C:\Program Files\Avex 2008-08-11 01:26 . 2008-08-11 18:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\dvdcss 2008-08-11 01:25 . 2008-05-06 01:01 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS 2008-08-10 23:51 . 2008-08-11 19:32 <DIR> d-------- C:\My Movies 2008-08-10 20:18 . 2008-08-10 20:18 <DIR> d-------- C:\Program Files\AC3Filter 2008-08-10 20:18 . 2008-07-09 03:05 421,888 --a------ C:\WINDOWS\system32\ac3filter.acm 2008-08-10 18:52 . 2008-08-10 18:52 <DIR> d-------- C:\Documents and Settings\Owner\New Folder 2008-08-10 17:47 . 2008-08-10 17:47 <DIR> d-------- C:\Program Files\Cucusoft 2008-08-10 17:47 . 2008-08-11 11:39 <DIR> d-------- C:\Program Files\Common Files\Download Manager 2008-07-25 03:36 . 2008-07-25 03:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe 2008-07-25 03:36 . 2008-07-25 03:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb 2008-07-23 11:50 . 2008-07-23 11:50 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2008-07-23 11:48 . 2008-07-23 11:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll 2008-07-23 11:48 . 2008-07-23 11:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll 2008-07-23 11:47 . 2008-07-23 11:47 634,880 --a------ C:\WINDOWS\system32\divxdec.ax 2008-07-23 11:47 . 2008-07-23 11:47 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax 2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest 2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest 2008-07-23 11:46 . 2008-07-23 11:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-23 15:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-08-20 03:49 --------- d-----w C:\Program Files\Microsoft Works 2008-08-19 23:50 --------- d-----w C:\Program Files\Java 2008-08-18 04:41 --------- d-----w C:\Program Files\Trend Micro 2008-08-18 02:59 --------- d-----w C:\Program Files\Google 2008-08-12 23:07 --------- d-----w C:\Program Files\Lavasoft 2008-08-12 23:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft 2008-08-12 00:52 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-08-12 00:52 --------- d-----w C:\Program Files\NCSoft 2008-08-11 04:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX 2008-08-11 01:11 --------- d-----w C:\Program Files\DivX 2008-07-26 05:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\OfficeUpdate12 2008-07-23 16:50 129,784 ------w C:\WINDOWS\system32\pxafs.dll 2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2008-07-19 00:08 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys 2008-07-19 00:08 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys 2008-07-18 23:51 1,195,448 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys 2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-06-30 05:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies 2008-06-30 05:05 --------- d-----w C:\Program Files\Electronic Arts 2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-06-23 04:51 --------- d-----w C:\Program Files\Democracy2 Demo 2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll 2007-03-25 04:38 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360] "OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-17 10:29 488712] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-17 18:32 171448] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "remotecontrol"="C:\Program Files\ASUS\ASUS Remote Master\remote master.exe" [2002-11-17 21:41 69632] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 01:42 212992] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784] "nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe] "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 18:56 24576 C:\WINDOWS\system32\CTHELPER.EXE] "SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 90112 C:\WINDOWS\soundman.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM "vidc.asv2"= asusasv2.dll "msvideo7"= STV680tg.dll "msacm.ac3filter"= ac3filter.acm [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Copper HiSpeed.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Copper HiSpeed.lnk backup=C:\WINDOWS\pss\Copper HiSpeed.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Agent] --a------ 2002-07-17 16:13 94208 C:\Program Files\CyberLink\PowerVCRII\agent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2008-04-13 19:12 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core] --a------ 2006-06-09 02:35 1851392 C:\Program Files\Electronic Arts\EA Downloader\Core.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzAgent] --a------ 2002-10-31 10:20 114688 C:\Program Files\ASUS\ASUS EzVCR.FM\ezagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] --a------ 2003-01-17 12:08 1224704 C:\Program Files\Ahead\InCD\InCD.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2008-04-13 19:12 1695232 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] -ra------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage] --a------ 2002-02-20 20:01 49152 C:\Program Files\ScanSoft\OmniPageSE\opware32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2006-11-04 00:26 214560 C:\Program Files\Real\RealPlayer\realplay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remote_Agent] --a------ 2002-07-05 11:29 32768 C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2006-11-04 00:26 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Unforgettable!] --a------ 2005-08-31 17:01 1688576 C:\Program Files\Unforgettable!\Unforgettable.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "PrismXL"=2 (0x2) "ose"=3 (0x3) "WMPNetworkSvc"=2 (0x2) "Pctspk"=2 (0x2) "iPod Service"=3 (0x3) "Apple Mobile Device"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup "<NO NAME>"= "UpdReg"=C:\WINDOWS\UpdReg.EXE [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\system32\\dpvsetup.exe"= "C:\\WINDOWS\\system32\\dxdiag.exe"= "C:\\WINDOWS\\system32\\dpnsvr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe"= "C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\fpupdate.exe"= "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"= "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"= "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"= "C:\\Program Files\\Netscape\\Netscape\\Netscp.exe"= "C:\\Program Files\\DNA\\btdna.exe"= "C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"= "C:\\WINDOWS\\system32\\msiexec.exe"= "C:\\Program Files\\The Adventure Company\\Evidence\\chapp.EXE"= "C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\LaunchBFII.exe"= "C:\\Program Files\\BearShare\\BearShare.exe"= R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-05 18:07] R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24] R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-01-15 13:02] R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-13 19:12] R2 OpenCASE Media Agent;OpenCASE Media Agent;C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [2008-01-16 16:57] S3 Cap7134;ASUS TV7133 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-05-21 14:24] S3 PhTVTune;ASUS TV7133 WDM TVTuner;C:\WINDOWS\system32\DRIVERS\Ph33Tune.sys [2002-11-13 02:54] S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28] S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 12:09] S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55ab965b-980d-11da-921b-806d6172696f}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94ae581-9805-11da-b621-806d6172696f}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 *Newly Created Service* - CATCHME *Newly Created Service* - PROCEXP90 . Contents of the 'Scheduled Tasks' folder 2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57] 2008-08-23 C:\WINDOWS\Tasks\B16D7880907EF66C.job - c:\docume~1\owner\applic~1\balldo~1\Does Team Gram.exe [] 2006-06-18 C:\WINDOWS\Tasks\ISP signup reminder 3.job - C:\WINDOWS\system32\OOBE\oobebaln.exe [2008-04-13 19:12] . - - - - ORPHANS REMOVED - - - - HKCU-Run-Power2GoExpress - (no file) MSConfigStartUp-iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe MSConfigStartUp-Jump Readme - C:\DOCUME~1\Owner\APPLIC~1\BALLDO~1\Part 32 Intra.exe MSConfigStartUp-MovieNetworks Instant Access - C:\Program Files\Instant Access\InstantAccess.exe MSConfigStartUp-mpeg heck log link - C:\Documents and Settings\All Users\Application Data\Joy coal mpeg heck\mix fast.exe MSConfigStartUp-SlipStream - C:\Program Files\Copper HiSpeed\coppercore.exe . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kqwcbgmh.default\ FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://my.msn.com/ . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-23 10:57:52 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-08-23 10:59:40 ComboFix-quarantined-files.txt 2008-08-23 15:59:18 Pre-Run: 175,358,312,448 bytes free Post-Run: 175,657,193,472 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect 327 --- E O F --- 2008-08-19 12:25:03 New HiJackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11  22 AM, on 8/23/2008Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe C:\WINDOWS\system32\RioMSC.exe C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\UAService.exe C:\WINDOWS\system32\UAService7.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Trend Micro\BM\TMBMSRV.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\dllhost.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\system32\slrundll.exe C:\Program Files\Trend Micro\Internet Security\TmProxy.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/?page=1&refresh=1#11135 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.msn.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\harcxu76.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\harcxu76.slt\prefs.js) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Copper HiSpeed\components\NOWImaging.dll (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [remotecontrol] C:\Program Files\ASUS\ASUS Remote Master\remote master.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1161046921496 O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe -- End of file - 9189 bytes Add-Remove Programs.txt: AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7} Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003} Adobe Reader 8.1.2 Security Update 1 (KB403742) --> Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log Ahead InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL Ahead NeroMediaPlayer --> C:\WINDOWS\UNNMP.exe /UNINSTALL Ahead NeroVision Express --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL Apple Mobile Device Support --> MsiExec.exe /I{373CDFEC-F0DE-4C40-81AB-EF64F6F2F948} Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4} ArcSoft PhotoBase 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1D14C0D-FDAA-4DF2-8441-A902805CCE8C}\setup.exe" -l0x9 -uninst ArcSoft PhotoStudio 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03F1CC67-5BD8-4C36-8394-76311B2AE69A}\setup.exe" -l0x9 -uninst ASUS EzVCR.FM --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ASUS\ASUS EzVCR.FM\Uninst.isu" ASUS Remote Master --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5E9BD269-C5A7-4AB9-B121-D499210EA4B6} ASUS TV FM CARD --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2D37FB97-944C-402E-B587-E969BFD99A10} BearShare --> C:\PROGRA~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\INSTALL.LOG BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll" Browser Address Error Redirector --> regsvr32 /u /s "c:\windows\system32\BAE.dll" Canon CanoScan Toolbox 4.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\CanoScan Toolbox Ver4.0\Uninst.isu" -c"C:\Program Files\Canon\CanoScan Toolbox Ver4.0\uninst.dll" Canon i850 --> C:\WINDOWS\system32\CNMCP4b.exe "-PRINTERNAMECanon i850" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon i850 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon i850 Installer\Inst2\cnmi0409.dll" Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoRecord\Uninst.isu" -c"C:\Program Files\Canon\PhotoRecord\Program\uninstdll.dll" Canon Utilities Easy-PhotoPrint --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint\EZUNINST.DLL" Canon Utilities PhotoStitch 3.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoStitch\Uninst.isu" Canon Utilities ZoomBrowser EX --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\ZoomBrowser EX\Uninst.isu" -c"C:\Program Files\Canon\ZoomBrowser EX\Program\uninstallutilities.dll" CiD Help --> C:\DOCUME~1\Owner\APPLIC~1\BALLDO~1\Part 32 Intra.exe -uninstall Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE} Democracy 2 Demo --> "C:\Program Files\Democracy2 Demo\unins000.exe" Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875} /l1033 DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN DVD Solution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall EA downloader --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{1D171963-9063-4423-898B-8EC4F1F190B7} /l1033 EA SPORTS online 2008 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe Evidence The Last Ritual --> C:\Program files\The Adventure Company\Evidence\Desinst.exe Futuremark Measurement Services Client --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msc3.inf,DefaultUninstall,5 GGE909 PC Recoil Pad --> C:\PROGRA~1\GAMEEL~1\GGE909~1\UNWISE.EXE C:\PROGRA~1\GAMEEL~1\GGE909~1\INSTALL.LOG Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll" HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Hotfix for Windows Internet Explorer 7 (KB947864) --> "C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe" Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Hotfix for Windows Media Player 10 (KB903157) --> "C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe" Hotfix for Windows Media Player 10 (KB910393) --> "C:\WINDOWS\$NtUninstallKB910393$\spuninst\spuninst.exe" Hotfix for Windows Media Player 11 (KB939683) --> "C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe" Hotfix for Windows XP (KB952287) --> "C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe" Image Transfer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{564A8DD3-70BC-4018-A5C3-7CEB10BBB6E9}\Setup.exe" UNINSTALL ImageMixer for Sony --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B4AA674-F5CA-4BB5-831A-CD37B4021959}\setup.exe" Indeo® software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\Indeo\Uninst.isu" -c"C:\Program Files\Intel\Indeo\SavedSystemFiles\indounin.dll" J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020} J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070} Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext Java Web Start --> "C:\Program Files\Java\jre1.5.0_07\bin\uninst-javaws.exe" Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070} Madden NFL 08 --> C:\Program Files\EA Sports\Madden NFL 08\EAUninstall.exe Mah Jong Medley --> "C:\Program Files\Mah Jong Medley\ReflexiveArcade\unins000.exe" MahJong v1.2 --> "C:\Program Files\Absolutist.com\MahJong\unins000.exe" Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp" Microsoft .NET Framework 2.0 --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe" Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11 Microsoft Internationalized Domain Names Mitigation APIs --> "C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe" Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120 Microsoft National Language Support Downlevel APIs --> "C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe" Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9} Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9} Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1} MicroStaff WINASPI --> C:\MWASPI\uninst.exe Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe MSN --> C:\Program Files\MSN\MsnInstaller\msniadm.exe /Action:ARP MSXML 4.0 SP2 (KB925672) --> MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63} MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F} MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF} MyDSC2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83D96ED0-98AA-4515-8DDC-816F3EFDD104}\Setup.exe" -l0x9 Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1} NBC Direct Beta --> MsiExec.exe /I{C91EF330-F152-44ED-A33A-0F4FF3FAF813} Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0} Netscape (7.2) --> C:\WINDOWS\NSUninst.exe /ua "7.2 (en)" NFL Head Coach --> C:\Program Files\EA SPORTS\NFL Head Coach\EAUninstall.exe NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI OmniPage SE --> MsiExec.exe /I{6249C22D-E6A8-407B-BA8B-40298848ED94} OpenCASE Media Agent --> MsiExec.exe /I{1771FDC8-D846-4B77-996A-C80DAD42C03F} Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe PeaceMaker Demo 1.063 --> C:\Program Files\PeaceMaker Demo\uninstall.exe Player --> "C:\Program Files\QuickMediaConverter\WDUNINST.EXE" /REG="QUICKMEDIACONVERTER" PlayNC Launcher --> C:\Program Files\InstallShield Installation Information\{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}\setup.exe -runfromtemp -l0x0009 -removeonly Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall PowerDirector Pro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\Setup.exe" -uninstall PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall PowerVCR II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0BA5720-E189-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD} RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly Rio Internet Update --> MsiExec.exe /X{493F2531-C2E5-4B73-8B11-66E9CFDA9AFA} Rio Music Manager --> MsiExec.exe /X{282EF7E3-AE54-48AE-A11D-27F512F23AB3} Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A} Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A} Security Update for Microsoft .NET Framework 2.0 (KB928365) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} Security Update for Windows Internet Explorer 7 (KB929969) --> Security Update for Windows Internet Explorer 7 (KB937143) --> "C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB938127) --> "C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB939653) --> "C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB942615) --> "C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB944533) --> "C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB950759) --> "C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB953838) --> "C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe" Security Update for Windows Media Player 10 (KB917734) --> "C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB936782) --> "C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe" Security Update for Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" Security Update for Windows XP (KB946648) --> "C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe" Security Update for Windows XP (KB950760) --> "C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe" Security Update for Windows XP (KB950762) --> "C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Security Update for Windows XP (KB950974) --> "C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe" Security Update for Windows XP (KB951066) --> "C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376-v2) --> "C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376) --> "C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe" Security Update for Windows XP (KB951698) --> "C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe" Security Update for Windows XP (KB951748) --> "C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Security Update for Windows XP (KB952954) --> "C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe" Security Update for Windows XP (KB953839) --> "C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe" Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log Sid Meier's Pirates! --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{1632FD86-1BA4-4FC4-8B25-A8C655D63F68} /l1033 SimCity 4 Deluxe --> C:\Program Files\Maxis\SimCity 4 Deluxe\EAUninstall.exe SimCity™ Societies --> MsiExec.exe /X{0B5154C0-8F00-4616-B0AB-6240AE80D9CE} Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011} Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL Sound Blaster Live! Web 2K/XP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}\Setup.exe" -l0x9 SpeedStream 2604 DSL/Cable Router --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SpeedStream 2604\Uninst.isu" SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe" Star Wars Battlefront II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3D374523-CFDE-461A-827E-2A102E2AB365}\Setup.exe" -l0x9 -removeonly Star Wars Empire at War --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99AE7207-8612-4DBA-A8F8-BAE5C633390D}\Setup.exe" -l0x9 -removeonly Star Wars Galaxies --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88038160-9BCB-47BE-A5C3-5CE2DC115509}\setup.exe" -l0x9 Star Wars Galaxies: Jump To Lightspeed --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D90A2D08-010E-4029-A29B-95411B917862}\setup.exe" -l0x9 System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe The Movies(TM) --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{0556F885-2415-4666-B53E-33727E46AEA1} /l1033 Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE} Trend Micro Internet Security --> C:\Program Files\Trend Micro\Internet Security\remove.exe Trend Micro Internet Security --> MsiExec.exe /X{A621B45A-D138-4A95-BE10-7CABA05EF94E} Unforgettable! 3.67 (Build:31 Aug 2005) --> "C:\Program Files\Unforgettable!\Bin\unins000.exe" Update for Windows Media Player 10 (KB913800) --> "C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe" Update for Windows Media Player 10 (KB926251) --> "C:\WINDOWS\$NtUninstallKB926251$\spuninst\spuninst.exe" Update for Windows XP (KB951072-v2) --> "C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe" Update for Windows XP (KB951618-v2) --> "C:\WINDOWS\$NtUninstallKB951618-v2$\spuninst\spuninst.exe" Update for Windows XP (KB951978) --> "C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe" Update for Windows XP (KB953356) --> "C:\WINDOWS\$NtUninstallKB953356$\spuninst\spuninst.exe" Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe Virtual Earth 3D (Beta) --> MsiExec.exe /I{39CE3C17-846D-4D9B-8B3E-C01A4B90FB73} WinAce Archiver --> "C:\Program Files\WinAce\SXUNINST.EXE" "C:\Program Files\WinAce\SXUNINST.INI" Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE} Windows Genuine Advantage Notifications (KB905474) --> Windows Genuine Advantage Validation Tool (KB892130) --> Windows Genuine Advantage Validation Tool (KB892130) --> Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe" Windows Internet Explorer 7 --> Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe" Windows Media Format 11 runtime --> "C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Media Player 11 --> "C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall Windows Media Player 11 --> "C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe" Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4} Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790} Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8} Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe" Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall World in Conflict --> C:\Program Files\InstallShield Installation Information\{F11ADC64-C89E-47F4-A0B3-3665FF859397}\setup.exe -runfromtemp -l0x0009 -removeonly Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe" XviD 1.1 final uninstall --> "C:\Program Files\XviD\unins000.exe" |
|
|
|
|
08-23-2008, 11:50 AM
|
#5 (permalink) |
|
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,647
OS: XP SP3
|
Re: Google search results hijacked & Adware hijack
Hello again, Ralphmtsu. Please tell us how your system is behaving after doing the following.
Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ------------------------------------------------------ I see you have P2P software ( BearShare ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information. Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares. References for the risk of these programs are here, here, and here. I would strongly recommend that you uninstall it, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs. If you decide to uninstall BearShare, also delete these Folders if they still exist: C:\Documents and Settings\Owner\Application Data\BearShare C:\Program Files\BearShare ------------------------------------------------------ Close any open browsers. Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix. Open Notepad and copy/paste all the text in the codebox below into Notepad: Code:
Registry::
[-hkey_local_machine\software\classes\runmsc.loader.1]
[-hkey_local_machine\software\classes\runmsc.loader]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{12F02779-6D88-4958-8AD3-83C12D86ADC7}]
[-hkey_classes_root\clsid\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{029E02F0-A0E5-4B19-B958-7BF2DB29FB13}]
[-hkey_classes_root\clsid\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4dfb-9693-23AB7686A456}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{51641EF3-8A7A-4D84-8659-B0911E947CC8}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=-
File::
C:\Ralph's Downloads\KL083621.exe
C:\WINDOWS\Tasks\B16D7880907EF66C.job
 Referring to the picture above, drag CFScript onto ComboFix If you are prompted to update ComboFix, please click Yes Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply. Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. ------------------------------------------------------ You have old versions of Java still installed. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components.
Please download ATF-Cleaner by Atribune and Save it to your Desktop. This program is for XP and Windows 2000 only
For Technical Support, double-click the e-mail address located at the bottom of each menu. ------------------------------------------------------ Please run this online scan to help look for remnants. Go here to run an online scannner from ESET. **Note** To optimize scanning time and produce a more sensible report for review:
Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here. ------------------------------------------------------ Please post the following in your next reply: C:\ComboFix.txt log.txt from ESET new HijackThis log report on system behavior Last edited by chemist; 08-23-2008 at 11:55 AM. |
|
|
|
|
08-23-2008, 03:24 PM
|
#6 (permalink) |
|
Registered User
Join Date: Aug 2008
Posts: 7
OS: XP SP2
|
Re: Google search results hijacked & Adware hijack
Thanks-- Here are the log files. Also, my system seems to be back to normal. No more Google hijacked search results-- great!! Can I delete/remove the ancillary programs if my system is clean, or should I keep them? Thanks, again.
ComboFix.txt: ComboFix 08-08-21.02 - Owner 2008-08-23 14:03:39.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1452 [GMT -5:00] Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt * Created a new restore point FILE :: C:\Ralph's Downloads\KL083621.exe C:\WINDOWS\Tasks\B16D7880907EF66C.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Owner\Cookies\owner@live[2].txt C:\Ralph's Downloads\KL083621.exe C:\WINDOWS\Tasks\B16D7880907EF66C.job . ((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 ))))))))))))))))))))))))))))))) . 2008-08-19 22:45 . 2008-07-22 09:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb 2008-08-19 22:45 . 2008-07-22 09:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb 2008-08-19 22:45 . 2008-07-22 09:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb 2008-08-19 22:05 . 2008-08-19 22:08 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-08-19 18:50 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-08-18 23:24 . 2008-08-18 23:24 <DIR> d-------- C:\Program Files\Panda Security 2008-08-18 23:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys 2008-08-14 08:11 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll 2008-08-14 08:10 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll 2008-08-12 18:06 . 2008-08-12 18:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-08-12 18:06 . 2008-08-12 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-08-12 01:12 . 2008-08-12 17:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2008-08-11 19:30 . 2008-08-11 19:30 <DIR> d-------- C:\Program Files\QuickMediaConverter 2008-08-11 19:05 . 2008-08-11 19:05 <DIR> d-------- C:\Program Files\iSofter 2008-08-11 19:05 . 2005-09-29 21:37 716,800 --a------ C:\WINDOWS\system32\lameACM.acm 2008-08-11 19:05 . 2006-01-30 21:54 414 --a------ C:\WINDOWS\system32\lame_acm.xml 2008-08-11 11:39 . 2008-08-11 11:39 <DIR> d-------- C:\Program Files\Avex 2008-08-11 01:26 . 2008-08-11 18:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\dvdcss 2008-08-11 01:25 . 2008-05-06 01:01 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS 2008-08-10 23:51 . 2008-08-11 19:32 <DIR> d-------- C:\My Movies 2008-08-10 20:18 . 2008-08-10 20:18 <DIR> d-------- C:\Program Files\AC3Filter 2008-08-10 20:18 . 2008-07-09 03:05 421,888 --a------ C:\WINDOWS\system32\ac3filter.acm 2008-08-10 18:52 . 2008-08-10 18:52 <DIR> d-------- C:\Documents and Settings\Owner\New Folder 2008-08-10 17:47 . 2008-08-10 17:47 <DIR> d-------- C:\Program Files\Cucusoft 2008-08-10 17:47 . 2008-08-11 11:39 <DIR> d-------- C:\Program Files\Common Files\Download Manager 2008-07-25 03:36 . 2008-07-25 03:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe 2008-07-25 03:36 . 2008-07-25 03:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb 2008-07-23 11:50 . 2008-07-23 11:50 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2008-07-23 11:48 . 2008-07-23 11:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll 2008-07-23 11:48 . 2008-07-23 11:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll 2008-07-23 11:47 . 2008-07-23 11:47 634,880 --a------ C:\WINDOWS\system32\divxdec.ax 2008-07-23 11:47 . 2008-07-23 11:47 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax 2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest 2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest 2008-07-23 11:46 . 2008-07-23 11:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-23 15:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-08-20 03:49 --------- d-----w C:\Program Files\Microsoft Works 2008-08-19 23:50 --------- d-----w C:\Program Files\Java 2008-08-18 04:41 --------- d-----w C:\Program Files\Trend Micro 2008-08-18 02:59 --------- d-----w C:\Program Files\Google 2008-08-12 23:07 --------- d-----w C:\Program Files\Lavasoft 2008-08-12 23:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft 2008-08-12 00:52 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-08-12 00:52 --------- d-----w C:\Program Files\NCSoft 2008-08-11 04:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX 2008-08-11 01:11 --------- d-----w C:\Program Files\DivX 2008-07-26 05:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\OfficeUpdate12 2008-07-23 16:50 129,784 ------w C:\WINDOWS\system32\pxafs.dll 2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2008-07-19 00:08 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys 2008-07-19 00:08 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys 2008-07-18 23:51 1,195,448 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys 2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-06-30 05:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies 2008-06-30 05:05 --------- d-----w C:\Program Files\Electronic Arts 2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-06-23 04:51 --------- d-----w C:\Program Files\Democracy2 Demo 2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll 2007-03-25 04:38 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-17 18:32 171448] "OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-17 10:29 488712] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "remotecontrol"="C:\Program Files\ASUS\ASUS Remote Master\remote master.exe" [2002-11-17 21:41 69632] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 01:42 212992] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784] "nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe] "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 18:56 24576 C:\WINDOWS\system32\CTHELPER.EXE] "SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 90112 C:\WINDOWS\soundman.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM "vidc.asv2"= asusasv2.dll "msvideo7"= STV680tg.dll "msacm.ac3filter"= ac3filter.acm [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Copper HiSpeed.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Copper HiSpeed.lnk backup=C:\WINDOWS\pss\Copper HiSpeed.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Agent] --a------ 2002-07-17 16:13 94208 C:\Program Files\CyberLink\PowerVCRII\agent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2008-04-13 19:12 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core] --a------ 2006-06-09 02:35 1851392 C:\Program Files\Electronic Arts\EA Downloader\Core.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzAgent] --a------ 2002-10-31 10:20 114688 C:\Program Files\ASUS\ASUS EzVCR.FM\ezagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] --a------ 2003-01-17 12:08 1224704 C:\Program Files\Ahead\InCD\InCD.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2008-04-13 19:12 1695232 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] -ra------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage] --a------ 2002-02-20 20:01 49152 C:\Program Files\ScanSoft\OmniPageSE\opware32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2006-11-04 00:26 214560 C:\Program Files\Real\RealPlayer\realplay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remote_Agent] --a------ 2002-07-05 11:29 32768 C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2006-11-04 00:26 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Unforgettable!] --a------ 2005-08-31 17:01 1688576 C:\Program Files\Unforgettable!\Unforgettable.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "PrismXL"=2 (0x2) "ose"=3 (0x3) "WMPNetworkSvc"=2 (0x2) "Pctspk"=2 (0x2) "iPod Service"=3 (0x3) "Apple Mobile Device"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup "<NO NAME>"= "UpdReg"=C:\WINDOWS\UpdReg.EXE [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\system32\\dpvsetup.exe"= "C:\\WINDOWS\\system32\\dxdiag.exe"= "C:\\WINDOWS\\system32\\dpnsvr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe"= "C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\fpupdate.exe"= "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"= "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"= "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"= "C:\\Program Files\\Netscape\\Netscape\\Netscp.exe"= "C:\\Program Files\\DNA\\btdna.exe"= "C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"= "C:\\WINDOWS\\system32\\msiexec.exe"= "C:\\Program Files\\The Adventure Company\\Evidence\\chapp.EXE"= "C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\LaunchBFII.exe"= "C:\\Program Files\\BearShare\\BearShare.exe"= R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-05 18:07] R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24] R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-01-15 13:02] R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-13 19:12] R2 OpenCASE Media Agent;OpenCASE Media Agent;C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [2008-01-16 16:57] S3 Cap7134;ASUS TV7133 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-05-21 14:24] S3 PhTVTune;ASUS TV7133 WDM TVTuner;C:\WINDOWS\system32\DRIVERS\Ph33Tune.sys [2002-11-13 02:54] S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28] S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 12:09] S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55ab965b-980d-11da-921b-806d6172696f}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94ae581-9805-11da-b621-806d6172696f}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 . Contents of the 'Scheduled Tasks' folder 2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57] 2006-06-18 C:\WINDOWS\Tasks\ISP signup reminder 3.job - C:\WINDOWS\system32\OOBE\oobebaln.exe [2008-04-13 19:12] . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-23 14 53Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-08-23 14:08:32 ComboFix-quarantined-files.txt 2008-08-23 19:08:06 ComboFix2.txt 2008-08-23 15:59:41 Pre-Run: 175,667,458,048 bytes free Post-Run: 175,665,692,672 bytes free 235 --- E O F --- 2008-08-19 12:25:03 ESET Log: # version=4 # OnlineScanner.ocx=1.0.0.56 # OnlineScannerDLLA.dll=1, 0, 0, 51 # OnlineScannerDLLW.dll=1, 0, 0, 51 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3382 (20080823) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.066 (20070917) # EOSSerial=3e070810feae60499f9ffca64219da54 # end=finished # remove_checked=false # unwanted_checked=true # utc_time=2008-08-23 08:18:31 # local_time=2008-08-23 03:18:31 (-0600, Central Daylight Time) # country="United States" # osver=5.1.2600 NT Service Pack 3 # scanned=457927 # found=4 # scan_time=3404 C:\QooBox\Quarantine\C\Program Files\Helper\1218527988.dll.vir Win32/BHO.NBZ trojan 26D7C16012EF508270A384A713E49422 C:\QooBox\Quarantine\C\Ralph's Downloads\KL083621.exe.vir Win32/TrojanDownloader.FakeAlert.AG trojan 8D59008E075ADE5A0A1456270F47C51E C:\Ralph's Downloads\BSINSTALL.exe Win32/Adware.SaveNow application D386D853B1A1528CE305299EF7C2088E C:\Ralph's Downloads\BSINSTALL.exe »WISE »saveinstwm.exe Win32/Adware.SaveNow application 00000000000000000000000000000000 HijackThis: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:08:34 PM, on 8/23/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RioMSC.exe C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe C:\WINDOWS\system32\UAService.exe C:\WINDOWS\system32\UAService7.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Trend Micro\BM\TMBMSRV.exe C:\Program Files\ASUS\ASUS Remote Master\remote master.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\ASUS\ASUS Remote Master\RCManager.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\system32\slrundll.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\Internet Security\TmProxy.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/?page=1&refresh=1#11135 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.msn.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\harcxu76.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\harcxu76.slt\prefs.js) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Copper HiSpeed\components\NOWImaging.dll (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [remotecontrol] C:\Program Files\ASUS\ASUS Remote Master\remote master.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1161046921496 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe -- End of file - 9884 bytes |
|
|
|
|
08-23-2008, 03:40 PM
|
#7 (permalink) |
|
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,647
OS: XP SP3
|
Re: Google search results hijacked & Adware hijack
Hello again, Ralphmtsu. You can keep ATF-Cleaner to clean out the junk every once in awhile. We will get rid of the rest now.
------------------------------------------------------ Delete the following File if it still exists: C:\Ralph's Downloads\BSINSTALL.exe ------------------------------------------------------ Congratulations. Well done! Your logs appear clean. You should be good to go. As far as those infected objects listed in the ESET log, those are safely tucked away in ComboFix's quarantine folder or in old System Restore points, which we will be taking care of now. Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK combofix /uThis will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore points which contain previous infections, and create a fresh, clean System Restore point. Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already. You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix. ------------------------------------------------------ MICROSOFT UPDATES It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection. SPYWARE PREVENTION This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
Please respond to this thread one more time so we can mark this thread as resolved. |
|
|
|
| Thread Tools | |
|
|
