Discussion Starter · #1
IE randomly pops up, google shows unrelated links & computer is slower than before

For the last couple of days my computer has been acting in a very strange manner. When I use Firefox, IE randomly opens up with advertisements. It also appears that Google has been hijacked or something. When I search for something I get some of the same links for every search, which are completely unrelated to what I am searching for. In addition, the internet (and the computer) are slower than before, and occasionally all the windows and desktop icons disappear with only the desktop wallpaper remaining in the background. However, over the last couple of hours some of the symptoms (IE opening up, and Google acting weird) seem to have reduced. I must also confess that I had recently downloaded and installed LimeWire, although I did uninstall it shortly after I had installed it. Also, I had bought Norton Antivirus protection in late August/early September and it was working fine until around early October, when I was prompted to upgrade to Norton 2009 for free; Norton 2009 does not work properly, with certain things like intrusion prevention being turned off.


DDS (Version 1.0) - NTFSx86
Run by Owner at 21:23:42.51 on Tue 11/11/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.979 [GMT -5:00]

=============== Created Last 30 ================

2008-11-11 17:23 <DIR> --dsh--- c:\windows\system32\GroupPolicyManifest
2008-11-11 17:23 318,976 a--sh--- c:\windows\system32\16C.tmp
2008-11-11 01:30 250 a------- c:\windows\gmer.ini
2008-11-11 00:44 26,496 a------- c:\windows\system32\dllcache\usbstor.sys
2008-11-10 15:54 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-10 15:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-10 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2008-11-10 14:58 <DIR> --d----- c:\program files\common files\iS3
2008-11-10 14:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2008-11-10 01:16 5,603 a------- c:\windows\GnuHashes.ini
2008-11-10 01:08 1,504 a--sh--- c:\windows\system32\GroupPolicy000.dat
2008-11-10 01:08 318,976 a--sh--- c:\windows\system32\104.tmp
2008-11-10 01:08 135,168 a------- c:\windows\system32\dmintf32.dll
2008-10-30 16:53 <DIR> --d----- c:\program files\Veoh Networks
2008-10-23 19:18 2,302,017 a------- c:\windows\system32\GPhotos.scr
2008-10-17 22:22 32 a------- c:\windows\system32\use_atc.dat
2008-10-17 22:22 <DIR> --d----- c:\program files\All That Chords!

================== Find3M ==================

2008-11-10 19:01 <DIR> --d----- c:\program files\Norton Support
2008-11-10 01:18 <DIR> --d----- c:\docume~1\owner\applic~1\LimeWire
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-13 15:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-10-10 13:38 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-10-09 15:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2008-10-09 15:37 <DIR> --d----- c:\program files\Norton AntiVirus
2008-10-09 15:31 <DIR> --d----- c:\program files\Symantec
2008-10-09 15:31 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-10-09 15:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2008-10-09 15:27 <DIR> --d----- c:\program files\NortonInstaller
2008-10-09 15:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 06:57 1,846,016 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-07 23:31 348,160 a------- c:\windows\system32\msvcr71.dll
2008-08-28 15:15 80,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-08-28 14:16 <DIR> --d----- c:\docume~1\owner\applic~1\Intuit
2008-08-28 14:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2008-08-28 14:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2008-08-28 05:04 333,056 -------- c:\windows\system32\dllcache\srv.sys
2008-08-27 03:24 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-08-25 03:38 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 03:37 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 00:56 635,848 -------- c:\windows\system32\dllcache\iexplore.exe
2008-08-23 00:54 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-08-14 04:57 2,185,984 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-14 04:55 2,142,720 a------- c:\windows\system32\ntoskrnl.exe
2008-08-14 04:55 2,142,720 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 04:51 138,368 -------- c:\windows\system32\dllcache\afd.sys
2008-08-14 04:18 2,020,864 a------- c:\windows\system32\ntkrnlpa.exe
2008-08-14 04:18 2,020,864 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-08-14 04:18 2,062,976 -------- c:\windows\system32\dllcache\ntkrnlpa.exe

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton antivirus\norton antivirus\engine\16.0.0.125\IPSBHO.DLL
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hp pavilion webcam tray icon.lnk - c:\program files\hewlett-packard\hp pavilion webcam\tsnp2std.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hp photosmart premier fast start.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office11\MSOXMLMF.DLL
Notify: e06ea148502 -c:\windows\system32\dmintf32.dll
Notify: igfxcui -igfxdev.dll
AppInit_DLLs: c:\windows\system32\dmintf32.dll

============= SERVICES / DRIVERS ==============

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1000000.07d\BHDrvx86.sys
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1000000.07d\ccHPx86.sys
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081031.001\IDSxpx86.sys
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1000000.07d\SYMEFA.SYS
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.0.0.125\ccsvchst.exe /s norton antivirus /m c:\program files\norton antivirus\norton antivirus\engine\16.0.0.125\diMaster.dll

============= FINISH: 21:25:30.43 ===============
 

Re: IE randomly pops up, google shows unrelated links & computer is slower than before

Hi,

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
 

Discussion Starter · #3

Re: IE randomly pops up, google shows unrelated links & computer is slower than before

I am not exactly able to disable Norton Antivirus. It won't let me. In any case I'm hoping that Norton did not create a problem for combofix since Norton is not working properly. Also, the first time I ran combofix it said that the download failed, and then it started scanning. I tried using combofix again since the first time it failed to download the windows recovery console. However, the second time it worked; it successfully installed the windows recovery console. Anyway here is the log it produced the second time (after it succeeded in installing the windows recovery console):

ComboFix 08-11-11.01 - Owner 2008-11-12 23:28:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1021 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-12 19:23 . 2008-11-12 19:23 318,976 --ahs---- c:\windows\system32\18.tmp
2008-11-12 04:40 . 2008-11-12 15:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\gtk-2.0
2008-11-12 04:38 . 2008-11-12 04:38 <DIR> d-------- c:\documents and settings\Owner\.thumbnails
2008-11-12 04:32 . 2008-11-12 15:28 <DIR> d-------- c:\documents and settings\Owner\.gimp-2.6
2008-11-12 04:32 . 2008-11-12 04:32 <DIR> d-------- c:\documents and settings\Owner\.gegl-0.0
2008-11-12 04:31 . 2008-11-12 04:31 <DIR> d-------- c:\program files\Gimp-2.0
2008-11-12 03:48 . 2008-11-12 04:18 <DIR> d-------- c:\program files\MyFantasyMaker
2008-11-11 17:23 . 2008-11-11 17:23 <DIR> d--hs---- c:\windows\system32\GroupPolicyManifest
2008-11-11 17:23 . 2008-11-11 17:23 318,976 --ahs---- c:\windows\system32\16C.tmp
2008-11-11 01:30 . 2008-11-11 17:37 250 --a------ c:\windows\gmer.ini
2008-11-11 00:44 . 2004-08-03 23:08 26,496 --a------ c:\windows\system32\dllcache\usbstor.sys
2008-11-10 16:58 . 2008-11-12 03:55 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-10 15:54 . 2008-11-12 22:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-10 15:54 . 2008-11-12 22:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 14:59 . 2008-11-10 16:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-11-10 14:58 . 2008-11-10 14:58 <DIR> d-------- c:\program files\Common Files\iS3
2008-11-10 14:58 . 2008-11-10 16:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-10 01:16 . 2008-11-11 17:38 5,603 --a------ c:\windows\GnuHashes.ini
2008-11-10 01:08 . 2008-11-10 01:08 318,976 --ahs---- c:\windows\system32\104.tmp
2008-11-10 01:08 . 2008-11-10 01:08 135,168 --a------ c:\windows\system32\dmintf32.dll
2008-11-10 01:08 . 2008-11-11 17:23 1,504 --ahs---- c:\windows\system32\GroupPolicy000.dat
2008-10-30 16:53 . 2008-10-30 16:53 <DIR> d-------- c:\program files\Veoh Networks
2008-10-23 19:18 . 2008-10-23 19:18 2,302,017 --a------ c:\windows\system32\GPhotos.scr
2008-10-17 22:22 . 2008-10-17 22:24 <DIR> d-------- c:\program files\All That Chords!
2008-10-17 22:22 . 2008-10-17 22:22 32 --a------ c:\windows\system32\use_atc.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 03:38 --------- d-----w c:\program files\Norton Support
2008-11-12 08:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 06:18 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-13 20:23 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-10 18:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-09 20:38 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-10-09 20:37 --------- d-----w c:\program files\Norton AntiVirus
2008-10-09 20:31 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-09 20:31 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-10-09 20:31 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-09 20:31 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-09 20:31 --------- d-----w c:\program files\Symantec
2008-10-09 20:27 --------- d-----w c:\program files\NortonInstaller
2008-10-09 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2008-10-09 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-10-08 06:18 --------- d-----w c:\program files\Google
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-08 04:31 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 ------w c:\windows\system32\dllcache\msxml3.dll
2008-08-28 10:04 333,056 ------w c:\windows\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 09:57 2,185,984 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-14 09:55 2,142,720 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:55 2,142,720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:51 138,368 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:18 2,062,976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:18 2,020,864 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 09:18 2,020,864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-17 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-10-09 3502840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-11 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-07 185896]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-17 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\tsnp2std.exe [2008-08-28 98304]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\e06ea148502]
2008-11-10 01:08 135168 c:\windows\system32\dmintf32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\dmintf32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-10-09 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-10-09 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-10-09 362544]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081031.001\IDSxpx86.sys [2008-10-09 274808]
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe /s Norton AntiVirus /m c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll [ ]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\827szv32.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 23:30:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? [email protected][email protected]? [email protected][email protected]

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\System32\dmintf32.dll

PROCESS: c:\windows\system32\lsass.exe
-> c:\windows\System32\dmintf32.dll
.
Completion time: 2008-11-12 23:31:29
ComboFix-quarantined-files.txt 2008-11-13 04:31:27
ComboFix2.txt 2008-11-13 04:11:34

Pre-Run: 56,230,469,632 bytes free
Post-Run: 56,223,674,368 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

165 --- E O F --- 2008-11-12 08:05:49
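The ComboFix log above is the evidence the rest of the thread works from: dmintf32.dll is registered as a Winlogon Notify package (e06ea148502) and in AppInit_DLLs, it is reported loaded inside winlogon.exe and lsass.exe, Security Center monitoring is switched off, and three hidden+system 318,976-byte *.tmp files sit in system32. Helpers on these forums pick those lines out by eye. As an added example (mine, not part of the thread and not ComboFix or DDS code), here is a small Python triage script that pulls the same indicators out of a ComboFix log automatically. The SAMPLE_LOG inside it is a constructed excerpt in ComboFix's format, cut down from the log above, and the flagging rules (any hidden+system plain file under system32, any Winlogon\Notify subkey ComboFix bothers to print, a non-empty AppInit_DLLs value, DisableMonitoring set to 1, and any DLL reported inside winlogon.exe or lsass.exe) are my assumptions about what to surface first, not ComboFix's own logic.

```python
"""Triage a ComboFix log for the persistence indicators seen in this thread.
Added example: not part of the thread and not ComboFix/DDS code. SAMPLE_LOG is a
constructed excerpt in ComboFix's format; the flagging rules are my own assumptions."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
2008-11-12 19:23 . 2008-11-12 19:23 318,976 --ahs---- c:\windows\system32\18.tmp
2008-11-11 17:23 . 2008-11-11 17:23 <DIR> d--hs---- c:\windows\system32\GroupPolicyManifest
2008-11-10 01:08 . 2008-11-10 01:08 135,168 --a------ c:\windows\system32\dmintf32.dll
2008-11-10 01:08 . 2008-11-11 17:23 1,504 --ahs---- c:\windows\system32\GroupPolicy000.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\e06ea148502]
2008-11-10 01:08 135168 c:\windows\system32\dmintf32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\dmintf32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\System32\dmintf32.dll
PROCESS: c:\windows\system32\lsass.exe
-> c:\windows\System32\dmintf32.dll
Completion time: 2008-11-12 23:31:29
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # indicator class
    detail: str  # path, key name, or "process <- dll"


# Files Created lines: "<created> . <modified> <size or <DIR>> <9-char attrs> <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+?)\s*$"
)


def _section(text: str, start: str, stops: tuple[str, ...]) -> list[str]:
    """Lines after the header containing `start`, up to the next header in `stops`."""
    out, inside = [], False
    for line in text.splitlines():
        if not inside:
            inside = start in line
        elif any(s in line for s in stops):
            break
        else:
            out.append(line)
    return out


def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []

    # 1. Hidden+system plain files dropped into system32 (the 318,976-byte *.tmp copies).
    for line in _section(text, "Files Created", ("Find3M", "Reg Loading Points")):
        m = FILE_LINE.match(line)
        if m:
            _size, attrs, path = m.groups()
            hidden_system = "h" in attrs and "s" in attrs and not attrs.startswith("d")
            if hidden_system and "\\system32\\" in path.lower():
                findings.append(Finding("hidden-system-file", path))

    # 2. Registry loading points. ComboFix omits default entries, so any
    #    Winlogon\Notify subkey it prints at all deserves a look.
    key, appinit = "", set()
    for line in _section(text, "Reg Loading Points", ("Supplementary Scan", "DLLs Loaded")):
        low = line.lower()
        if line.startswith("[") and line.endswith("]"):
            key = low[1:-1]
            if "\\winlogon\\notify\\" in key:
                findings.append(Finding("winlogon-notify", key.rsplit("\\", 1)[-1]))
        elif low.startswith('"appinit_dlls"='):
            for dll in re.split(r"[,\s]+", line.split("=", 1)[1].strip().strip('"')):
                if dll:
                    appinit.add(dll.lower())
                    findings.append(Finding("appinit-dll", dll))
        elif low.startswith('"disablemonitoring"=dword:00000001') and "security center" in key:
            findings.append(Finding("security-center-off", key.rsplit("\\", 1)[-1]))

    # 3. DLLs reported inside winlogon/lsass. One that is also named in
    #    AppInit_DLLs is a confirmed injection; otherwise it is unexplained.
    process = ""
    for line in _section(text, "DLLs Loaded Under Running Processes", ("Completion time",)):
        if line.startswith("PROCESS:"):
            process = line[len("PROCESS:"):].strip().lower()
        elif line.startswith("->") and process.endswith(("\\winlogon.exe", "\\lsass.exe")):
            dll = line[2:].strip()
            kind = "injected-dll-confirmed" if dll.lower() in appinit else "injected-dll"
            findings.append(Finding(kind, f"{process} <- {dll}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
```

Run it as-is to print the findings for the embedded sample, or read a real ComboFix.txt into triage(). A DLL that shows up in winlogon.exe or lsass.exe and is also named in AppInit_DLLs is reported as injected-dll-confirmed; once AppInit_DLLs has been cleared, the same DLL still loaded would come back as plain injected-dll, which is the case to watch for in a post-fix log.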
 

Re: IE randomly pops up, google shows unrelated links & computer is slower than before

Hi,

Since Norton is not working, have you considered reinstalling?

Open Notepad.
Copy and paste the text inside the code box below into Notepad.

Code:
File::
c:\windows\system32\dmintf32.dll
c:\windows\system32\104.tmp
c:\windows\system32\16C.tmp
c:\windows\system32\18.tmp
c:\windows\system32\GroupPolicy000.dat
Folder::
c:\documents and settings\Owner\Application Data\LimeWire
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\e06ea148502]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Dirlook::
c:\windows\system32\GroupPolicyManifest
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
  • ComboFix will restart your machine, then it will produce a log afterwards.
  • Please post the contents of that log along with a fresh HijackThis log.
___________

Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Click Start > Control Panel
  • Click Add/Remove Programs
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u10 and install it on your computer.
  • Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
_________

Please run this online scan to help look for remnants.

First, go to Start > Control Panel > Add/Remove Programs and remove Kaspersky Online Scanner if present, prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.


Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

On your next reply, please include a
  • fresh DDS log
  • kaspersky scan log
  • combofix log
 

Discussion Starter · #5 (Edited)

Re: IE randomly pops up, google shows unrelated links & computer is slower than before

DDS (Version 1.0) - NTFSx86
Run by Owner at 1:11:56.37 on Sat 11/15/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1526.729 [GMT -5:00]

=============== Created Last 30 ================

2008-11-13 04:57 664 a------- c:\windows\system32\d3d9caps.dat
2008-11-13 03:14 <DIR> --dsh--- C:\RECYCLER
2008-11-13 03:09 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-13 03:09 73,728 a------- c:\windows\system32\javacpl.cpl
2008-11-12 23:28 <DIR> a-dshr-- C:\cmdcons
2008-11-12 22:55 161,792 a------- c:\windows\SWREG.exe
2008-11-12 22:55 98,816 a------- c:\windows\sed.exe
2008-11-12 04:38 <DIR> --d----- c:\documents and settings\owner\.thumbnails
2008-11-12 04:32 <DIR> --d----- c:\documents and settings\owner\.gimp-2.6
2008-11-12 04:32 <DIR> --d----- c:\documents and settings\owner\.gegl-0.0
2008-11-12 04:31 <DIR> --d----- c:\program files\Gimp-2.0
2008-11-12 03:48 <DIR> --d----- c:\program files\MyFantasyMaker
2008-11-11 17:23 <DIR> --dsh--- c:\windows\system32\GroupPolicyManifest
2008-11-11 01:30 250 a------- c:\windows\gmer.ini
2008-11-11 00:44 26,496 a------- c:\windows\system32\dllcache\usbstor.sys
2008-11-10 15:54 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-10 15:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-10 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2008-11-10 14:58 <DIR> --d----- c:\program files\common files\iS3
2008-11-10 14:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2008-11-10 01:16 5,603 a------- c:\windows\GnuHashes.ini
2008-10-30 16:53 <DIR> --d----- c:\program files\Veoh Networks
2008-10-23 19:18 2,302,017 a------- c:\windows\system32\GPhotos.scr
2008-10-17 22:22 32 a------- c:\windows\system32\use_atc.dat
2008-10-17 22:22 <DIR> --d----- c:\program files\All That Chords!

================== Find3M ==================

2008-11-13 03:27 <DIR> --d----- c:\program files\Norton Support
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-13 15:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-10-10 13:38 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-10-09 15:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2008-10-09 15:37 <DIR> --d----- c:\program files\Norton AntiVirus
2008-10-09 15:31 <DIR> --d----- c:\program files\Symantec
2008-10-09 15:31 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-10-09 15:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2008-10-09 15:27 <DIR> --d----- c:\program files\NortonInstaller
2008-10-09 15:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 06:57 1,846,016 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-07 23:31 348,160 a------- c:\windows\system32\msvcr71.dll
2008-09-04 11:42 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-09-04 11:42 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-08-28 15:15 80,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-08-28 14:16 <DIR> --d----- c:\docume~1\owner\applic~1\Intuit
2008-08-28 14:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2008-08-28 14:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2008-08-28 05:04 333,056 -------- c:\windows\system32\dllcache\srv.sys
2008-08-27 03:24 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-08-25 03:38 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 03:37 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 00:56 635,848 -------- c:\windows\system32\dllcache\iexplore.exe
2008-08-23 00:54 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton antivirus\norton antivirus\engine\16.0.0.125\IPSBHO.DLL
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hp pavilion webcam tray icon.lnk - c:\program files\hewlett-packard\hp pavilion webcam\tsnp2std.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hp photosmart premier fast start.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui -igfxdev.dll

============= SERVICES / DRIVERS ==============

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1000000.07d\BHDrvx86.sys
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1000000.07d\ccHPx86.sys
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081031.001\IDSxpx86.sys
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1000000.07d\SYMEFA.SYS
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.0.0.125\ccsvchst.exe /s norton antivirus /m c:\program files\norton antivirus\norton antivirus\engine\16.0.0.125\diMaster.dll

============= FINISH: 1:12:20.98 ===============

ComboFix 08-11-11.01 - Owner 2008-11-13 2:32:45.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1040 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\104.tmp
c:\windows\system32\16C.tmp
c:\windows\system32\18.tmp
c:\windows\system32\dmintf32.dll
c:\windows\system32\GroupPolicy000.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dmintf32.dll
.
---- Previous Run -------
.
c:\documents and settings\Owner\Application Data\LimeWire
c:\documents and settings\Owner\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Owner\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Owner\Application Data\LimeWire\downloads.dat
c:\documents and settings\Owner\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Owner\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Owner\Application Data\LimeWire\filters.props
c:\documents and settings\Owner\Application Data\LimeWire\gnutella.net
c:\documents and settings\Owner\Application Data\LimeWire\installation.props
c:\documents and settings\Owner\Application Data\LimeWire\library.dat
c:\documents and settings\Owner\Application Data\LimeWire\limewire.props
c:\documents and settings\Owner\Application Data\LimeWire\mojito.props
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Owner\Application Data\LimeWire\questions.props
c:\documents and settings\Owner\Application Data\LimeWire\responses.cache
c:\documents and settings\Owner\Application Data\LimeWire\simpp.xml
c:\documents and settings\Owner\Application Data\LimeWire\spam.dat
c:\documents and settings\Owner\Application Data\LimeWire\tables.props
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Owner\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Owner\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Owner\Application Data\LimeWire\version.xml
c:\documents and settings\Owner\Application Data\LimeWire\versions.props
c:\windows\system32\104.tmp
c:\windows\system32\16C.tmp
c:\windows\system32\18.tmp
c:\windows\system32\dmintf32.dll
c:\windows\system32\GroupPolicy000.dat

.
((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-12 04:40 . 2008-11-12 15:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\gtk-2.0
2008-11-12 04:38 . 2008-11-12 04:38 <DIR> d-------- c:\documents and settings\Owner\.thumbnails
2008-11-12 04:32 . 2008-11-12 15:28 <DIR> d-------- c:\documents and settings\Owner\.gimp-2.6
2008-11-12 04:32 . 2008-11-12 04:32 <DIR> d-------- c:\documents and settings\Owner\.gegl-0.0
2008-11-12 04:31 . 2008-11-12 04:31 <DIR> d-------- c:\program files\Gimp-2.0
2008-11-12 03:48 . 2008-11-12 04:18 <DIR> d-------- c:\program files\MyFantasyMaker
2008-11-11 17:23 . 2008-11-11 17:23 <DIR> d--hs---- c:\windows\system32\GroupPolicyManifest
2008-11-11 01:30 . 2008-11-11 17:37 250 --a------ c:\windows\gmer.ini
2008-11-11 00:44 . 2004-08-03 23:08 26,496 --a------ c:\windows\system32\dllcache\usbstor.sys
2008-11-10 16:58 . 2008-11-12 03:55 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-10 15:54 . 2008-11-12 22:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-10 15:54 . 2008-11-12 22:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 14:59 . 2008-11-10 16:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-11-10 14:58 . 2008-11-10 14:58 <DIR> d-------- c:\program files\Common Files\iS3
2008-11-10 14:58 . 2008-11-10 16:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-10 01:16 . 2008-11-11 17:38 5,603 --a------ c:\windows\GnuHashes.ini
2008-10-30 16:53 . 2008-10-30 16:53 <DIR> d-------- c:\program files\Veoh Networks
2008-10-23 19:18 . 2008-10-23 19:18 2,302,017 --a------ c:\windows\system32\GPhotos.scr
2008-10-17 22:22 . 2008-10-17 22:24 <DIR> d-------- c:\program files\All That Chords!
2008-10-17 22:22 . 2008-10-17 22:22 32 --a------ c:\windows\system32\use_atc.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 03:38 --------- d-----w c:\program files\Norton Support
2008-11-12 08:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-13 20:23 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-10 18:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-09 20:38 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-10-09 20:37 --------- d-----w c:\program files\Norton AntiVirus
2008-10-09 20:31 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-09 20:31 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-09 20:31 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-09 20:31 --------- d-----w c:\program files\Symantec
2008-10-09 20:27 --------- d-----w c:\program files\NortonInstaller
2008-10-09 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2008-10-09 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-10-08 06:18 --------- d-----w c:\program files\Google
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\GroupPolicyManifest ----

2008-11-06 23:46 7 --a------ c:\windows\system32\GroupPolicyManifest\12.unpack.zip.kwd
2008-11-05 08:27 77284 --a------ c:\windows\system32\GroupPolicyManifest\12.unpack.zip
2008-11-05 08:27 77284 --a------ c:\windows\system32\GroupPolicyManifest\10.serial.zip
2008-11-05 08:27 77282 --a------ c:\windows\system32\GroupPolicyManifest\9.patch.zip
2008-11-05 08:27 77282 --a------ c:\windows\system32\GroupPolicyManifest\11.setup.zip
2008-11-05 08:27 77281 --a------ c:\windows\system32\GroupPolicyManifest\8.nodvd.zip
2008-11-05 08:26 77292 --a------ c:\windows\system32\GroupPolicyManifest\5.installer.zip
2008-11-05 08:26 77284 --a------ c:\windows\system32\GroupPolicyManifest\6.keygen.zip
2008-11-05 08:26 77280 --a------ c:\windows\system32\GroupPolicyManifest\7.nocd.zip
2008-11-05 08:26 76550 --a------ c:\windows\system32\GroupPolicyManifest\2.free_access_to_150_adult_sites.zip
2008-11-05 08:26 76524 --a------ c:\windows\system32\GroupPolicyManifest\3.free_adult_videos.zip
2008-11-05 08:26 76514 --a------ c:\windows\system32\GroupPolicyManifest\4.free_porn_passwords.zip
2008-11-05 08:25 77282 --a------ c:\windows\system32\GroupPolicyManifest\1.crack.zip
2008-11-03 21:13 6145 --a------ c:\windows\system32\GroupPolicyManifest\4.free_porn_passwords.zip.kwd
2008-11-03 21:12 6075 --a------ c:\windows\system32\GroupPolicyManifest\2.free_access_to_150_adult_sites.zip.kwd
2008-11-03 21:12 5979 --a------ c:\windows\system32\GroupPolicyManifest\3.free_adult_videos.zip.kwd
2008-10-18 19:23 37 --a------ c:\windows\system32\GroupPolicyManifest\9.patch.zip.kwd
2008-10-18 19:21 136 --a------ c:\windows\system32\GroupPolicyManifest\8.nodvd.zip.kwd
2008-10-18 19:12 45 --a------ c:\windows\system32\GroupPolicyManifest\11.setup.zip.kwd
2008-10-18 19:11 136 --a------ c:\windows\system32\GroupPolicyManifest\7.nocd.zip.kwd
2008-10-18 19:11 126 --a------ c:\windows\system32\GroupPolicyManifest\10.serial.zip.kwd
2008-10-18 19:09 193 --a------ c:\windows\system32\GroupPolicyManifest\6.keygen.zip.kwd
2008-10-18 19:07 115 --a------ c:\windows\system32\GroupPolicyManifest\5.installer.zip.kwd
2008-10-18 19:06 180 --a------ c:\windows\system32\GroupPolicyManifest\1.crack.zip.kwd


((((((((((((((((((((((((((((( snapshot@[date removed by forum e-mail obfuscation]_23.11.10.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-12 20:06:57 53,166 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-13 07:23:25 53,166 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-12 20:06:57 380,918 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-13 07:23:25 380,918 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-13 07:36:16 16,384 ----atw c:\windows\temp\Perflib_Perfdata_ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-17 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-10-09 3502840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-11 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-07 185896]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-17 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\tsnp2std.exe [2008-08-28 98304]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-10-09 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-10-09 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-10-09 362544]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081031.001\IDSxpx86.sys [2008-10-09 274808]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 02:36:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\imapi.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2008-11-13 2:40:15 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-11-13 07:40:10
ComboFix2.txt 2008-11-13 04:31:30
ComboFix3.txt 2008-11-13 04:11:34

Pre-Run: 56,134,537,216 bytes free
Post-Run: 56,118,566,912 bytes free

225 --- E O F --- 2008-11-12 08:05:49

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 14, 2008 20:14:58
Records in database: 1385149
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 71810
Threat name: 8
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 03:18:05


File name / Threat name / Threats count
C:\Documents and Settings\Owner\Desktop\New Folder\Rajdeep\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2AB87CD2.tmp Infected: Trojan-Downloader.Win32.Agent.bkd 1
C:\Documents and Settings\Owner\Desktop\New Folder\Rajdeep\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6C9D5F40 Infected: Trojan-Downloader.Win32.Zlob.pll 1
C:\Documents and Settings\Owner\Desktop\New Folder\Rajdeep\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6C9D5F40.exe Infected: Trojan-Downloader.Win32.Zlob.pll 1
C:\Documents and Settings\Owner\Desktop\New Folder\Rajdeep\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77C82E53 Infected: Trojan-Downloader.JS.Psyme.hz 1
C:\Documents and Settings\Owner\Desktop\New Folder\Rajdeep\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79B058B9 Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Owner\Desktop\New Folder\Rajdeep\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79BD00AB Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Owner\Desktop\New Folder\Rajdeep\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79C02AA7.cla Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Owner\Desktop\New Folder\Rajdeep\Documents and Settings\Owner\.housecall6.6\Quarantine\43f905f8-1f636b0a.bac_a03352 Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Owner\Desktop\New Folder\Rajdeep\Documents and Settings\Owner\.housecall6.6\Quarantine\Ultimate Collection of Dating Books ... Ver 2 0 - David Deangelo and Others.zip.bac_a03352 Infected: P2P-Worm.Win32.VB.dw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dmintf32.dll.vir Infected: Trojan-Downloader.Win32.Agent.aoal 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_dmintf32_.dll.zip Infected: Trojan-Downloader.Win32.Agent.aoal 2
C:\WINDOWS\system32\GroupPolicyManifest\1.crack.zip Infected: Trojan-Downloader.Win32.Agent.aocd 1
C:\WINDOWS\system32\GroupPolicyManifest\10.serial.zip Infected: Trojan-Downloader.Win32.Agent.aocd 1
C:\WINDOWS\system32\GroupPolicyManifest\11.setup.zip Infected: Trojan-Downloader.Win32.Agent.aocd 1
C:\WINDOWS\system32\GroupPolicyManifest\12.unpack.zip Infected: Trojan-Downloader.Win32.Agent.aocd 1
C:\WINDOWS\system32\GroupPolicyManifest\5.installer.zip Infected: Trojan-Downloader.Win32.Agent.aocc 1
C:\WINDOWS\system32\GroupPolicyManifest\6.keygen.zip Infected: Trojan-Downloader.Win32.Agent.aocd 1
C:\WINDOWS\system32\GroupPolicyManifest\7.nocd.zip Infected: Trojan-Downloader.Win32.Agent.aocd 1
C:\WINDOWS\system32\GroupPolicyManifest\8.nodvd.zip Infected: Trojan-Downloader.Win32.Agent.aocd 1
C:\WINDOWS\system32\GroupPolicyManifest\9.patch.zip Infected: Trojan-Downloader.Win32.Agent.aocd 1

The selected area was scanned.

4,590 Posts
Re: IE randomly pops up, google shows unrelated links & computer is slower than before

Hi,

Please answer the question in my previous post:

Since Norton is not working, have you considered reinstalling?

It seems that you didn't update Java. Please update Java, as older versions are vulnerable to various infections.


*Delete the following folders using Windows Explorer:

c:\windows\system32\GroupPolicyManifest
C:\Documents and Settings\Owner\Desktop\New Folder\Rajdeep\Documents and Settings\Owner\.housecall6.6 << trend micro online scan folder


*Now you need to delete the infected files in your Norton AntiVirus Quarantine.
Go to this page and follow the directions for emptying Quarantine for your version of Norton Antivirus:
Removing files from Norton AntiVirus Quarantine

How is your computer running?

4 Posts
Discussion Starter · #7 ·
Re: IE randomly pops up, google shows unrelated links & computer is slower than before

Hi there, sorry for the late reply. Anyway, I have reinstalled Norton and it's working well. As for Java, I did update it the last time you advised. However, I will do it again. As for the files, I have deleted C:\Documents and Settings\Owner\Desktop\New Folder\Rajdeep\Documents and Settings\Owner\.housecall6.6 but I cannot find the other one. The link for removing quarantine files is not applicable for my Norton since I have 2009. But in any case I don't have any quarantined files on my new Norton. The computer is generally fine, but for some reason Firefox is not working as well as it used to. For instance, I am having trouble opening Gmail with Firefox. I am thinking of uninstalling and then reinstalling Firefox.

4,590 Posts
Re: IE randomly pops up, google shows unrelated links & computer is slower than before

For Java, this is the entry that you need to uninstall in Add/Remove Programs before you install the latest version.

J2SE Runtime Environment 5.0 Update 6


*Click Start > Run > copy and paste:

cmd /c attrib -s -h -r c:\windows\system32\GroupPolicyManifest

press enter.

cmd /c rd /s /q c:\windows\system32\GroupPolicyManifest

press enter.


The computer is generally fine, but for some reason Firefox is not working as well as it used to. For instance, I am having trouble opening Gmail with Firefox. I am thinking of uninstalling and then reinstalling Firefox.
I think it is best for you to uninstall then reinstall Firefox because you have an old version anyway. You only have version 2 installed, and you can download and install version 3 now.

Let me know how that goes.

4,590 Posts
Re: IE randomly pops up, google shows unrelated links & computer is slower than before

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/sec...read-before-posting-malware-removal-help.html