Tech Support Forum

Registered · 4 Posts · Discussion Starter · #1
I have been experiencing random browser redirects from sites I have bookmarked or sites that have been directly linked to a variety of sites, such as sedoparking.com, as.caselmedia.com, webfile.com, and a few random others. I ran adaware, ewido, and spybot scans. All are clean, except spybot, which found the rootkit.dayoff.process. Spybot was unable to clean this up after the initial scan or after a restart scan.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-01 13:05:13
PROTECTIONS: 2
MALWARE: 17
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ThreatFire 3.5.0.21 Yes Yes
avast! antivirus 4.8.1201 [VPS 080531-1] 4.8.1201 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00020302 adware/ncase Adware No 0 Yes No c:\windows\system32\fleok
00029767 adware/delfinmedia Adware No 1 Yes No c:\keys.ini
00041904 adware/sidesearch Adware No 0 Yes No c:\documents and settings\russell\application data\lycos
00041904 adware/sidesearch Adware No 0 Yes No hkey_local_machine\software\lycos
00047888 adware/iedriver Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{120E090D-9136-4b78-8258-F0B44B4BD2AC}
00047888 adware/iedriver Adware No 0 Yes No hkey_local_machine\software\microsoft\internet explorer\extensions\{120e090d-9136-4b78-8258-f0b44b4bd2ac}
00047888 adware/iedriver Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\extensions\cmdmapping\{120e090d-9136-4b78-8258-f0b44b4bd2ac}
00047888 adware/iedriver Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{8f9fbeb8-d216-4d6c-8d21-513157e09c0d}
00093000 Spyware/Apropos Spyware No 1 Yes No C:\Documents and Settings\Melissa\Local Settings\Temp\AutoUpdate0\setup.inf
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.casalemedia.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.tribalfusion.com/]
00145745 Cookie/OfferOptimizer TrackingCookie No 0 Yes No C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.com.com/]
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[landing.domainsponsor.com/]
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[landing.domainsponsor.com/]
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[landing.domainsponsor.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.xiti.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.apmebf.com/]
00168108 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
00173986 Cookie/421 TrackingCookie No 0 Yes No C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Russell\Application Data\Mozilla\Firefox\Profiles\default.n6n\cookies.txt[.go.com/]
00219288 adware/clickalchemy Adware No 0 Yes No c:\windows\inf\alchem.inf
00305526 Spyware/MarketScore Spyware No 1 Yes No C:\WINDOWS\SYSTEM32\cemetrix.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location d
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description d
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Deckard's System Scanner v20071014.68
Run by Russell on 2008-06-01 13:33:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-01 19:33:13 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-01 13:34:40
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\SYSTEM32\cisvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe
C:\Documents and Settings\Russell\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {951C286A-C8FA-D133-F7DC-B2DEB5B20ACB} - (no file)
O2 - BHO: (no name) - {ACB4664F-8DDF-9149-DFCE-F3DA14C96AC7} - (no file)
O2 - BHO: (no name) - {C78E7E3D-9EA2-856E-F7A9-E0CB259C5CC4} - (no file)
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFFD935E-94D0-43E7-9292-04EAE9BE7055}: NameServer = 200.14.241.36
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: mshta.dll A
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe


--
End of file - 7993 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S2 windev-56e4-6ba2 - c:\windows\system32\windev-56e4-6ba2.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 pdiddcci (DDC/CI monitor) - c:\windows\system32\drivers\pdiddcci.sys <Not Verified; Portrait Displays, Inc.; Portrait Displays DDC/CI Monitor Device Driver>
S3 SDDMI2 - c:\windows\system32\ddmi2.sys (file missing)
S3 StMp3Rec (Player Recovery Device Control Driver) - c:\windows\system32\drivers\stmp3rec.sys <Not Verified; Microsoft Corporation; >
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 a2AntiMalware (a-squared Anti-Malware Service) - "c:\program files\a-squared anti-malware\a2service.exe" <Not Verified; Emsi Software GmbH; a-squared>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 DTSRVC (Portrait Displays Display Tune Service) - c:\program files\common files\portrait displays\shared\dtsrvc.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
Description: HP w2007 Wide LCD Monitor
Device ID: DISPLAY\HWP26A6\4&328453E3&0&80861100&00&02
Manufacturer: HP
Name: HP w2007 Wide LCD Monitor
PNP Device ID: DISPLAY\HWP26A6\4&328453E3&0&80861100&00&02
Service: pdiddcci


-- Scheduled Tasks -------------------------------------------------------------

2004-01-04 20:36:14 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2008-05-01 and 2008-06-01 -----------------------------

2008-06-01 13:17:33 0 d-------- C:\Program Files\SpywareBlaster
2008-06-01 11:00:40 0 d-------- C:\WINDOWS\LastGood
2008-06-01 10:52:58 0 d-------- C:\Program Files\Panda Security
2008-05-31 16:29:10 0 d-------- C:\VundoFix Backups
2008-05-30 06:17:10 0 dr-h----- C:\Documents and Settings\Russell\Recent
2008-05-23 16:53:23 0 d-------- C:\Documents and Settings\Russell\Application Data\DisplayTune
2008-05-23 16:52:55 11776 --a------ C:\WINDOWS\system32\drivers\pdiddcci.sys <Not Verified; Portrait Displays, Inc.; Portrait Displays DDC/CI Monitor Device Driver>
2008-05-23 16:52:32 372736 --a------ C:\WINDOWS\ijl15.dll <Not Verified; Intel Corporation; Intel® JPEG Library>
2008-05-23 16:52:30 0 d-------- C:\Program Files\Portrait Displays
2008-05-23 16:52:30 0 d-------- C:\Program Files\Common Files\Portrait Displays
2008-05-02 23:25:37 0 d-------- C:\Program Files\IObit
2008-05-02 23:18:54 0 d-------- C:\Program Files\CCleaner
2008-05-02 23:17:08 0 d-------- C:\Program Files\Foxit Software


-- Find3M Report ---------------------------------------------------------------

2008-06-01 10:55:12 0 d-------- C:\Program Files\Java
2008-05-31 16:45:40 0 d-------- C:\Program Files\ewido anti-spyware 4.0
2008-05-28 17:23:34 0 d-------- C:\Program Files\Last.fm
2008-05-23 16:52:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-23 16:52:30 0 d-a------ C:\Program Files\Common Files
2008-05-07 19:10:47 0 d-------- C:\Program Files\Winamp
2008-05-07 06:36:45 0 d-------- C:\Documents and Settings\Russell\Application Data\Winamp
2008-05-03 23:35:17 0 d-------- C:\Documents and Settings\Russell\Application Data\DivX
2008-04-30 06:02:28 0 d-------- C:\Program Files\ThreatFire
2008-04-27 07:51:10 0 d-------- C:\Program Files\Audacity
2008-04-08 20:36:25 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-04-06 10:43:13 0 d-------- C:\Documents and Settings\Russell\Application Data\uTorrent


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{951C286A-C8FA-D133-F7DC-B2DEB5B20ACB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACB4664F-8DDF-9149-DFCE-F3DA14C96AC7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C78E7E3D-9EA2-856E-F7A9-E0CB259C5CC4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [02/13/2003 01:01 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/19/2005 08:59 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/06/2003 01:04 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 05:19 PM]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [04/24/2008 04:52 PM]
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [04/25/2007 12:36 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/19/2005 08:59 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []

C:\Documents and Settings\Russell\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [10/30/2007 10:43:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=mshta.dll A

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


*Newly Created Service* - ASWFSBLK
*Newly Created Service* - ASWSP
*Newly Created Service* - GMER
*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-06-01 13:35:57 ------------

TSF Security Manager, Emeritus · 42,952 Posts
Hello RustyKSU,

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Registered · 4 Posts · Discussion Starter · #4
Thank you for your reply and help.

ComboFix 08-06-05.3 - Russell 2008-06-06 19:30:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.331 [GMT -6:00]
Running from: C:\Documents and Settings\Russell\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Melissa\Local Settings\Temporary Internet Files\QcBarA_Tmp.txt
C:\Documents and Settings\Melissa\Local Settings\Temporary Internet Files\QcBarK_Tmp.txt
C:\Documents and Settings\Melissa\Local Settings\Temporary Internet Files\QcBarL_Tmp.txt
C:\Documents and Settings\Melissa\Local Settings\Temporary Internet Files\QcBarP_Tmp.txt
C:\Documents and Settings\Melissa\Local Settings\Temporary Internet Files\QcBarT_Tmp.txt
C:\Documents and Settings\Russell\Application Data\CROSOF~1
C:\Documents and Settings\Russell\Application Data\DOBE~1
C:\Documents and Settings\Russell\Application Data\FNTS~1
C:\Documents and Settings\Russell\Application Data\PPPATC~1
C:\Documents and Settings\Russell\Application Data\SSEMBL~1
C:\Documents and Settings\Russell\Application Data\SSTEM~1
C:\Documents and Settings\Russell\Application Data\STEM32~1
C:\Documents and Settings\Russell\Application Data\TSKS~1
C:\Documents and Settings\Russell\Application Data\YMANTE~1
C:\Documents and Settings\Russell\Application Data\YSTEM~1
C:\Documents and Settings\Russell\My Documents\CURITY~1
C:\Documents and Settings\Russell\My Documents\ICROSO~2
C:\Documents and Settings\Russell\My Documents\PPATCH~1
C:\Documents and Settings\Russell\My Documents\SMBOLS~1
C:\Documents and Settings\Russell\My Documents\TSKS~1
C:\Documents and Settings\Russell\My Documents\YMANTE~1
C:\Program Files\asks~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\icroso~1\ICROSO~1\ctxad-453.0000
C:\Program Files\Common Files\icroso~1\ICROSO~1\ctxad-453.0001
C:\Program Files\Common Files\icroso~1\ICROSO~1\ctxad-453.0002
C:\Program Files\Common Files\icroso~1\ICROSO~1\ctxad-453.0003
C:\Program Files\Common Files\icroso~1\ICROSO~1\ctxad-453.0004
C:\Program Files\Common Files\icroso~1\ICROSO~1\ctxad-453.0005
C:\Program Files\Common Files\mcroso~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\crosof~1
C:\Program Files\crosof~1.net
C:\Program Files\dobe~1
C:\Program Files\sks~1
C:\WINDOWS\curity~1
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~2
C:\WINDOWS\icroso~1.net
C:\WINDOWS\ppatch~1
C:\WINDOWS\smante~1
C:\WINDOWS\ssembl~1
C:\WINDOWS\sstem~1
C:\WINDOWS\system32\cemetrix.dll
C:\WINDOWS\system32\components
C:\WINDOWS\system32\components\mrxf.dll
C:\WINDOWS\system32\components\msxf.dll
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\ymante~1
C:\WINDOWS\ymbols~1

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-05 22:25 . 2008-06-05 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-05 22:24 . 2008-06-05 22:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-05 22:24 . 2008-06-05 22:24 <DIR> d-------- C:\Documents and Settings\Russell\Application Data\SUPERAntiSpyware.com
2008-06-05 22:18 . 2008-06-05 22:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-05 22:18 . 2008-06-05 22:18 <DIR> d-------- C:\Documents and Settings\Russell\Application Data\Malwarebytes
2008-06-05 22:18 . 2008-06-05 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 22:18 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-05 22:18 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-05 22:17 . 2008-06-05 22:17 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-05 21:57 . 2008-06-05 21:57 <DIR> d-------- C:\Documents and Settings\Russell\Application Data\Amazon
2008-06-05 21:56 . 2008-06-05 21:56 <DIR> d-------- C:\Program Files\Amazon
2008-06-04 23:19 . 2008-06-04 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-04 23:17 . 2008-06-05 22:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 13:33 . 2008-06-01 13:33 <DIR> d-------- C:\Deckard
2008-06-01 13:17 . 2008-06-04 21:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-01 10:52 . 2008-06-01 11:00 <DIR> d-------- C:\Program Files\Panda Security
2008-06-01 10:22 . 2008-06-01 10:22 250 --a------ C:\WINDOWS\gmer.ini
2008-05-31 16:29 . 2008-05-31 16:29 <DIR> d-------- C:\VundoFix Backups
2008-05-28 05:52 . 2008-06-04 08:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-28 05:52 . 2008-05-28 05:52 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-23 16:59 . 2005-10-19 08:59 163,840 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-05-23 16:52 . 2004-08-04 01:56 1,392,671 --a------ C:\WINDOWS\msvbvm60.dll
2008-05-23 16:52 . 2002-01-05 04:40 487,424 --a------ C:\WINDOWS\msvcp70.dll
2008-05-23 16:52 . 2002-01-05 04:37 344,064 --a------ C:\WINDOWS\msvcr70.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 01:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-05 05:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 05:19 --------- d-----w C:\Program Files\Lavasoft
2008-06-05 05:10 --------- d-----w C:\Documents and Settings\Russell\Application Data\Lavasoft
2008-06-05 03:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-05 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-05 03:48 --------- d-----w C:\Program Files\Java
2008-06-05 03:46 --------- d-----w C:\Program Files\Canon
2008-05-31 22:45 --------- d-----w C:\Program Files\ewido anti-spyware 4.0
2008-05-28 23:23 --------- d-----w C:\Program Files\Last.fm
2008-05-08 01:10 --------- d-----w C:\Program Files\Winamp
2008-05-07 12:36 --------- d-----w C:\Documents and Settings\Russell\Application Data\Winamp
2008-05-04 05:35 --------- d-----w C:\Documents and Settings\Russell\Application Data\DivX
2008-05-03 05:25 --------- d-----w C:\Program Files\IObit
2008-05-03 05:18 --------- d-----w C:\Program Files\CCleaner
2008-05-03 05:17 --------- d-----w C:\Program Files\Foxit Software
2008-04-30 12:02 --------- d-----w C:\Program Files\ThreatFire
2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-27 13:51 --------- d-----w C:\Program Files\Audacity
2008-04-24 22:52 51,520 ----a-w C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-04-24 22:52 38,208 ----a-w C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-04-24 22:52 33,088 ----a-w C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-04-24 22:52 12,608 ----a-w C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-04-09 02:36 --------- d-----w C:\Program Files\a-squared Anti-Malware
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 01:01 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04 114741]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-30 22:43:24 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-08-26 09:22]

.
Contents of the 'Scheduled Tasks' folder
"2004-01-05 02:36:14 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 19:36:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-06 19:43:48 - machine was rebooted [Russell]
ComboFix-quarantined-files.txt 2008-06-07 01:43:37

Pre-Run: 18,260,914,176 bytes free
Post-Run: 18,176,937,984 bytes free

211 --- E O F --- 2008-05-16 05:42:56



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:43 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Russell\Desktop\Russell.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFFD935E-94D0-43E7-9292-04EAE9BE7055}: NameServer = 200.14.241.36
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6173 bytes
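Added example, not part of the thread or of any poster's tools: a small Python triage script that applies the checks a log reviewer does by eye to HijackThis-style lines (and to the ComboFix firewall-policy line), flagging O17 NameServer entries that are not in an expected resolver set, entries that point at missing files, autostart entries loading from a temp directory, and a disabled Windows Firewall. The expected-resolver set and the sample log lines are constructed for this example (using documentation IP ranges), and the script only surfaces lines for manual review; it does not decide that anything is malicious.

```python
"""Triage heuristics over HijackThis-style log lines.

Added example (not HijackThis or ComboFix code). It surfaces lines a
reviewer chasing browser redirects would want to look at by hand.
"""
import re
from ipaddress import ip_address, ip_network

# Assumption: the reviewer supplies the DNS resolvers they expect on this
# machine (ISP or router addresses). 192.0.2.0/24 is a documentation range
# used here only as a constructed placeholder.
EXPECTED_RESOLVERS = {ip_network("192.0.2.0/24")}

# HijackThis lines look like "O17 - <body>", "R1 - <body>", etc.
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.I)
# ComboFix dumps the firewall policy as: "EnableFirewall"= 0 (0x0)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


def _resolver_unexpected(ip_text: str) -> bool:
    """True when the resolver is unparsable or outside the expected set."""
    try:
        ip = ip_address(ip_text.strip())
    except ValueError:
        return True
    return not any(ip in net for net in EXPECTED_RESOLVERS)


def triage_line(line: str):
    """Return (kind, reason) if the line deserves review, else None."""
    text = line.strip()
    if FIREWALL_OFF_RE.match(text):
        return ("firewall", "Windows Firewall disabled in the standard profile")
    m = LINE_RE.match(text)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O17":
        # O17 entries set the DNS servers for an interface; an unexpected
        # resolver is one explanation for site redirects.
        ns = NAMESERVER_RE.search(body)
        if ns:
            for ip_text in ns.group(1).split(","):
                if _resolver_unexpected(ip_text):
                    return (kind, f"DNS server {ip_text} not in expected set")
    if "(file missing)" in body or "(no file)" in body:
        # Orphaned registry references: leftovers of a removed program.
        return (kind, "entry points at a missing file")
    if kind in ("O2", "O4", "O20") and TEMP_DIR_RE.search(body):
        # BHOs, Run keys and Winlogon notifies rarely live in temp folders.
        return (kind, "loads from a temp directory")
    return None


def triage(log_text: str):
    """Run triage_line over a whole log; return (kind, reason, line) tuples."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


# Constructed sample lines in HijackThis / ComboFix format (not from a real host).
SAMPLE_LOG = r"""
"EnableFirewall"= 0 (0x0)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O9 - Extra button: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\example.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 198.51.100.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.0.2.53,192.0.2.54
"""

if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

The O17 check is the one most directly tied to the redirect symptom in this thread: a resolver the user did not configure can send bookmarked hostnames anywhere, while the browser, the autostart entries and the file system all look clean. Compare any flagged address against the router's DHCP settings and the ISP's published resolvers before treating it as a finding.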

· TSF Security Manager, Emeritus · 42,952 Posts
You're welcome, RustyKSU. : )

The log is looking much better, but it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

· Registered · 4 Posts · Discussion Starter · #6
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 07, 2008 7:28:06 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/06/2008
Kaspersky Anti-Virus database records: 836369
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 74128
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:14:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b4ffe5ac45ad5f10fcc52285e30dcb5a_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\PC Tools\ThreatFire\Orig.db Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Russell\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Russell\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Russell\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Russell\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_57c.dat Object is locked skipped
C:\WINDOWS\temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\change.log Object is locked skipped

Scan process completed.

· TSF Security Manager, Emeritus · 42,952 Posts
Hi RustyKSU,

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.