TechSpot

Browser hijack

By Jaggs
Sep 27, 2010
  1. Thanks Bobbye for taking a look at this for me.

    I was being redirected in IE and Firefox. I have up-to-date Avast... Adaware... Spybot S&D... Spy Blaster.

    I ran full system scan using all the above..
    then tried Malwarebytes Anti-Malware.. Quick Heal.. Super Anti Spyware

    Found I was infected with the following...
    slirsredirect ...trojan Agent ATV ... Win 32..adware Vapsup.5 w32.zmist...w97m.class D.
    Removed all but ...Still had the slirsredirect problem.

    I did all this before I came to this forum.. :blush:

    Upon reading the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    I downloaded TFC and ran that...and then Ran MBAM again... (Log Posted below)

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4680

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.11

    9/24/2010 7:23:24 PM
    mbam-log-2010-09-24 (19-23-24).txt

    Scan type: Quick scan
    Objects scanned: 155506
    Time elapsed: 6 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    I quarantined the registry above and the problem was resolved... No more redirect

    computer is running good again... re-ran all the above programs.. No problems found..
    Do I need to run GMER?
    Thanks again... You people are super...Jaggs
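The log above reports exactly one item: the Homepage value under the Internet Explorer `Policies` key, which MBAM classifies as `Hijack.Homepage` (a value a hijacker sets there locks the home page so the user cannot change it back). As an added example that is not part of the original thread, here is a small Python parser for MBAM 1.x quick-scan logs in this format. It reads the header fields, the summary counts and the per-category detail lines into a structure, cross-checks that the counts match the items actually listed, and lists anything MBAM reported but did not quarantine or delete. The sample is the log pasted above, trimmed to the sections the parser needs; the regexes, dataclasses and function names are my own assumptions about the format, not a Malwarebytes API.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the quick-scan log from the post above, trimmed to the
# header, the summary counts and two detail sections.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4680

Scan type: Quick scan
Objects scanned: 155506

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""


@dataclass
class Finding:
    category: str   # summary category, e.g. "Registry Data Items Infected"
    path: str       # file or registry path MBAM reported
    detection: str  # classification in parentheses, e.g. "Hijack.Homepage"
    action: str     # trailing action text, e.g. "Quarantined and deleted successfully."


@dataclass
class MbamReport:
    version: str = ""
    database_version: str = ""
    scan_type: str = ""
    counts: dict = field(default_factory=dict)    # category -> summary count
    findings: list = field(default_factory=list)  # Finding objects in log order


COUNT_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # "X Infected: 1"
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")            # "X Infected:"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text: str) -> MbamReport:
    """Parse an MBAM 1.x text log (format as assumed from the post above)."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.rsplit(" ", 1)[1]
            continue
        if line.startswith("Database version: "):
            report.database_version = line.split(": ", 1)[1]
            continue
        if line.startswith("Scan type: "):
            report.scan_type = line.split(": ", 1)[1]
            continue
        m = COUNT_RE.match(line)
        if m:
            report.counts[m["cat"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["cat"]
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            # The last "->" segment is what MBAM did with the item.
            action = m["rest"].rsplit("-> ", 1)[-1].strip()
            report.findings.append(Finding(section, m["path"], m["det"], action))
    return report


def count_mismatches(report: MbamReport) -> list:
    """Categories whose summary count disagrees with the detail items parsed;
    a non-empty result means the log is truncated or the format drifted."""
    return [cat for cat, n in report.counts.items()
            if sum(1 for f in report.findings if f.category == cat) != n]


def unresolved(report: MbamReport) -> list:
    """Findings MBAM reported but did not quarantine or delete."""
    return [f for f in report.findings
            if not f.action.lower().startswith(("quarantined", "deleted"))]
```

Calling `parse_mbam_log(SAMPLE_MBAM_LOG)` returns one `Finding` with detection `Hijack.Homepage`; `count_mismatches` is empty for this log and `unresolved` is empty because the item was quarantined. On a log where those two lists are not empty, the summary numbers are not enough on their own and the detail lines need a second look.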
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Give me a chance to go over this and your prior post. I'm not real sure what you're asking.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Jaggs, did you want to continue with this? One malware problem can be resolved, but that does not mean all of the malware has been found and removed.
     
  4. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Hello Bobbye ... I just sent a reply but not sure where it went.. sorry if I did it wrong.

    Yes I would like to continue..I'm new at this and thought all was taken care of... Should I start from the beginning and do the steps over again and post the results?

    Thanks Jaggs
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I need a description of the current problem: getting redirected to a site you haven't chosen? Unfortunately, sometimes one problem gets resolved, but it does not mean all of the malware is gone and the files are fixed.

    We need to start at the beginning. Apparently you ran the programs yourself, but didn't leave logs for review and thought malware was gone.
    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, paste the logs for review in your next reply . You can use multiple posts for the logs if needed.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  6. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Hello Bobbye
    Thank you for sticking with me... I was having trouble using FireFox also IE... when I tried to search it would be redirected to a different site that had nothing to do with what I was searching for.. it gave me a "slirsredirect"...I tried super Anti Spyware Quick Heal (free ver.) updated Malwarebytes Adaware Avast Spybot and Spy blaster... during that process it found several trojans and removed them...after using TFC and Malwarebytes Anti-Malware, it found a registry key called HKEYCurrent_UserSoftware\Policies\Microsoft\Internet\Explorer\ControlPanel\Homepage.....
    Malwarebytes Anti-Malware removed the key... all was working well with the computer so I did not continue the eight steps...( Shame on Me)..
    So now as requested here are the Logs. I hope I have done them correctly... Thanks again for all your help..Jaggs

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4772

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.11

    10/7/2010 9:22:23 PM
    mbam-log-2010-10-07 (21-22-23).txt

    Scan type: Quick scan
    Objects scanned: 155302
    Time elapsed: 7 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ---------------------------------------------------------------------------------------------------------


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-10-07 21:35:42
    Windows 5.1.2600 Service Pack 2
    Running: 12r8sqrl.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxlyifog.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF38E2BAE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xF38E29D2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xF38E2B0C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----

    more to follow
     
  7. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Here are the rest of the logs
     

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The logs look pretty good Jaggs- just a few entries to remove. I'd like you to run the following to make sure we've checked everything:

    Question first: You have Comodo 'Group' installed, and in the installed programs list I see Comodo System-Cleaner. What is that? Okay to have Comodo firewall, but not AV since you have Avast.

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    ===================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please paste the logs in the next reply. Okay to use multiple posts if needed.
     
  9. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    The comodo is a cleaning program.. It cleans like the disk clean up on XP...I think only better.. Should I get rid of it...
    Will do combofix and report logs.. Thanks again.. Jaggs
     
  10. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Hello Bobbye

    I am sending the following logs for ComboFix and Eset Online . Thanks Jaggs
     

    Attached Files:

  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Also, when you open Notepad again for a log, please click on Format> Uncheck Word Wrap
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\temp01
    c:\program files\Firefox Setup 3.0.1.exe
    c:\program files\spybotsd160.exe
    c:\windows\system32\drivers\CFRMD.sys 
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "3c1807pd"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    Driver::
    CFRMD
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    I strongly suggest you remove this program: TweakNow RegCleaner. Most of us don't recommend using a registry cleaner.

    P2P File Sharing Warning:
    Are you aware of the Windows Peer-to-Peer Grouping and Peer Name Resolution Protocol (PNRP) being given access through the GloballyOpenPort?
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    =================================
    We'll finish with this: Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  12. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Hello Bobbye, Below is the "pasted" ComboFix txt... sorry. The TweakNow Reg Cleaner was installed to try and correct the problem with the redirect.. when it didn't work I uninstalled it ( with control panel) before starting the 8 step Virus removal . I checked and it isn't in control panel... is there something I need to do to remove it?? How do I stop the P2P? I don't share! I had Bearshare installed but haven't used it in a very long time... but it's not in Control panel... as far as I know that's the only program... Thanks Jaggs


    ComboFix 10-10-08.01 - Owner 10/10/2010 11:43:04.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.580 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\program files\Firefox Setup 3.0.1.exe"
    "c:\program files\spybotsd160.exe"
    "c:\program files\temp01"
    "c:\windows\system32\drivers\CFRMD.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Firefox Setup 3.0.1.exe
    c:\program files\spybotsd160.exe
    c:\program files\temp01

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_CFRMD


    ((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
    .

    2010-10-09 16:17 . 2010-10-09 16:17 -------- d-----w- c:\program files\ESET
    2010-10-07 17:45 . 2010-09-17 14:40 421888 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    2010-10-01 17:05 . 2010-10-01 17:11 -------- d-----w- c:\program files\Mystery in London
    2010-09-25 00:06 . 2010-05-23 21:50 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
    2010-09-25 00:06 . 2010-04-18 18:33 307200 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
    2010-09-25 00:06 . 2010-04-18 18:33 172032 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
    2010-09-23 05:35 . 2010-09-23 05:35 -------- d-----w- c:\documents and settings\Owner\Application DataComodoGroup
    2010-09-23 05:33 . 2010-09-23 05:33 -------- d-----w- c:\documents and settings\Owner\Application Data\ComodoGroup
    2010-09-23 05:32 . 2010-09-23 05:32 -------- d-----w- c:\program files\COMODO
    2010-09-23 03:33 . 2010-09-24 02:39 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-23 03:33 . 2010-09-23 03:33 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-23 03:32 . 2010-09-24 02:39 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-09-23 03:32 . 2010-09-30 22:41 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-09-23 02:43 . 2010-09-23 02:43 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcp71.dll
    2010-09-23 02:43 . 2010-09-23 02:43 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\jmc.dll
    2010-09-23 02:43 . 2010-09-23 02:43 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcr71.dll
    2010-09-23 02:42 . 2010-09-23 02:42 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-sse.dll
    2010-09-23 02:42 . 2010-09-23 02:42 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-d3d.dll
    2010-09-23 02:42 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-20 02:06 . 2010-09-20 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Eurotalk
    2010-09-19 18:40 . 2010-09-19 18:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PlayPond

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-10 15:36 . 2008-04-13 02:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-10-09 16:12 . 2008-04-13 02:50 -------- d-----w- c:\program files\SpywareBlaster
    2010-10-06 19:50 . 2006-08-02 14:15 -------- d-----w- c:\program files\Common Files\Adobe
    2010-09-24 23:59 . 2008-02-15 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-23 03:45 . 2008-07-01 03:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-23 02:54 . 2009-07-09 01:12 0 ----a-w- c:\windows\system32\drivers\crpf.sys
    2010-09-23 02:46 . 2007-09-21 03:22 -------- d-----w- c:\program files\Java
    2010-09-23 02:46 . 2007-09-21 03:21 -------- d-----w- c:\program files\Common Files\Java
    2010-09-23 02:28 . 2010-02-02 04:49 -------- d-----w- c:\documents and settings\Owner\Application Data\TweakNow RegCleaner
    2010-09-23 02:27 . 2008-02-16 19:41 -------- d-----w- c:\program files\Common Files\Intuit
    2010-09-22 01:43 . 2010-08-15 18:39 -------- d-----w- c:\program files\Common Files\Sandlot Shared
    2010-09-22 01:42 . 2009-04-20 05:19 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
    2010-09-13 03:49 . 2009-01-20 03:27 58 ---h--w- c:\windows\popcreg.dat
    2010-09-13 03:49 . 2009-01-20 03:27 20 ----a-w- c:\windows\popcinfot.dat
    2010-09-07 15:12 . 2010-08-09 21:07 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2008-06-29 04:43 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2008-06-29 04:43 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2008-06-29 04:43 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2008-06-29 04:43 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2008-06-29 04:43 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2008-06-29 04:43 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2008-06-29 04:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2008-06-29 04:43 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-08-30 21:11 . 2010-08-30 20:57 -------- d-----w- c:\documents and settings\Owner\Application Data\OurPictures
    2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-25 04:24 . 2010-08-15 18:41 -------- d-----w- c:\program files\Mystery Case Files - Madame Fate
    2010-08-25 01:30 . 2010-08-25 01:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Go-Go Gourmet Chef of the Year
    2010-08-21 05:26 . 2008-01-13 21:34 -------- d-----w- c:\documents and settings\Owner\Application Data\NeroDCTemplates
    2010-08-16 02:58 . 2010-08-16 02:58 -------- d-----w- c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers
    2010-08-16 02:41 . 2010-01-20 05:08 -------- d-----w- c:\program files\DVDVideoSoft
    2010-08-15 18:43 . 2010-08-15 18:43 -------- d-----w- c:\program files\Best Buy Games
    2010-08-15 18:39 . 2009-01-20 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
    2010-08-15 18:39 . 2010-08-15 18:38 -------- d-----w- c:\program files\Glyph
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-03 5244216]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-30 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
    "nwiz"="nwiz.exe" [2008-05-03 1630208]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
    "HostManager"="c:\program files\Common Files\AOL\1190762739\ee\AOLSoftware.exe" [2008-06-24 41824]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALi5289]
    2005-03-10 06:56 405504 -c--a-w- c:\program files\ULI5289\ALi5289.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    2007-06-06 16:04 50736 ----a-w- c:\program files\AOL 9.0\aol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1190762739\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-03-03 17:32 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 16:24 1694208 --sh--w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2006-07-23 04:50 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-12-22 09:09 77824 -c--a-w- c:\windows\SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    2006-07-21 21:19 129536 ----a-w- c:\progra~1\Yahoo!\browser\ybrwicon.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1190762739\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\iWin Games\\WebUpdater.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\AOL 9.0\\waol.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/28/2010 1:14 AM 64288]
    R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [7/22/2006 3:51 PM 51840]
    R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [7/22/2006 3:51 PM 45056]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/29/2008 12:43 AM 165584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [7/24/2006 5:02 PM 84159]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/29/2008 12:43 AM 17744]
    R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 8:00 AM 14336]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1357464]
    R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [7/24/2006 5:02 PM 5318]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/11/2010 11:36 AM 15008]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:24]

    2010-09-24 c:\windows\Tasks\COMODO System Cleaner Update.job
    - c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 19:41]
    .
    .
    ---
     
  13. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Here is the rest of the scan... Thanks Jaggs

    ---- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/
    uInternet Settings,ProxyOverride = 127.0.0.1
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    IE: &Yahoo! Search
    IE: Free YouTube Download
    IE: Free YouTube to Mp3 Converter
    IE: Yahoo! &Dictionary
    IE: Yahoo! &Maps
    IE: Yahoo! &SMS
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
    FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    pref(dom.disable_open_during_load, true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-73586283-1284227242-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(600)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(1080)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~3\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\AOL\ACS\AOLacsd.exe
    c:\windows\System32\tcpsvcs.exe
    c:\windows\System32\snmp.exe
    c:\windows\wanmpsvc.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-10 12:04:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-10 16:03
    ComboFix2.txt 2010-10-09 16:07

    Pre-Run: 46,815,977,472 bytes free
    Post-Run: 46,754,963,456 bytes free

    - - End Of File - - 8AA0E48193524CF185539E13E6CEAE75
     
  14. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    I will do the HijackThis and send it on. Thanks, Jaggs
     
  15. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Hello Bobbye. As requested, HJT. Thanks again, Jaggs

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:54:32 PM, on 10/10/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17055)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\AOL\1190762739\ee\AOLSoftware.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1190762739\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154796310779
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 6279 bytes
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\windows\popcreg.dat
    c:\windows\popcinfot.dat
    
    Folder::
    c:\documents and settings\Owner\Application Data\TweakNow RegCleaner
    
    RegNull::
    [HKEY_USERS\S-1-5-21-73586283-1284227242-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\iWin Games\\WebUpdater.exe"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3587:TCP"=-
    "3540:UDP"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"=- 
    
    DDS::
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    IE: &Yahoo! Search
    IE: Free YouTube Download
    IE: Free YouTube to Mp3 Converter
    IE: Yahoo! &Dictionary
    IE: Yahoo! &Maps
    IE: Yahoo! &SMS
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
     
  17. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Hello Bobbye. Here it is... Thanks, Jaggs

    ComboFix 10-10-08.01 - Owner 10/12/2010 11:35:35.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.585 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\New Folder (2)\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    * Created a new restore point

    FILE ::
    "c:\windows\popcinfot.dat"
    "c:\windows\popcreg.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Application Data\TweakNow RegCleaner
    c:\documents and settings\Owner\Application Data\TweakNow RegCleaner\Backup\DiskCleaner_2%a1%a2010_11%b56%b27_P.zip
    c:\documents and settings\Owner\Application Data\TweakNow RegCleaner\Backup\DiskCleaner_8%a27%a2010_3%b31%b49_P.zip
    c:\documents and settings\Owner\Application Data\TweakNow RegCleaner\Backup\RegCleaner_2%a1%a2010_11%b51%b47_P.dat
    c:\windows\popcinfot.dat
    c:\windows\popcreg.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
    .

    2010-10-10 16:53 . 2010-10-10 16:53 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-07 17:45 . 2010-09-17 14:40 421888 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    2010-09-25 00:06 . 2010-05-23 21:50 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
    2010-09-25 00:06 . 2010-04-18 18:33 307200 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
    2010-09-25 00:06 . 2010-04-18 18:33 172032 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
    2010-09-23 05:33 . 2010-09-23 05:33 -------- d-----w- c:\documents and settings\Owner\Application Data\ComodoGroup
    2010-09-23 03:33 . 2010-09-24 02:39 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-23 03:33 . 2010-09-23 03:33 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-23 03:32 . 2010-09-24 02:39 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-09-23 02:43 . 2010-09-23 02:43 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcp71.dll
    2010-09-23 02:43 . 2010-09-23 02:43 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\jmc.dll
    2010-09-23 02:43 . 2010-09-23 02:43 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcr71.dll
    2010-09-23 02:42 . 2010-09-23 02:42 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-sse.dll
    2010-09-23 02:42 . 2010-09-23 02:42 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-d3d.dll
    2010-09-20 02:06 . 2010-09-20 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Eurotalk

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-10 16:53 . 2010-10-10 16:53 -------- d-----w- c:\program files\Trend Micro
    2010-10-10 15:36 . 2008-04-13 02:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-10-09 16:17 . 2010-10-09 16:17 -------- d-----w- c:\program files\ESET
    2010-10-09 16:12 . 2008-04-13 02:50 -------- d-----w- c:\program files\SpywareBlaster
    2010-10-06 19:50 . 2006-08-02 14:15 -------- d-----w- c:\program files\Common Files\Adobe
    2010-10-01 17:11 . 2010-10-01 17:05 -------- d-----w- c:\program files\Mystery in London
    2010-09-30 22:41 . 2010-09-23 03:32 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-09-24 23:59 . 2008-02-15 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-23 05:32 . 2010-09-23 05:32 -------- d-----w- c:\program files\COMODO
    2010-09-23 03:45 . 2008-07-01 03:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-23 02:54 . 2009-07-09 01:12 0 ----a-w- c:\windows\system32\drivers\crpf.sys
    2010-09-23 02:46 . 2007-09-21 03:22 -------- d-----w- c:\program files\Java
    2010-09-23 02:46 . 2007-09-21 03:21 -------- d-----w- c:\program files\Common Files\Java
    2010-09-23 02:27 . 2008-02-16 19:41 -------- d-----w- c:\program files\Common Files\Intuit
    2010-09-22 01:43 . 2010-08-15 18:39 -------- d-----w- c:\program files\Common Files\Sandlot Shared
    2010-09-22 01:42 . 2009-04-20 05:19 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
    2010-09-07 15:12 . 2010-08-09 21:07 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2008-06-29 04:43 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2008-06-29 04:43 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2008-06-29 04:43 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2008-06-29 04:43 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2008-06-29 04:43 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2008-06-29 04:43 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2008-06-29 04:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2008-06-29 04:43 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-08-30 21:11 . 2010-08-30 20:57 -------- d-----w- c:\documents and settings\Owner\Application Data\OurPictures
    2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-25 04:24 . 2010-08-15 18:41 -------- d-----w- c:\program files\Mystery Case Files - Madame Fate
    2010-08-25 01:30 . 2010-08-25 01:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Go-Go Gourmet Chef of the Year
    2010-08-21 05:26 . 2008-01-13 21:34 -------- d-----w- c:\documents and settings\Owner\Application Data\NeroDCTemplates
    2010-08-16 02:58 . 2010-08-16 02:58 -------- d-----w- c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers
    2010-08-16 02:41 . 2010-01-20 05:08 -------- d-----w- c:\program files\DVDVideoSoft
    2010-08-15 18:43 . 2010-08-15 18:43 -------- d-----w- c:\program files\Best Buy Games
    2010-08-15 18:39 . 2009-01-20 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
    2010-08-15 18:39 . 2010-08-15 18:38 -------- d-----w- c:\program files\Glyph
    2010-07-17 09:00 . 2010-09-23 02:42 423656 ----a-w- c:\windows\system32\deployJava1.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-03 5244216]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-30 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
    "nwiz"="nwiz.exe" [2008-05-03 1630208]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
    "HostManager"="c:\program files\Common Files\AOL\1190762739\ee\AOLSoftware.exe" [2008-06-24 41824]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALi5289]
    2005-03-10 06:56 405504 -c--a-w- c:\program files\ULI5289\ALi5289.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    2007-06-06 16:04 50736 ----a-w- c:\program files\AOL 9.0\aol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1190762739\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-03-03 17:32 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 16:24 1694208 --sh--w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2006-07-23 04:50 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-12-22 09:09 77824 -c--a-w- c:\windows\SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    2006-07-21 21:19 129536 ----a-w- c:\progra~1\Yahoo!\browser\ybrwicon.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1190762739\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\iWin Games\\WebUpdater.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\AOL 9.0\\waol.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/28/2010 1:14 AM 64288]
    R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [7/22/2006 3:51 PM 51840]
    R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [7/22/2006 3:51 PM 45056]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/29/2008 12:43 AM 165584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [7/24/2006 5:02 PM 84159]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/29/2008 12:43 AM 17744]
    R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 8:00 AM 14336]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1357464]
    R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [7/24/2006 5:02 PM 5318]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/11/2010 11:36 AM 15008]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:24]

    2010-09-24 c:\windows\Tasks\COMODO System Cleaner Update.job
    - c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 19:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/
    uInternet Settings,ProxyOverride = 127.0.0.1
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    IE: &Yahoo! Search
    IE: Free YouTube Download
    IE: Free YouTube to Mp3 Converter
    IE: Yahoo! &Dictionary
    IE: Yahoo! &Maps
    IE: Yahoo! &SMS
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
    FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    pref(dom.disable_open_during_load, true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-73586283-1284227242-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(600)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(252)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~3\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\System32\tcpsvcs.exe
    c:\windows\System32\snmp.exe
    c:\windows\wanmpsvc.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-12 11:58:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-12 15:58
    ComboFix2.txt 2010-10-10 16:04
    ComboFix3.txt 2010-10-09 16:07

    Pre-Run: 46,558,072,832 bytes free
    Post-Run: 46,536,761,344 bytes free

    - - End Of File - - 469BEF762135915223D7D21950704B4A
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you copy all of the script in Reply 16? Some of the entries I had are still showing in ComboFix.
     
  19. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Hello Bobbye. I thought I did... I'll run it again and post the log... Thanks, Jaggs
     
  20. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Hello Bobbye. ComboFix has an update which I didn't do yet, so it is in reduced function but started at stage 49... I didn't want to update unless it was OK'd by you to do so. The following is the log using the reduced ComboFix... Thanks, Jaggs

    ComboFix 10-10-08.01 - Owner 10/15/2010 15:37:30.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.544 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    * Created a new restore point
    .
    - REDUCED FUNCTIONALITY MODE -

    FILE ::
    "c:\windows\popcinfot.dat"
    "c:\windows\popcreg.dat"
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-15 to 2010-10-15 )))))))))))))))))))))))))))))))
    .

    2010-10-10 16:53 . 2010-10-10 16:53 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-10 16:53 . 2010-10-10 16:53 -------- d-----w- c:\program files\Trend Micro
    2010-10-09 16:17 . 2010-10-09 16:17 -------- d-----w- c:\program files\ESET
    2010-10-07 17:45 . 2010-09-17 14:40 421888 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    2010-10-01 17:05 . 2010-10-01 17:11 -------- d-----w- c:\program files\Mystery in London
    2010-09-25 00:06 . 2010-05-23 21:50 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
    2010-09-25 00:06 . 2010-04-18 18:33 307200 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
    2010-09-25 00:06 . 2010-04-18 18:33 172032 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
    2010-09-23 05:35 . 2010-09-23 05:35 -------- d-----w- c:\documents and settings\Owner\Application DataComodoGroup
    2010-09-23 05:33 . 2010-09-23 05:33 -------- d-----w- c:\documents and settings\Owner\Application Data\ComodoGroup
    2010-09-23 05:32 . 2010-09-23 05:32 -------- d-----w- c:\program files\COMODO
    2010-09-23 03:33 . 2010-09-24 02:39 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-23 03:33 . 2010-09-23 03:33 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-23 03:32 . 2010-09-24 02:39 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-09-23 03:32 . 2010-09-23 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-09-23 03:32 . 2010-09-30 22:41 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-09-23 02:43 . 2010-09-23 02:43 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcp71.dll
    2010-09-23 02:43 . 2010-09-23 02:43 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\jmc.dll
    2010-09-23 02:43 . 2010-09-23 02:43 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4cd98790-n\msvcr71.dll
    2010-09-23 02:42 . 2010-09-23 02:42 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-sse.dll
    2010-09-23 02:42 . 2010-09-23 02:42 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7fe31b41-n\decora-d3d.dll
    2010-09-23 02:42 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-20 02:06 . 2010-09-20 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Eurotalk
    2010-09-19 18:40 . 2010-09-19 18:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PlayPond

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-15 19:34 . 2008-04-13 02:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-10-13 01:19 . 2008-04-13 02:50 -------- d-----w- c:\program files\SpywareBlaster
    2010-10-06 19:50 . 2006-08-02 14:15 -------- d-----w- c:\program files\Common Files\Adobe
    2010-09-24 23:59 . 2008-02-15 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-23 03:45 . 2008-07-01 03:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-23 02:54 . 2009-07-09 01:12 0 ----a-w- c:\windows\system32\drivers\crpf.sys
    2010-09-23 02:46 . 2007-09-21 03:22 -------- d-----w- c:\program files\Java
    2010-09-23 02:46 . 2007-09-21 03:21 -------- d-----w- c:\program files\Common Files\Java
    2010-09-23 02:27 . 2008-02-16 19:41 -------- d-----w- c:\program files\Common Files\Intuit
    2010-09-22 01:43 . 2010-08-15 18:39 -------- d-----w- c:\program files\Common Files\Sandlot Shared
    2010-09-22 01:42 . 2009-04-20 05:19 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
    2010-09-07 15:12 . 2010-08-09 21:07 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2008-06-29 04:43 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2008-06-29 04:43 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2008-06-29 04:43 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2008-06-29 04:43 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2008-06-29 04:43 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2008-06-29 04:43 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2008-06-29 04:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2008-06-29 04:43 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-08-30 21:11 . 2010-08-30 20:57 -------- d-----w- c:\documents and settings\Owner\Application Data\OurPictures
    2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-27 16:27 . 2010-08-27 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-25 04:24 . 2010-08-15 18:41 -------- d-----w- c:\program files\Mystery Case Files - Madame Fate
    2010-08-25 01:30 . 2010-08-25 01:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Go-Go Gourmet Chef of the Year
    2010-08-21 05:26 . 2008-01-13 21:34 -------- d-----w- c:\documents and settings\Owner\Application Data\NeroDCTemplates
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-03 5244216]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-30 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
    "nwiz"="nwiz.exe" [2008-05-03 1630208]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
    "HostManager"="c:\program files\Common Files\AOL\1190762739\ee\AOLSoftware.exe" [2008-06-24 41824]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALi5289]
    2005-03-10 06:56 405504 -c--a-w- c:\program files\ULI5289\ALi5289.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    2007-06-06 16:04 50736 ----a-w- c:\program files\AOL 9.0\aol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1190762739\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-03-03 17:32 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 16:24 1694208 --sh--w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2006-07-23 04:50 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-12-22 09:09 77824 -c--a-w- c:\windows\SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    2006-07-21 21:19 129536 ----a-w- c:\progra~1\Yahoo!\browser\ybrwicon.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1190762739\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\iWin Games\\WebUpdater.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\AOL 9.0\\waol.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/28/2010 1:14 AM 64288]
    R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [7/22/2006 3:51 PM 51840]
    R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [7/22/2006 3:51 PM 45056]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/29/2008 12:43 AM 165584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [7/24/2006 5:02 PM 84159]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/29/2008 12:43 AM 17744]
    R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 8:00 AM 14336]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1357464]
    R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [7/24/2006 5:02 PM 5318]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/11/2010 11:36 AM 15008]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:24]

    2010-10-14 c:\windows\Tasks\COMODO System Cleaner Update.job
    - c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 19:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/
    uInternet Settings,ProxyOverride = 127.0.0.1
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    IE: &Yahoo! Search
    IE: Free YouTube Download
    IE: Free YouTube to Mp3 Converter
    IE: Yahoo! &Dictionary
    IE: Yahoo! &Maps
    IE: Yahoo! &SMS
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y7kv72dl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
    FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    pref(dom.disable_open_during_load, true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-73586283-1284227242-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(600)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3020)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~3\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\AOL\ACS\AOLacsd.exe
    c:\windows\System32\tcpsvcs.exe
    c:\windows\System32\snmp.exe
    c:\windows\wanmpsvc.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-15 15:55:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-15 19:55
    ComboFix2.txt 2010-10-12 15:58
    ComboFix3.txt 2010-10-10 16:04
    ComboFix4.txt 2010-10-09 16:07

    Pre-Run: 46,144,790,528 bytes free
    Post-Run: 46,200,246,272 bytes free

    - - End Of File - - FABE807770E291C80A3100556E7EA8DA
     
  21. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Hello Bobbye, haven't heard from you and was wondering if you had time to check out the log that I sent... and what the next step would be.
    Thanks, Jaggs
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- I'm backed up.

    When you run Combofix, please observe this:
    Are you having any current malware problems?
     
  23. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Hello Bobbye, welcome back... and a Happy Belated Birthday... I have had no issues with malware that I know of... however, I have been having an issue with the CPU spiking to 100% when reading e-mail on AOL... this happened after the Kill all fix... would that be another problem not related to the "redirect"? Thanks, Jaggs
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Nothing from the KillAll switch would have caused these. The only way to check the CPU is to see what processes are using it. We all have spikes now and then. The best way is to prepare for shutdown but don't shut down. Open the Task Manager> Double click on the frame over Processes: at this point you should only see use in taskmgr, System and System Idle. They should add up to 100% in the CPU. If you have any other processes at that time using more than 1 or 2 in the CPU column, put that process in a Google search and identify it.

    As for AOL mail, that's another department.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Thank you for the good wishes. Am paying for the day off though!
     
  25. Jaggs

    Jaggs TS Rookie Topic Starter Posts: 18

    Hello Bobbye, have done all that you have asked (with a few "DUHs" on my part) :)
    Computer is working fine..Back to what it was if not better than before all the problems... Have cleaned out and created a new restore point... removed all the previous restore points...

    I can never thank you enough for the help... But if I ever do need help again... ;)

    Thanks again
     