TechSpot

Internet Explorer redirects

By gdt55
Aug 20, 2010
  1. After I search using google or bing, when I click on the link I am redirected to another search engine.
    I used the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions.
    I am including the Anti-Malware log, and the DDS logs
    I have attached the GMER log and DDS Attach.txt log.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4451

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/20/2010 11:37:46 AM
    mbam-log-2010-08-20 (11-37-46).txt

    Scan type: Quick scan
    Objects scanned: 218707
    Time elapsed: 27 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by gtinker at 15:48:29.14 on Fri 08/20/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.170 [GMT -4:00]

    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    svchost.exe
    C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\AOL\1196737092\ee\AOLSoftware.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\gtinker\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Aim6]
    mRun: [HostManager] c:\program files\common files\aol\1196737092\ee\AOLSoftware.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
    mRun: [SM1BG] c:\windows\SM1BG.EXE
    mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
    mRun: [<NO NAME>]
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: myfairpoint.net
    Trusted Zone: turbotax.com
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activate.myfairpoint.net/sdccommon/download/FairPoint/tgctlcm.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196822536976
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-12-3 214664]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-12-3 486280]
    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 163840]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-8 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-12-3 144704]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-22 24652]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-12-3 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-12-3 35272]
    S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2003-7-10 96256]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-3 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-12-3 40552]
    S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2007-12-17 144512]
    S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2007-12-17 536768]
    S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-12-3 606736]

    =============== Created Last 30 ================

    2010-08-18 01:18:40 0 d-----w- c:\docume~1\gtinker\applic~1\Malwarebytes
    2010-08-18 01:17:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-18 01:17:53 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
    2010-08-18 01:17:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-18 01:17:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-17 01:54:29 0 d-sh--w- c:\documents and settings\gtinker\PrivacIE
    2010-08-17 01:38:09 0 d-sh--w- c:\documents and settings\gtinker\IETldCache
    2010-08-16 11:39:13 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-08-16 11:39:09 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-08-16 11:39:08 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-08-16 11:38:53 0 d-----w- c:\windows\ie8updates
    2010-08-16 11:36:58 16896 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-08-16 11:32:07 0 dc-h--w- c:\windows\ie8
    2010-08-15 21:40:16 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-15 21:40:16 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
    2010-08-07 19:30:02 52736 --sha-r- c:\windows\system32\resutilsd.dll

    ==================== Find3M ====================

    2010-08-20 15:28:06 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-15 19:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2003-08-27 19:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
    2008-09-06 21:21:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

    ============= FINISH: 15:49:52.28 ===============
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm pleased to say you have some clean logs here- so we'll look further. There is something you need to check though: It looks like you have both the McAfee Security Suite which would have a firewall and also the paid version of ZoneAlarm. (ZAPRO) You should only run one software firewall, so you should disable or remove one of the firewalls.

    Is the redirect happening in IE? Firefox? Other? All? What type of Search sites are you getting? Are you also getting any popups?

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix.
    ===========================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please paste the Combofix report in the next reply. Okay to split it if too big for one post.
    Okay to attach the Eset scan.
     
  3. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    Thanks for your help Bobbye.
    I have the firewall in McAfee disabled, it currently indicates I am using Zone Alarm Pro.
    I am only using IE and it sends me to sites like:
    Freshdeals
    Asklots
    Mamma

    I have run Combofix and NOD32 as directed, logs below.
    Problem still exists, waiting on further instructions.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # waol.exe=9.05.001
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=d3675695fd907d4994017abdf25c0a53
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-21 04:00:09
    # local_time=2010-08-21 12:00:09 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=5121 16776869 100 96 1520917 34359386 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 70 22012340 26366140 0 0
    # scanned=251170
    # found=7
    # cleaned=0
    # scan_time=12550
    C:\System Volume Information\_restore{17E930B8-328C-4C73-BED8-2DB3D536E90D}\RP1\A0000009.exe a variant of Win32/Kryptik.FWW trojan 00000000000000000000000000000000 I
    E:\WINDOWS\Downloaded Program Files\SbCIe01f.dll a variant of Win32/Adware.BHO.SideStep application 00000000000000000000000000000000 I
    E:\WINDOWS\Downloaded Program Files\SbCIe026.dll a variant of Win32/Adware.BHO.SideStep application 00000000000000000000000000000000 I
    E:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    E:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    I:\C-Drive\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    I:\C-Drive\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I


    ComboFix 10-08-19.02 - gtinker 08/20/2010 19:43:18.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.307 [GMT -4:00]
    Running from: c:\documents and settings\gtinker\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\Cache

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
    .

    2010-08-19 00:27 . 2010-08-19 00:27 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
    2010-08-18 01:18 . 2010-08-18 01:18 -------- d-----w- c:\documents and settings\gtinker\Application Data\Malwarebytes
    2010-08-18 01:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-18 01:17 . 2010-08-18 01:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-08-18 01:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-18 01:17 . 2010-08-18 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-17 05:23 . 2010-08-17 05:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-08-17 01:54 . 2010-08-17 01:54 -------- d-sh--w- c:\documents and settings\gtinker\PrivacIE
    2010-08-17 01:38 . 2010-08-17 01:38 -------- d-sh--w- c:\documents and settings\gtinker\IETldCache
    2010-08-16 11:39 . 2010-06-24 12:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-08-16 11:39 . 2010-06-24 12:21 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-08-16 11:39 . 2010-06-24 12:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-08-16 11:38 . 2010-08-17 07:04 -------- d-----w- c:\windows\ie8updates
    2010-08-16 11:36 . 2010-06-18 11:39 16896 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-08-16 11:32 . 2010-08-16 11:36 -------- dc-h--w- c:\windows\ie8
    2010-08-15 21:40 . 2010-08-15 21:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2010-08-15 21:40 . 2010-08-15 21:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-07 19:30 . 2010-08-07 19:30 52736 --sha-r- c:\windows\system32\resutilsd.dll
    2010-08-02 23:59 . 2010-08-02 23:59 503808 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31a15308-n\msvcp71.dll
    2010-08-02 23:59 . 2010-08-02 23:59 499712 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31a15308-n\jmc.dll
    2010-08-02 23:59 . 2010-08-02 23:59 12800 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6d1a82d7-n\decora-d3d.dll
    2010-08-02 23:59 . 2010-08-02 23:59 348160 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31a15308-n\msvcr71.dll
    2010-08-02 23:59 . 2010-08-02 23:59 61440 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6d1a82d7-n\decora-sse.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-20 20:37 . 2007-12-04 02:40 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-08-20 20:25 . 2009-11-07 02:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WinZip
    2010-08-20 19:44 . 2008-01-02 11:45 46189830 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
    2010-08-14 13:24 . 2008-09-05 12:51 -------- d-----w- c:\program files\Common Files\Java
    2010-08-14 13:21 . 2008-09-05 12:52 -------- d-----w- c:\program files\Java
    2010-08-13 08:34 . 2010-08-14 13:13 4994048 ----a-w- c:\windows\Internet Logs\xDB1CB.tmp
    2010-08-11 00:40 . 2007-12-09 23:22 -------- d-----w- c:\program files\Dl_cats
    2010-07-24 12:47 . 2007-12-04 03:10 -------- d-----w- c:\program files\McAfee
    2010-07-17 09:00 . 2010-04-16 19:02 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-15 19:18 . 2007-12-04 03:11 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-07-11 14:13 . 2007-12-10 17:16 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-30 12:31 . 2003-03-31 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2003-03-31 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2003-03-31 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2003-03-31 12:00 80384 ------w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2007-12-04 01:32 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-14 07:41 . 2006-09-13 05:09 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-05-28 00:55 . 2010-05-28 00:55 503808 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f512b4e-n\msvcp71.dll
    2010-05-28 00:55 . 2010-05-28 00:55 499712 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f512b4e-n\jmc.dll
    2010-05-28 00:55 . 2010-05-28 00:55 348160 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f512b4e-n\msvcr71.dll
    2010-05-28 00:55 . 2010-05-28 00:55 12800 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-515ae19d-n\decora-d3d.dll
    2010-05-28 00:55 . 2010-05-28 00:55 61440 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-515ae19d-n\decora-sse.dll
    2003-08-27 19:19 . 2008-11-14 23:15 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HostManager"="c:\program files\Common Files\AOL\1196737092\ee\AOLSoftware.exe" [2008-06-24 41824]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
    "DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-09 1695744]
    "SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-19 615696]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "TraySantaCruz"="c:\windows\system32\tbctray.exe" [2001-12-16 290816]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\aol\\1196737092\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 3:02 PM 163840]
    R3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [7/10/2003 11:09 AM 96256]
    S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [12/17/2007 10:11 AM 144512]
    S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [12/17/2007 10:11 AM 536768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 16:22]

    2010-07-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 16:22]
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: myfairpoint.net
    Trusted Zone: turbotax.com
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Aim6 - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-20 19:50
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-08-20 19:56:42
    ComboFix-quarantined-files.txt 2010-08-20 23:56

    Pre-Run: 58,711,859,200 bytes free
    Post-Run: 58,671,857,664 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 548A800DC697BAE81B2BDBCE1014475C
     
  4. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    Also I don't have popups with this problem.
    Sorry I missed that in your post.

    Thanks
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No problem. Sometimes popups come along- one less thing to worry about!

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      :Services
      :Reg
      
      :Files  
      E:\WINDOWS\Downloaded Program Files\SbCIe01f.dll 
      E:\WINDOWS\Downloaded Program Files\SbCIe026.dll 
      E:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe 
      E:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe 
      I:\C-Drive\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe 
      I:\C-Drive\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =================================
    There are 3 different drive letters with malware in Eset. We're moving malware entries from E and I here. But there was an infected Restore Point on C- we'll drop that off later.

    Can you give me some idea on how you use SUDS? And does it have a Cache to empty like temporary internet files in Java or IE? There are SUDS entries in the Combofix log and at this point, I'm not sure whether to include them in the script I will have you run.
     
  6. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    I have no idea what SUDS is.
    Not part of any program I am using.
    I'll send the logs shortly
     
  7. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    Here is the log.
    Thanks for all your help.

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    E:\WINDOWS\Downloaded Program Files\SbCIe01f.dll moved successfully.
    E:\WINDOWS\Downloaded Program Files\SbCIe026.dll moved successfully.
    E:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe moved successfully.
    E:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe moved successfully.
    I:\C-Drive\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe moved successfully.
    I:\C-Drive\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Administrator.BH49801
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: All Users.WINDOWS
    ->Flash cache emptied: 0 bytes

    User: atinker
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Dana
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Gary Tinker
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: gtinker
    ->Temp folder emptied: 98304 bytes
    ->Temporary Internet Files folder emptied: 3893985 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 4366 bytes

    User: kath
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 256 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 4.00 mb


    OTM by OldTimer - Version 3.1.15.0 log created on 08222010_215129

    Files moved on Reboot...
    C:\Documents and Settings\gtinker\Local Settings\Temp\~DFC818.tmp moved successfully.
    File C:\WINDOWS\temp\ZLT06992.TMP not found!

    Registry entries deleted on Reboot...
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this: Custom CFScript


    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]"Enabled"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into your next reply.
    ====================
    Please empty the Java cache:
    Control Panel> Java> Temporary internet files> Settings> Delete.
    Be sure you have the most current version: check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

    Recommend you remove all of these Domains from the Trusted Zone. The security is lower in the zone and nothing needs to be put there:
    Control Panel> Internet Options> Security tab> Trusted Sites> Sites> Highlight each of the following> click Remove for each:
    intuit.com\ttlc
    myfairpoint.net
    turbotax.com

    Click on OK> Apply> OK

    How is the system running now?

    Go ahead and download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  9. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    Hi Bobbye,
    I ran the script in ComboFix and pasted the log.
    Emptied the java cache, and deleted an old java app and confirmed I have the latest version installed.
    I also removed all of the domains in the trusted zone.
    Ran HijackThis and pasted the log in the next post.
    I no longer have redirects with IE. Everything seems to be fine.
    Thanks Much!

    ComboFix 10-08-23.01 - gtinker 08/23/2010 20:19:56.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.236 [GMT -4:00]
    Running from: c:\documents and settings\gtinker\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\gtinker\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))
    .

    2010-08-23 01:51 . 2010-08-23 01:51 -------- d-----w- C:\_OTM
    2010-08-21 00:23 . 2010-08-21 00:23 -------- d-----w- c:\program files\ESET
    2010-08-19 00:27 . 2010-08-19 00:27 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
    2010-08-18 01:18 . 2010-08-18 01:18 -------- d-----w- c:\documents and settings\gtinker\Application Data\Malwarebytes
    2010-08-18 01:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-18 01:17 . 2010-08-18 01:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-08-18 01:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-18 01:17 . 2010-08-18 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-17 05:23 . 2010-08-17 05:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-08-17 01:54 . 2010-08-17 01:54 -------- d-sh--w- c:\documents and settings\gtinker\PrivacIE
    2010-08-17 01:38 . 2010-08-17 01:38 -------- d-sh--w- c:\documents and settings\gtinker\IETldCache
    2010-08-16 11:39 . 2010-06-24 12:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-08-16 11:39 . 2010-06-24 12:21 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-08-16 11:39 . 2010-06-24 12:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-08-16 11:38 . 2010-08-17 07:04 -------- d-----w- c:\windows\ie8updates
    2010-08-16 11:36 . 2010-06-18 11:39 16896 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-08-16 11:32 . 2010-08-16 11:36 -------- dc-h--w- c:\windows\ie8
    2010-08-15 21:40 . 2010-08-15 21:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2010-08-15 21:40 . 2010-08-15 21:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-07 19:30 . 2010-08-07 19:30 52736 --sha-r- c:\windows\system32\resutilsd.dll
    2010-08-02 23:59 . 2010-08-02 23:59 503808 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31a15308-n\msvcp71.dll
    2010-08-02 23:59 . 2010-08-02 23:59 499712 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31a15308-n\jmc.dll
    2010-08-02 23:59 . 2010-08-02 23:59 12800 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6d1a82d7-n\decora-d3d.dll
    2010-08-02 23:59 . 2010-08-02 23:59 348160 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31a15308-n\msvcr71.dll
    2010-08-02 23:59 . 2010-08-02 23:59 61440 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6d1a82d7-n\decora-sse.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-24 00:03 . 2007-12-04 02:40 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-08-23 02:16 . 2008-01-02 11:45 33093057 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
    2010-08-20 20:25 . 2009-11-07 02:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WinZip
    2010-08-14 13:24 . 2008-09-05 12:51 -------- d-----w- c:\program files\Common Files\Java
    2010-08-14 13:21 . 2008-09-05 12:52 -------- d-----w- c:\program files\Java
    2010-08-13 08:34 . 2010-08-14 13:13 4994048 ----a-w- c:\windows\Internet Logs\xDB1CB.tmp
    2010-08-11 00:40 . 2007-12-09 23:22 -------- d-----w- c:\program files\Dl_cats
    2010-07-24 12:47 . 2007-12-04 03:10 -------- d-----w- c:\program files\McAfee
    2010-07-17 09:00 . 2010-04-16 19:02 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-15 19:18 . 2007-12-04 03:11 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-07-11 14:13 . 2007-12-10 17:16 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-06 15:41 . 2010-08-21 12:07 275784 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\WAOLFinder.exe
    2010-07-01 01:40 . 2010-08-21 12:07 319488 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_StraussUS\phx.dll
    2010-07-01 01:40 . 2010-08-21 12:07 319488 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\phx.dll
    2010-07-01 00:37 . 2010-08-21 12:07 319488 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\phx.dll
    2010-06-30 12:31 . 2003-03-31 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2003-03-31 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-22 05:03 . 2010-08-21 12:07 98304 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\proxymgr.dll
    2010-06-22 05:03 . 2010-08-21 12:07 23040 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\synccore.dll
    2010-06-21 19:32 . 2010-08-21 12:07 274432 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\phobos.dll
    2010-06-21 19:32 . 2010-08-21 12:07 106496 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\cerberus.dll
    2010-06-21 15:27 . 2003-03-31 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 21:02 . 2010-08-21 12:07 23040 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\synccore.dll
    2010-06-17 21:02 . 2010-08-21 12:07 114688 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\proxymgr.dll
    2010-06-17 14:03 . 2003-03-31 12:00 80384 ------w- c:\windows\system32\iccvid.dll
    2010-06-17 11:32 . 2010-08-21 12:07 274432 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\phobos.dll
    2010-06-17 11:32 . 2010-08-21 12:07 106496 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\cerberus.dll
    2010-06-16 19:39 . 2010-08-21 12:07 1615088 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\cddbcontrol.dll
    2010-06-16 19:39 . 2010-08-21 12:07 1615088 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_StraussUS\cddbcontrol.dll
    2010-06-16 19:39 . 2010-08-21 12:07 1615088 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\cddbcontrol.dll
    2010-06-16 07:11 . 2010-08-21 12:07 307200 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_StraussUS\phobos.dll
    2010-06-16 07:11 . 2010-08-21 12:07 106496 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_StraussUS\cerberus.dll
    2010-06-14 14:31 . 2007-12-04 01:32 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-14 07:41 . 2006-09-13 05:09 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-05-28 00:55 . 2010-05-28 00:55 503808 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f512b4e-n\msvcp71.dll
    2010-05-28 00:55 . 2010-05-28 00:55 499712 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f512b4e-n\jmc.dll
    2010-05-28 00:55 . 2010-05-28 00:55 348160 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f512b4e-n\msvcr71.dll
    2010-05-28 00:55 . 2010-05-28 00:55 12800 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-515ae19d-n\decora-d3d.dll
    2010-05-28 00:55 . 2010-05-28 00:55 61440 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-515ae19d-n\decora-sse.dll
    2003-08-27 19:19 . 2008-11-14 23:15 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-08-20_23.51.01 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-23 01:57 . 2010-08-23 01:57 16384 c:\windows\Temp\Perflib_Perfdata_6e0.dat
    + 2010-08-23 01:56 . 2010-08-23 01:56 16384 c:\windows\Temp\Perflib_Perfdata_100.dat
    - 2007-12-04 01:42 . 2010-08-20 21:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-12-04 01:42 . 2010-08-23 21:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-12-04 01:42 . 2010-08-20 21:00 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2010-08-21 01:43 . 2010-08-23 21:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2010-05-08 13:32 . 2010-08-20 20:10 223877 c:\windows\system32\inetsrv\MetaBase.bin
    + 2010-05-08 13:32 . 2010-08-23 02:00 223877 c:\windows\system32\inetsrv\MetaBase.bin
    + 2010-08-17 05:23 . 2010-08-23 21:57 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
    - 2010-08-17 05:23 . 2010-08-20 21:00 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HostManager"="c:\program files\Common Files\AOL\1196737092\ee\AOLSoftware.exe" [2008-06-24 41824]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
    "DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-09 1695744]
    "SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-19 615696]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "TraySantaCruz"="c:\windows\system32\tbctray.exe" [2001-12-16 290816]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\aol\\1196737092\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 3:02 PM 163840]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/22/2007 11:12 PM 24652]
    S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [7/10/2003 11:09 AM 96256]
    S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [12/17/2007 10:11 AM 144512]
    S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [12/17/2007 10:11 AM 536768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 16:22]

    2010-07-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 16:22]
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: myfairpoint.net
    Trusted Zone: turbotax.com
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-23 20:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-08-23 20:33:34
    ComboFix-quarantined-files.txt 2010-08-24 00:33
    ComboFix2.txt 2010-08-20 23:56

    Pre-Run: 55,684,624,384 bytes free
    Post-Run: 55,668,871,168 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 286032D003E2A10B204887C0818812A4
     
  10. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:57:57 PM, on 8/23/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\AOL\1196737092\ee\AOLSoftware.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1196737092\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activate.myfairpoint.net/sdccommon/download/FairPoint/tgctlcm.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196822536976
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CS3\Services\Tcpip\..\{35345092-B6FB-4F8E-A398-565C931D6E94}: NameServer = 192.168.2.1
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 9465 bytes
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry to take so long- but I went on a SUDS chase again. And I still wanted to identify the 17 AOL files you show in docs & settings.

    According to the entries I see, you have AOL as below:
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe>>> AOL Connectivity Service - starts an automatic function that restores the connection should you lose it while online. Negates having to go through the procedure of signing back on manually

    C:\Program Files\Common Files\AOL\1196737092\ee\AOLSoftware.exe>>> starts the AOL tray icon. Gives end-user's Internet connectivity status, the ability to launch a standalone dialer similar to Windows DUN and access to AOL diagnostic data.


    And you show the following versions in your AOL Profile:
    AOL StrausS>>> AOL 9.0 Security Edition (2004)
    AOL Ragarefresh>>> AOL Raga>>> v9 (2006)
    AOL Tarana>>> AOL v9.1 (2007)

    And each one has a particular function:
    One of these is cerberus.dll, an FTP Server. Another is cddbcontrol.dll which comes with Creative SoundBlaster. Another is phobos.dll which is known to be a vulnerability and cause stack overflows. And another is synccore.dll, which only identifies as a component from the software America Online version 9.0.1.

    The closest I could come to identifying "SUDS" was some kind of app that saves URLs and if it's a cache you should be able to delete the contents- same as Java, same as temporary internet files in IE. But you will have to search your system, in the AOL Profile for them.

    If these are a legitimate part of your Profile, I don't want to remove them. So I need you to advise me on what AOL version you're using, if you can find the cache in the Profile and better yet, advise me if you are still using AOL. If not, I'll move all the files for you.

    Check your History and see how long it's set to keep files, URLs
     
  12. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    Bobbye,
    I am only using AOL 9.1, the older versions are left over from when I changed hard drives. Drive E: used to be my C:
    I added a new drive as C: when I installed XP. I didn't format drive E and just used it to get to my old data.
    AOL is set to keep URLs the same as IE (7 days).
    If AOL is on drives E: or I: it is not being used.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- I missed this. See if this makes any sense to you: Goodness, it's clear as mud! SUDS comes from SOAP- now why didn't I think of that. And SOAP is a python client (Python is a scripting language) that provides a service proxy for Web Services. Clear, right? What I don't understand is why your user profile for AOL is on python.

    Well, my hunt stops here. Rule is: when you don't know> Don't! So I haven't moved any of the SUDS CACHE, but I sure recommend that you find it and empty it!! What bothers me is that 4 infections were found on SUDS CACHE setup. So I'd like you to reboot first- not a restart. Take the system all the way down to Off. Then startup and repeat the Eset scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    There are also a few entries in Combofix I want to move:
    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\Viewpoint\Common\ViewpointService.exe 
    c:\windows\Internet Logs\xDB1CB.tmp
    
    Folder::
    c:\program files\Dl_cats
    c:\windows\system32\drivers\srv.sys
    Registry::
    
    Driver::
    Viewpoint Manager Service
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    After I see these 2 logs, if there aren't any remaining problems, I'll have you remove the cleaning tools.
     
  14. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    Bobbye
    Thanks for all of your help! See logs below and next post.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # waol.exe=9.05.001
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=d3675695fd907d4994017abdf25c0a53
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-21 04:00:09
    # local_time=2010-08-21 12:00:09 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=5121 16776869 100 96 1520917 34359386 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 70 22012340 26366140 0 0
    # scanned=251170
    # found=7
    # cleaned=0
    # scan_time=12550
    C:\System Volume Information\_restore{17E930B8-328C-4C73-BED8-2DB3D536E90D}\RP1\A0000009.exe a variant of Win32/Kryptik.FWW trojan 00000000000000000000000000000000 I
    E:\WINDOWS\Downloaded Program Files\SbCIe01f.dll a variant of Win32/Adware.BHO.SideStep application 00000000000000000000000000000000 I
    E:\WINDOWS\Downloaded Program Files\SbCIe026.dll a variant of Win32/Adware.BHO.SideStep application 00000000000000000000000000000000 I
    E:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    E:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    I:\C-Drive\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    I:\C-Drive\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=d3675695fd907d4994017abdf25c0a53
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-27 03:45:32
    # local_time=2010-08-26 11:45:32 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16776869 100 96 2039390 34877859 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 70 22530813 26884613 0 0
    # scanned=251298
    # found=11
    # cleaned=0
    # scan_time=11602
    C:\System Volume Information\_restore{17E930B8-328C-4C73-BED8-2DB3D536E90D}\RP1\A0000009.exe a variant of Win32/Kryptik.FWW trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\08222010_215129\E_Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\08222010_215129\E_Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\08222010_215129\E_WINDOWS\Downloaded Program Files\SbCIe01f.dll a variant of Win32/Adware.BHO.SideStep application 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\08222010_215129\E_WINDOWS\Downloaded Program Files\SbCIe026.dll a variant of Win32/Adware.BHO.SideStep application 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\08222010_215129\I_C-Drive\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\08222010_215129\I_C-Drive\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    E:\System Volume Information\_restore{17E930B8-328C-4C73-BED8-2DB3D536E90D}\RP10\A0002189.dll a variant of Win32/Adware.BHO.SideStep application 00000000000000000000000000000000 I
    E:\System Volume Information\_restore{17E930B8-328C-4C73-BED8-2DB3D536E90D}\RP10\A0002190.dll a variant of Win32/Adware.BHO.SideStep application 00000000000000000000000000000000 I
    E:\System Volume Information\_restore{17E930B8-328C-4C73-BED8-2DB3D536E90D}\RP10\A0002191.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
    E:\System Volume Information\_restore{17E930B8-328C-4C73-BED8-2DB3D536E90D}\RP10\A0002192.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
     
  15. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    ComboFix log

    ComboFix 10-08-23.01 - gtinker 08/27/2010 6:58.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.252 [GMT -4:00]
    Running from: c:\documents and settings\gtinker\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\gtinker\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    * Created a new restore point

    FILE ::
    "c:\program files\Viewpoint\Common\ViewpointService.exe"
    "c:\windows\Internet Logs\xDB1CB.tmp"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Dl_cats
    c:\program files\Dl_cats\35NXQ81.A00
    c:\program files\Dl_cats\35NXQ81.A01
    c:\program files\Dl_cats\35NXQ81.A02
    c:\program files\Dl_cats\DLCFCATS.INI
    c:\program files\Dl_cats\dlcfdefs.xml
    c:\program files\Viewpoint\Common\ViewpointService.exe
    c:\windows\Internet Logs\xDB1CB.tmp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_VIEWPOINT_MANAGER_SERVICE
    -------\Service_Viewpoint Manager Service


    ((((((((((((((((((((((((( Files Created from 2010-07-27 to 2010-08-27 )))))))))))))))))))))))))))))))
    .

    2010-08-24 00:55 . 2010-08-24 00:55 -------- d-----w- c:\program files\Trend Micro
    2010-08-23 01:51 . 2010-08-23 01:51 -------- d-----w- C:\_OTM
    2010-08-21 00:23 . 2010-08-21 00:23 -------- d-----w- c:\program files\ESET
    2010-08-19 00:27 . 2010-08-19 00:27 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
    2010-08-18 01:18 . 2010-08-18 01:18 -------- d-----w- c:\documents and settings\gtinker\Application Data\Malwarebytes
    2010-08-18 01:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-18 01:17 . 2010-08-18 01:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-08-18 01:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-18 01:17 . 2010-08-18 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-17 05:23 . 2010-08-17 05:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-08-17 01:54 . 2010-08-17 01:54 -------- d-sh--w- c:\documents and settings\gtinker\PrivacIE
    2010-08-17 01:38 . 2010-08-17 01:38 -------- d-sh--w- c:\documents and settings\gtinker\IETldCache
    2010-08-16 11:39 . 2010-06-24 12:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-08-16 11:39 . 2010-06-24 12:21 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-08-16 11:39 . 2010-06-24 12:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-08-16 11:38 . 2010-08-17 07:04 -------- d-----w- c:\windows\ie8updates
    2010-08-16 11:36 . 2010-06-18 11:39 16896 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-08-16 11:32 . 2010-08-16 11:36 -------- dc-h--w- c:\windows\ie8
    2010-08-15 21:40 . 2010-08-15 21:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2010-08-15 21:40 . 2010-08-15 21:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-07 19:30 . 2010-08-07 19:30 52736 --sha-r- c:\windows\system32\resutilsd.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-27 10:51 . 2007-12-04 02:40 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-08-27 10:49 . 2008-01-02 11:45 64412210 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
    2010-08-25 00:19 . 2007-12-04 02:58 -------- d-----w- c:\program files\Common Files\aol
    2010-08-24 00:56 . 2010-08-24 00:56 388096 ----a-r- c:\documents and settings\gtinker\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-08-24 00:54 . 2008-09-05 12:52 -------- d-----w- c:\program files\Java
    2010-08-24 00:54 . 2008-09-05 12:51 -------- d-----w- c:\program files\Common Files\Java
    2010-08-20 20:25 . 2009-11-07 02:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WinZip
    2010-08-02 23:59 . 2010-08-02 23:59 503808 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31a15308-n\msvcp71.dll
    2010-08-02 23:59 . 2010-08-02 23:59 499712 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31a15308-n\jmc.dll
    2010-08-02 23:59 . 2010-08-02 23:59 12800 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6d1a82d7-n\decora-d3d.dll
    2010-08-02 23:59 . 2010-08-02 23:59 348160 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31a15308-n\msvcr71.dll
    2010-08-02 23:59 . 2010-08-02 23:59 61440 ----a-w- c:\documents and settings\gtinker\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6d1a82d7-n\decora-sse.dll
    2010-07-24 12:47 . 2007-12-04 03:10 -------- d-----w- c:\program files\McAfee
    2010-07-17 09:00 . 2010-04-16 19:02 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-15 19:18 . 2007-12-04 03:11 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-07-11 14:13 . 2007-12-10 17:16 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-06 15:41 . 2010-08-21 12:07 275784 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\WAOLFinder.exe
    2010-07-01 01:40 . 2010-08-21 12:07 319488 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_StraussUS\phx.dll
    2010-07-01 01:40 . 2010-08-21 12:07 319488 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\phx.dll
    2010-07-01 00:37 . 2010-08-21 12:07 319488 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\phx.dll
    2010-06-30 12:31 . 2003-03-31 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2003-03-31 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-22 05:03 . 2010-08-21 12:07 98304 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\proxymgr.dll
    2010-06-22 05:03 . 2010-08-21 12:07 23040 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\synccore.dll
    2010-06-21 19:32 . 2010-08-21 12:07 274432 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\phobos.dll
    2010-06-21 19:32 . 2010-08-21 12:07 106496 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\cerberus.dll
    2010-06-21 15:27 . 2003-03-31 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 21:02 . 2010-08-21 12:07 23040 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\synccore.dll
    2010-06-17 21:02 . 2010-08-21 12:07 114688 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\proxymgr.dll
    2010-06-17 14:03 . 2003-03-31 12:00 80384 ------w- c:\windows\system32\iccvid.dll
    2010-06-17 11:32 . 2010-08-21 12:07 274432 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\phobos.dll
    2010-06-17 11:32 . 2010-08-21 12:07 106496 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\cerberus.dll
    2010-06-16 19:39 . 2010-08-21 12:07 1615088 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_TaranaUS\cddbcontrol.dll
    2010-06-16 19:39 . 2010-08-21 12:07 1615088 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_StraussUS\cddbcontrol.dll
    2010-06-16 19:39 . 2010-08-21 12:07 1615088 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_RagarefreshUS\cddbcontrol.dll
    2010-06-16 07:11 . 2010-08-21 12:07 307200 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_StraussUS\phobos.dll
    2010-06-16 07:11 . 2010-08-21 12:07 106496 ------w- c:\documents and settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4517.12.4\TOD_StraussUS\cerberus.dll
    2010-06-14 14:31 . 2007-12-04 01:32 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-14 07:41 . 2006-09-13 05:09 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2003-08-27 19:19 . 2008-11-14 23:15 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HostManager"="c:\program files\Common Files\AOL\1196737092\ee\AOLSoftware.exe" [2008-06-24 41824]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
    "DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-09 1695744]
    "SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-19 615696]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "TraySantaCruz"="c:\windows\system32\tbctray.exe" [2001-12-16 290816]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\aol\\1196737092\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [7/10/2003 11:09 AM 96256]
    S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [12/17/2007 10:11 AM 144512]
    S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [12/17/2007 10:11 AM 536768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 16:22]

    2010-07-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 16:22]
    .
    .
    ------- Supplementary Scan -------
    .
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-27 07:15
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.EXE'(1324)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\HPZipm12.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\windows\System32\snmp.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\RUNDLL32.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-08-27 07:48:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-27 11:48
    ComboFix2.txt 2010-08-24 00:33
    ComboFix3.txt 2010-08-20 23:56

    Pre-Run: 57,324,015,616 bytes free
    Post-Run: 57,255,231,488 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 8FD2D725E124DDBBDDD7911E4EAC73F8
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    What is the status of the system now? Are there any more redirects?

    Finish up with this: Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\windows\Internet Logs\xDB1CB.tmp
    c:\windows\Temp\Perflib_Perfdata_6e0.dat
    c:\windows\Temp\Perflib_Perfdata_100.dat
    
    Folder::
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in to your next reply.
    ====================
    If the problems are gone and nothing else has shown up, I'll have you remove the cleaning tools.
     
  17. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    I'm not having any more redirects. Thanks so much for your help.
    Here is the ComboFix log.

    ComboFix 10-08-27.03 - gtinker 08/28/2010 17:15:43.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.286 [GMT -4:00]
    Running from: c:\documents and settings\gtinker\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\gtinker\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    FILE ::
    "c:\windows\Internet Logs\xDB1CB.tmp"
    "c:\windows\Temp\Perflib_Perfdata_100.dat"
    "c:\windows\Temp\Perflib_Perfdata_6e0.dat"
    .

    ((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-28 )))))))))))))))))))))))))))))))
    .

    2010-08-24 00:55 . 2010-08-24 00:55 -------- d-----w- c:\program files\Trend Micro
    2010-08-23 01:51 . 2010-08-23 01:51 -------- d-----w- C:\_OTM
    2010-08-21 00:23 . 2010-08-21 00:23 -------- d-----w- c:\program files\ESET
    2010-08-19 00:27 . 2010-08-19 00:27 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
    2010-08-18 01:18 . 2010-08-18 01:18 -------- d-----w- c:\documents and settings\gtinker\Application Data\Malwarebytes
    2010-08-18 01:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-18 01:17 . 2010-08-18 01:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-08-18 01:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-18 01:17 . 2010-08-18 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-17 05:23 . 2010-08-17 05:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-08-17 01:54 . 2010-08-17 01:54 -------- d-sh--w- c:\documents and settings\gtinker\PrivacIE
    2010-08-17 01:38 . 2010-08-17 01:38 -------- d-sh--w- c:\documents and settings\gtinker\IETldCache
    2010-08-16 11:39 . 2010-06-24 12:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-08-16 11:39 . 2010-06-24 12:21 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-08-16 11:39 . 2010-06-24 12:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-08-16 11:38 . 2010-08-17 07:04 -------- d-----w- c:\windows\ie8updates
    2010-08-16 11:36 . 2010-06-18 11:39 16896 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-08-16 11:32 . 2010-08-16 11:36 -------- dc-h--w- c:\windows\ie8
    2010-08-15 21:40 . 2010-08-15 21:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2010-08-15 21:40 . 2010-08-15 21:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-07 19:30 . 2010-08-07 19:30 52736 --sha-r- c:\windows\system32\resutilsd.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-28 15:35 . 2007-12-04 02:40 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-08-25 00:19 . 2007-12-04 02:58 -------- d-----w- c:\program files\Common Files\aol
    2010-08-24 00:54 . 2008-09-05 12:52 -------- d-----w- c:\program files\Java
    2010-08-24 00:54 . 2008-09-05 12:51 -------- d-----w- c:\program files\Common Files\Java
    2010-08-20 20:25 . 2009-11-07 02:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WinZip
    2010-07-24 12:47 . 2007-12-04 03:10 -------- d-----w- c:\program files\McAfee
    2010-07-17 09:00 . 2010-04-16 19:02 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-15 19:18 . 2007-12-04 03:11 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-07-11 14:13 . 2007-12-10 17:16 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-30 12:31 . 2003-03-31 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2003-03-31 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2003-03-31 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2003-03-31 12:00 80384 ------w- c:\windows\system32\iccvid.dll
    2010-06-14 07:41 . 2006-09-13 05:09 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2003-08-27 19:19 . 2008-11-14 23:15 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HostManager"="c:\program files\Common Files\AOL\1196737092\ee\AOLSoftware.exe" [2008-06-24 41824]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
    "DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-09 1695744]
    "SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-19 615696]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "TraySantaCruz"="c:\windows\system32\tbctray.exe" [2001-12-16 290816]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\aol\\1196737092\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 3:02 PM 163840]
    S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [7/10/2003 11:09 AM 96256]
    S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [12/17/2007 10:11 AM 144512]
    S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [12/17/2007 10:11 AM 536768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 16:22]

    2010-07-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 16:22]
    .
    .
    ------- Supplementary Scan -------
    .
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-28 17:31
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1780)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\System32\snmp.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\RUNDLL32.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-08-28 17:50:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-28 21:50
    ComboFix2.txt 2010-08-27 11:48
    ComboFix3.txt 2010-08-24 00:33
    ComboFix4.txt 2010-08-20 23:56

    Pre-Run: 60,045,033,472 bytes free
    Post-Run: 60,873,359,360 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 1F02623C12C521F4E55FD4FDE2B64B10
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay- looks good. Don't forget to turn the security back on.

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  19. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    Here is the HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:30:10 PM, on 8/31/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\AOL\1196737092\ee\AOLSoftware.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1196737092\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activate.myfairpoint.net/sdccommon/download/FairPoint/tgctlcm.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196822536976
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CS3\Services\Tcpip\..\{35345092-B6FB-4F8E-A398-565C931D6E94}: NameServer = 192.168.2.1
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 9241 bytes
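As an added example (not code from the thread, from HijackThis or from the helper), here is a small Python triage script for the HijackThis log format shown above. It parses the O2, O4 and O17 lines and reports what a reviewer asks about first when chasing browser redirects: a BHO whose DLL is missing (like the `(no file)` entry in this log), DNS servers outside local ranges, and Run entries not on an allow-list. The sample lines are taken from this log plus one constructed O17 line; the allow-list, the function names and the local-range definition are assumptions.

```python
"""Triage helper for HijackThis v2 log lines (added example, not thread code).

Parses the O2 (BHO), O4 (Run key) and O17 (DNS NameServer) entries of the
format shown in the thread and reports the items a helper looks at first when
chasing browser redirects. ALLOWED_RUN is an assumed reviewer allow-list, not
HijackThis data; SAMPLE_LOG is copied from the thread's log plus one invented
O17 line that uses a documentation-range address.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(O\d+|R[0-3]|F\d)\s+-\s+(.*)$")        # "O4 - <body>"
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")  # name, CLSID, path
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run\w*: \[([^\]]+)\]\s*(.*)$")
NS_RE = re.compile(r"NameServer = (.+)$")

# Ranges a home machine's DNS server is expected to sit in (RFC 1918,
# loopback, link-local).  Anything else deserves a question to the user.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumed allow-list of Run-key names the reviewer has already vetted.
ALLOWED_RUN = {"ZoneAlarm Client", "mcagent_exe", "HP Software Update"}

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CS3\Services\Tcpip\..\{35345092-B6FB-4F8E-A398-565C931D6E94}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 198.51.100.7,198.51.100.8
"""


@dataclass
class Entry:
    kind: str   # section code such as "O2", "O4", "O17"
    body: str   # everything after the " - " separator


def parse_hjt(text: str) -> list[Entry]:
    """Return the section entries of a HijackThis log; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def is_local(ip: str) -> bool:
    """True when the address falls in one of LOCAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def triage(entries: list[Entry], allowed_run: set[str] = ALLOWED_RUN) -> list[str]:
    """Return human-readable findings; an empty list means nothing to ask about."""
    findings = []
    for e in entries:
        if e.kind == "O2":
            m = BHO_RE.match(e.body)
            # A BHO that is registered but whose DLL is gone is an orphan.
            if m and m.group(3).strip().lower() == "(no file)":
                findings.append(f"O2 orphaned BHO {m.group(2)}: registered but DLL missing")
        elif e.kind == "O4":
            m = RUN_RE.match(e.body)
            if m and m.group(2) not in allowed_run:
                findings.append(f"O4 unreviewed autostart [{m.group(2)}]: {m.group(3)}")
        elif e.kind == "O17":
            m = NS_RE.search(e.body)
            if m:
                for ip in re.split(r"[,\s]+", m.group(1).strip()):
                    if ip and not is_local(ip):
                        findings.append(f"O17 DNS server outside local ranges: {ip}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_hjt(SAMPLE_LOG)):
        print(line)
```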
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Looks good! If problems have been resolved, you can now remove all of the tools we used and the files and folders they created.
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin

    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing ActiveX Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one)
      • Firewall (only one)
      • Antispyware: I recommend all of the following:
      • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
      • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
      • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      • Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.
    3. Stay current on updates:
      • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      • Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      • Check Java Updates: Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      • For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      • For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
    6. Remove Temporary Internet Files regularly:
      • ATF Cleaner by Atribune
      OR
      • TFC
    7. Disable and Enable System Restore:
      • See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    8. Practice Safe Email Handling:
      • Don't open email from anyone you don't know.
      • Don't open Attachments in the email. Save to your desktop and scan for viruses using a right-click.
      • Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
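As an added example (not code from the thread or from the MVPS project), here is a Python checker for the HOSTS-file mechanism described in item 2 above: a blocklist entry maps an unwanted hostname to 127.0.0.1 or 0.0.0.0 so the connection never leaves the machine. The script separates those blackhole entries from mappings that send a hostname to some other address, which is the shape a hosts-based redirect takes and one of the first things to check when a browser keeps redirecting. The sample file content, its hostnames and the function names are constructed for the example.

```python
"""Classify HOSTS-file entries (added example, not the thread's or MVPS's code).

A blocklist such as the MVPS HOSTS file maps unwanted hostnames to the local
machine (127.0.0.1 or 0.0.0.0), so the connection never leaves the box.  The
same file can also map a hostname to some other address, which is how a
hosts-based redirect works; this script separates the two so a reviewer sees
only the entries that need a question.  SAMPLE_HOSTS and its hostnames are
constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Addresses that "blackhole" a name: loopback or the unspecified address.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Names the stock Windows HOSTS file legitimately maps to loopback.
BUILTIN = {"localhost"}

SAMPLE_HOSTS = """\
# constructed sample, in the layout Windows uses
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.net adserver.example.net  # MVPS-style blackhole line
127.0.0.1 tracker.example.org
198.51.100.20 www.search-engine.example   # maps a real site elsewhere
not-an-address broken.example
"""


@dataclass
class HostsReport:
    blackholed: list[str] = field(default_factory=list)      # sent to local machine
    redirected: dict[str, str] = field(default_factory=dict)  # name -> other address
    malformed: list[str] = field(default_factory=list)       # lines that did not parse


def parse_hosts(text: str) -> HostsReport:
    """Walk a HOSTS file and sort each mapped hostname into the report."""
    report = HostsReport()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            report.malformed.append(raw)
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)        # first field must be an IP literal
        except ValueError:
            report.malformed.append(raw)
            continue
        for name in names:
            name = name.lower()
            if name in BUILTIN:
                continue
            if addr in BLACKHOLE:
                report.blackholed.append(name)
            else:
                report.redirected[name] = addr  # a hostname pointed somewhere real
    return report


def needs_review(report: HostsReport) -> bool:
    """True when any hostname is mapped to an address other than the local machine."""
    return bool(report.redirected)


if __name__ == "__main__":
    r = parse_hosts(SAMPLE_HOSTS)
    print("blackholed:", r.blackholed)
    print("redirected:", r.redirected)
    print("malformed :", r.malformed)
    print("needs review:", needs_review(r))
```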
     
  21. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    Bobbye,
    Thanks so much for your help. I started going through your instructions and when I got to download OTCleanIt, I noticed that the link didn't work. I then checked other links in your post and they didn't work either, even links I used in your earlier posts.
    Did a setting get changed or do I still have a problem?
     
  22. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    I should have told you that a window pops up when I click on the link and after a little while I get the message "Internet Explorer cannot display the webpage".
    I tried to refresh but that didn't work.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    All of the links I left work unless one changed in the past couple of days. When you say a link doesn't work, what happens when you click on the link?

    In the section Tips for added security and safer browsing, the links are in bold blue type. The strings of bold, underlined words in purple are just for emphasis; they are not links. Give me specific links and what happens when you click on them.
     
  24. gdt55

    gdt55 TS Rookie Topic Starter Posts: 67

    Bobbye,
    I'm sure all of the links you have sent me work correctly as I can use them when I am using AOL but not when using IE.
    Here is what happens using IE:
    I click on the link "OTCleanIt by OldTimer".
    A window pops up. I can see it is trying to connect. See attachment 1.
    Then I get the "Internet Explorer cannot display the webpage" message, as you can see in the attachment.
     

    Attached Files:

  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- the attachment is in .doc format. I don't open doc as it is a security risk for me.

    It sounds like you have the AOL Explorer set as the default browser.

    As far as I know, AOL Explorer is currently the name of the browser used in AOL and is available as an independent download or packaged with AIM Triton. When the browser starts up for the first time, it asks whether or not you would like to use it as the default browser and encourages users to display AIM Today content, if installed with AIM. Both of these are optional and can be denied.

    If you would like to have IE as the default browser, do this:

    Click on the Control Panel> Internet Options> Programs tab> check "Internet Explorer should check to see if it's my default browser"> then click on Apply> when you do that, a box should pop up and tell you that IE is not the default browser and ask if you would like it to be the default. If you would, check Yes> Apply> OK.

    Then open your AOL and find the place that has the comparable setting for default and uncheck it> Apply> OK.

    If the links have been working using AOL, that's okay, unless a program or scan says IE has to be used. There's nothing wrong with your setting> it's a choice you made. Now I'm telling you that you can change that choice if you would like to.

    Making any browser the default just means that when you call up a site or page on a site on the internet, it's going to open in the default browser. This may have changed for you when you downloaded AIM and didn't realize that you had the choice.
     