Trojan downloader - Google link hijacker

Post by AntSlice on Mon Dec 21, 2009 6:06 am

I'm not sure what the name of the virus is, but before I found this site I ran Malwarebytes many times after renaming the executable and removed many trojans, but they just keep coming. I also have McAfee through Comcast and I've run it a bunch, and I even ran an online virus scan from Microsoft at one point. I'll lose control over the computer and then regain it, and then something else goes down... it's been a frustrating week. Right now both Malwarebytes and McAfee show a clean system, but IE is having issues with non-secure websites loading (for some reason I can hit the secure ones), but I'm using Firefox at the moment. I don't know what to do at this point.

I was able to get a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:14 PM, on 12/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MSN Video Enhanced\MSNVE.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00110000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (11.5)) - [You must be registered and logged in to see this link.]
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} (Photo Upload Plugin Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - [You must be registered and logged in to see this link.]
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {b1aba221-a5fa-4a45-9c60-a86a27e182b2} - C:\WINDOWS\system32\mst123.dll
O21 - SSODL: puyokatih - {ec520845-f4ad-4e82-ae03-8334f9bf6006} - c:\windows\system32\jefotumo.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {ec520845-f4ad-4e82-ae03-8334f9bf6006} - c:\windows\system32\jefotumo.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 11574 bytes


Any help will be greatly appreciated.

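A defender's triage of the HijackThis log above, added here as an example (it is not part of the original post and not code from HijackThis or GeekPolice): it parses the R/O entries and flags the categories that matter in this thread, namely a loopback proxy, an O18 filter for text/html, O21/O22 shell autostarts, and unknown-owner services. The rule names, severity labels and explanations are this script's own; the sample lines are excerpted from the posted log.

```python
"""Triage a HijackThis 2.x log for the hijack patterns seen in this thread."""
import re
from typing import Dict, List

# A HijackThis entry is "<section> - <body>", e.g. "O18 - Filter hijack: ...".
ENTRY_RE = re.compile(r"^(?P<sect>R\d|O\d+) - (?P<body>.+)$")
# HijackThis appends "(file missing)" when the referenced module is absent on disk.
MISSING_RE = re.compile(r"\(file missing\)\s*$")
LOOPBACK_RE = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.I)
FILTER_RE = re.compile(
    r"^Filter hijack: (?P<mime>\S+) - (?P<clsid>\{[0-9a-f-]+\}) - (?P<path>.+)$", re.I)

# Constructed sample: lines excerpted from the HijackThis log posted above, plus
# one vendor-signed service and one well-known BHO so the rules have entries
# they should leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O18 - Filter hijack: text/html - {b1aba221-a5fa-4a45-9c60-a86a27e182b2} - C:\WINDOWS\system32\mst123.dll
O21 - SSODL: puyokatih - {ec520845-f4ad-4e82-ae03-8334f9bf6006} - c:\windows\system32\jefotumo.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {ec520845-f4ad-4e82-ae03-8334f9bf6006} - c:\windows\system32\jefotumo.dll (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Keep only the 'Rx - ' / 'Oxx - ' lines; the header, the running-process
    list and the 'End of file' trailer carry no section prefix and are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group("sect"), "body": m.group("body"),
                            "raw": raw.strip()})
    return entries


def _finding(rule: str, severity: str, entry: Dict[str, str], why: str) -> Dict[str, str]:
    return {"rule": rule, "severity": severity, "section": entry["section"],
            "line": entry["raw"], "why": why}


def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per suspicious entry, in log order."""
    findings: List[Dict[str, str]] = []
    for e in parse_entries(log_text):
        sect, body = e["section"], e["body"]
        if sect in ("R0", "R1") and "ProxyServer" in body:
            # Value is everything after the first '=', e.g. ' http=127.0.0.1:5555'.
            if LOOPBACK_RE.search(body.split("=", 1)[-1]):
                findings.append(_finding("loopback-proxy", "high", e,
                    "IE sends HTTP to a listener on this machine; whatever owns that port "
                    "sees and can rewrite every page, which fits hijacked search results."))
        elif sect == "O18":
            m = FILTER_RE.match(body)
            if m:
                findings.append(_finding("mime-filter-hijack", "high", e,
                    f"A MIME filter for {m.group('mime')} loads {m.group('path')} into IE "
                    "for every document of that type; legitimate software rarely registers one."))
        elif sect in ("O21", "O22"):
            kind = "SSODL" if sect == "O21" else "SharedTaskScheduler"
            why = (f"{kind} entries load a DLL into Explorer at logon and are rarely "
                   "used by legitimate software.")
            if MISSING_RE.search(body):
                why += " The DLL is already gone, but the registry entry will keep trying to load it."
            findings.append(_finding("shell-autostart", "high", e, why))
        elif sect == "O23" and "Unknown owner" in body:
            findings.append(_finding("unknown-owner-service", "info", e,
                "No vendor string in the service binary; check its digital signature and "
                "installer before deciding it is malicious."))
    return findings


def summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 4, 'info': 1} for SAMPLE_LOG."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:4}] {f['rule']:22} {f['line']}")
        print(f"        {f['why']}")
    print(summary(results))
```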

Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Mon Dec 21, 2009 9:20 am

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Dr. Jay (DJ)

I ran it but it couldn't update...

Post by AntSlice on Tue Dec 22, 2009 3:26 pm

For some reason Malwarebytes couldn't update and I got an error message that said, "An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team.

Error code: 732 (0, 0)"

I ran it anyway and it came up clean...here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

12/22/2009 8:19:06 AM
mbam-log-2009-12-22 (08-19-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 290923
Time elapsed: 1 hour(s), 21 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Tue Dec 22, 2009 7:21 pm

Please download [You must be registered and logged in to see this link.] to your desktop and run it.

  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file.
  • Call the .run file "redScan" and save it to your desktop. You will see the .run file on your desktop. Open Notepad, then click File > Open - locate the redScan file and open it in Notepad. Finally, copy all the results, and paste them here in your next reply.


Dr. Jay (DJ)



Re: Trojan downloader - Google link hijacker

Post by AntSlice on Wed Dec 23, 2009 3:33 am

Runscanner logfile

* = signed file
- = file not found

General info
------------
Computer name : DADDY-I
Creation time : 12/22/2009 8:23:30 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 8.0.6001.18702
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 3
RunScanner Version : 1.9.0.9
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

Running processes
-----------------
* C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
* C:\WINDOWS\System32\alg.exe (Microsoft Corporation)
* C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
C:\WINDOWS\System32\DSentry.exe (Dell - Advanced Desktop Engineering)
* C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
* C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
* C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
* C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
C:\WINDOWS\system32\LxrJD31s.exe
* C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
* c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (McAfee, Inc.)
* c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee, Inc.)
* C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
* C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (McAfee, Inc.)
* C:\WINDOWS\system32\dwwin.exe (Microsoft Corporation)
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
* C:\Program Files\MSN Video Enhanced\MSNVE.exe (Microsoft)
* C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (Juniper Networks)
* C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
* C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
* C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (McAfee, Inc.)
* C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
* C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation)
* C:\Documents and Settings\Jeff\Desktop\runscanner.exe (Runscanner.net)
* C:\WINDOWS\system32\services.exe (Microsoft Corporation)
* C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)
* C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\System32\smss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation)

Unrated items
-------------
002 * C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
002 C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
002 C:\WINDOWS\System32\DSentry.exe (Dell - Advanced Desktop Engineering)
002 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
002 * C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
002 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
002 * C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
002 C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
002 C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
002 * C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
002 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
010 C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (InstallDriver Table Manager)
010 C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel NCS NetService)
010 * C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (Juniper Network Connect Service)
010 C:\WINDOWS\system32\LxrJD31s.exe (Lexar JD31)
010 * c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (McAfee Network Agent)
010 * c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service)
010 * C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (McAfee Real-time Scanner)
010 * C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (McAfee Scanner)
010 * C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (McAfee Services)
010 * C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (McAfee SystemGuards)
010 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (NMIndexingService)
010 * C:\WINDOWS\system32\PnkBstrA.exe (PnkBstrA)
011 C:\WINDOWS\system32\drivers\drvmcdb.sys (drvmcdb)
011 C:\WINDOWS\system32\drivers\drvnddm.sys (drvnddm)
011 C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (DSproct)
011 * C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR ASPI Filter Driver)
011 * C:\WINDOWS\system32\Drivers\NEOFLTR_600_12023.SYS (Juniper Networks TDI Filter Driver (NEOFLTR_600_12023))
011 C:\WINDOWS\system32\Drivers\LxrJD31d.sys (LxrJD31d)
011 C:\WINDOWS\system32\drivers\MASPINT.sys (MASPINT)
011 * C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee Inc. mfeavfk)
011 * C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee Inc. mfebopk)
011 * C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee Inc. mfehidk)
011 * C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee Inc. mferkdk)
011 * C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee Inc. mfesmfk)
011 * C:\WINDOWS\System32\Drivers\Mpfp.sys (MPFP)
011 C:\WINDOWS\system32\drivers\MxlW2k.sys (MxlW2k)
011 C:\WINDOWS\System32\DRIVERS\omci.sys (OMCI WDM Device Driver)
011 C:\Program Files\PC Wizard 2004\pcwizard.sys (pcwe)
011 C:\WINDOWS\system32\drivers\sscdbhk5.sys (sscdbhk5)
011 C:\WINDOWS\system32\drivers\ssrtln.sys (ssrtln)
011 C:\WINDOWS\system32\dla\tfsnboio.sys (tfsnboio)
011 C:\WINDOWS\system32\dla\tfsncofs.sys (tfsncofs)
011 C:\WINDOWS\system32\dla\tfsndrct.sys (tfsndrct)
011 C:\WINDOWS\system32\dla\tfsndres.sys (tfsndres)
011 C:\WINDOWS\system32\dla\tfsnifs.sys (tfsnifs)
011 C:\WINDOWS\system32\dla\tfsnopio.sys (tfsnopio)
011 C:\WINDOWS\system32\dla\tfsnpool.sys (tfsnpool)
011 C:\WINDOWS\system32\dla\tfsnudf.sys (tfsnudf)
011 C:\WINDOWS\system32\dla\tfsnudfa.sys (tfsnudfa)
011 C:\WINDOWS\SYSTEM32\DRIVERS\VCdRom.sys (Virtual CD-ROM Device Driver)
031 C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}
031 C:\PROGRA~1\MSNMES~1\msgrapp.dll (Microsoft Corporation) {828030A1-22C1-4009-854F-8E305202313F}
042 GUID / CLSID not found {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
052 C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
061 C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions) {5CA3D70E-1895-11CF-8E15-001234567890}
061 C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll (Nero AG) {97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}
061 C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG) {B327765E-D724-4347-8B16-78AE18552FC3}
061 C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG) {7F1CF152-04F8-453A-B34C-E609530A9DC8}
061 C:\Program Files\Sonic\RecordNow!\shlext.dll (Sonic Solutions) {DEE12703-6333-4D4E-8F34-738C4DCC2E04}
061 C:\Program Files\Common Files\Folio Shared\fcshell4.dll (Folio) {39D328C0-C37A-11cf-BE99-0020AFD208B9}
061 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
062 C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG) {7D4D6379-F301-4311-BEBA-E26EB0561882}
069 C:\WINDOWS\system32\pdf995mon.dll
073 McDefragTask.job : c:\PROGRA~1\mcafee\mqc\QcConsol.exe (McAfee, Inc.)
073 McQcTask.job : c:\PROGRA~1\mcafee\mqc\QcConsol.exe (McAfee, Inc.)
100 Default_Page_URL HKCU : [You must be registered and logged in to see this link.]
100 ProxyServer HKCU : http=127.0.0.1:5555
100 ShellNext HKCU : [You must be registered and logged in to see this link.]
102 GUID / CLSID not found {32683183-48a0-441b-a342-7c2a440a9478}
104 C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx (Dell Computer Corp.) {01A88BB1-1174-41EC-ACCB-963509EAE56B}
104 * C:\WINDOWS\Downloaded Program Files\PhotoUploader5.ocx (The Facebook) {0CCA191D-13A6-4E29-B746-314DEE697D83}
104 C:\WINDOWS\DOWNLO~2\ipixx.ocx (Internet Pictures Corp.) {11260943-421B-11D0-8EAC-0000C07D88CF}
104 C:\WINDOWS\Downloaded Program Files\Photochannel.dll (PhotoChannel Networks) {26B2A5DA-BFD6-422F-A89A-28A54C74B12B}
104 GUID / CLSID not found {33564D57-0000-0010-8000-00AA00389B71}
104 GUID / CLSID not found {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
104 * C:\WINDOWS\Downloaded Program Files\contactx.dll (Facebook) {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C}
104 GUID / CLSID not found {7530BFB8-7293-4D34-9923-61A11451AFC5}
104 * C:\WINDOWS\Downloaded Program Files\PhotoUploader55.ocx (The Facebook) {8100D56A-5661-482C-BEE8-AFECE305D968}
104 GUID / CLSID not found {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
104 C:\WINDOWS\Downloaded Program Files\CONFLICT.2\Photochannel.dll (PhotoChannel Networks) {A1662FB6-39BE-41BB-ACDC-0448FB1B5817}
104 GUID / CLSID not found {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
104 GUID / CLSID not found {E3E02F12-2ADB-478C-8742-5F0819F9F0F4}
104 * C:\WINDOWS\DOWNLO~2\CONFLICT.1\JuniperSetup.ocx (Juniper Networks) {E5F5D008-DD2C-4D32-977D-1A0ADF03058B}
104 C:\WINDOWS\Downloaded Program Files\DigWebX2.dll (Microsoft Corporation) {FE5B9F54-7764-4C01-89F0-4862601EE954}
105 E&xport to Microsoft Excel : [You must be registered and logged in to see this link.]
105 Google Sidewiki... : [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
107 * C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
107 * C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
136 * C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
150 DisableSR : 1
170 Z : Z:\inst_32\autorun.exe
173 C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll (Nero AG) {73FCA462-9BD5-4065-A73F-A8E5F6904EF7}
173 * c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll (McAfee, Inc.) {01576F39-90DE-4D6E-A068-5B20C22BAAEE}
173 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
173 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
221 C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll (Nero AG) {73FCA462-9BD5-4065-A73F-A8E5F6904EF7}
221 * c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll (McAfee, Inc.) {01576F39-90DE-4D6E-A068-5B20C22BAAEE}
221 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
221 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
223 * C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
225 C:\Program Files\Common Files\Folio Shared\fcshell4.dll (Folio) {39D328C0-C37A-11cf-BE99-0020AFD208B9}
225 C:\Program Files\Common Files\Folio Shared\fcshell4.dll (Folio) {39D328C0-C37A-11cf-BE99-0020AFD208B9}
225 * C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
225 * C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
225 * c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll (McAfee, Inc.) {01576F39-90DE-4D6E-A068-5B20C22BAAEE}
225 * c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll (McAfee, Inc.) {01576F39-90DE-4D6E-A068-5B20C22BAAEE}
225 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
225 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
227 c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL (Novell, Inc., c/o Corel Corporation Limited) {C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}
227 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
231 C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll (Nero AG) NeroDigitalExt.NeroDigitalColumnHandler
251 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
253 c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL (Novell, Inc., c/o Corel Corporation Limited) {C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}

Missing files
-------------
003 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
008 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
009 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
010 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
011 C:\WINDOWS\system32\drivers\Atdisk.sys
011 C:\WINDOWS\system32\drivers\bvrp_pci.sys
011 C:\WINDOWS\system32\drivers\Changer.sys
011 System32\DRIVERS\wATV03nt.sys
011 C:\WINDOWS\system32\drivers\lbrtfdc.sys
011 C:\WINDOWS\system32\ndisdrv.sys
011 C:\WINDOWS\system32\drivers\PCIDump.sys
011 C:\WINDOWS\system32\drivers\PDCOMP.sys
011 C:\WINDOWS\system32\drivers\PDFRAME.sys
011 C:\WINDOWS\system32\drivers\PDRELI.sys
011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
011 C:\WINDOWS\system32\drivers\Simbad.sys
011 System32\DRIVERS\wanatw4.sys
011 C:\WINDOWS\system32\drivers\WDICA.sys
051 c:\windows\system32\jefotumo.dll
060 c:\windows\system32\jefotumo.dll
061 deskpan.dll
071 dijuboru.dll
071 nogorike.dll
073 c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
104 C:\WINDOWS\DOWNLO~1\ltocx11n.ocx


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Wed Dec 23, 2009 5:35 am

Please delete this file:
C:\WINDOWS\system32\PnkBstrA.exe

Download [You must be registered and logged in to see this link.]

  • Load SuperAntiSpyware and click the Check for updates button.
  • Once the update is finished click the Scan your computer button.
  • Check Perform Complete Scan and then next.
  • SuperAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log onto the forum.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Administrator
Administrator

Status :
Online
Offline

Posts : 13706
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Points : 144830
# Likes : 10

View user profile

Back to top Go down

Re: Trojan downloader - Google link hijacker

Post by AntSlice on Thu Dec 24, 2009 5:36 am

SUPERAntiSpyware Scan Log
[You must be registered and logged in to see this link.]

Generated 12/23/2009 at 10:03 PM

Application Version : 4.32.1000

Core Rules Database Version : 4379
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 00:40:28

Memory items scanned : 546
Memory threats detected : 0
Registry items scanned : 9417
Registry threats detected : 2
File items scanned : 32310
File threats detected : 155

Trojan.Unclassified/Helper-DD
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}

Adware.Tracking Cookie
C:\Documents and Settings\Jeff\Cookies\jeff@content.yieldmanager[4].txt
C:\Documents and Settings\Jeff\Cookies\jeff@ad.yieldmanager[2].txt
C:\Documents and Settings\Jeff\Cookies\jeff@invitemedia[1].txt
C:\Documents and Settings\Jeff\Cookies\jeff@adserver.adtechus[1].txt
C:\Documents and Settings\Jeff\Cookies\jeff@content.yieldmanager[5].txt
C:\Documents and Settings\Jeff\Cookies\jeff@[You must be registered and logged in to see this link.]
C:\Documents and Settings\Jeff\Cookies\jeff@content.yieldmanager[3].txt
C:\Documents and Settings\Jeff\Cookies\jeff@ad.yieldmanager[3].txt
C:\Documents and Settings\Jeff\Cookies\jeff@ad.yieldmanager[1].txt
C:\Documents and Settings\Jeff\Cookies\jeff@statcounter[1].txt
C:\Documents and Settings\Jeff\Cookies\jeff@content.yieldmanager[2].txt
C:\Documents and Settings\Jeff\Cookies\jeff@[You must be registered and logged in to see this link.]
C:\Documents and Settings\Jeff\Cookies\jeff@ads.e-planning[1].txt
C:\Documents and Settings\Jeff\Cookies\jeff@ad2.doublepimp[1].txt
C:\Documents and Settings\Jeff\Cookies\jeff@click.cashengines[2].txt
C:\Documents and Settings\Jeff\Cookies\jeff@ads.pointroll[1].txt
C:\Documents and Settings\Jeff\Cookies\jeff@adbrite[1].txt
C:\Documents and Settings\Jeff\Cookies\jeff@at.atwola[2].txt
C:\Documents and Settings\Jeff\Cookies\jeff@invitemedia[2].txt
C:\Documents and Settings\Jeff\Cookies\jeff@imrworldwide[2].txt
C:\Documents and Settings\Jeff\Cookies\jeff@pointroll[2].txt
C:\Documents and Settings\Jeff\Cookies\jeff@questionmarket[1].txt
C:\Documents and Settings\Jeff\Cookies\jeff@revsci[2].txt
C:\Documents and Settings\Jeff\Cookies\jeff@statcounter[3].txt
C:\Documents and Settings\Jeff\Cookies\jeff@stopzilla[1].txt
C:\Documents and Settings\Jeff\Cookies\jeff@tacoda[1].txt
C:\Documents and Settings\Jeff\Cookies\jeff@zedo[1].txt
C:\Documents and Settings\Kids\Cookies\kids@doubleclick[1].txt
C:\Documents and Settings\Kids\Cookies\kids@2o7[1].txt
C:\Documents and Settings\Kids\Cookies\kids@ads.pointroll[2].txt
C:\Documents and Settings\Kids\Cookies\kids@atdmt[2].txt
C:\Documents and Settings\Kids\Cookies\kids@ehg-dig.hitbox[1].txt
C:\Documents and Settings\Kids\Cookies\kids@hitbox[2].txt
C:\Documents and Settings\Kids\Cookies\kids@msnportal.112.2o7[1].txt
C:\Documents and Settings\Kids\Cookies\kids@serving-sys[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@cdn4.specificclick[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ads.yoyogames[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@www5.addfreestats[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@content.yieldmanager[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@content.yieldmanager[3].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@lucidmedia[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@server.cpmstar[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@insightexpressai[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@[You must be registered and logged in to see this link.]
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@[You must be registered and logged in to see this link.]
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@specificclick[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@sonyonlineentertainment.112.2o7[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ads.bsgonlinegames[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@interclick[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@dynamic.media.adrevolver[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@tribalfusion[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@crackle[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@serving-sys[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@chitika[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@burstnet[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ads.nebuadserving[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@oasn04.247realmedia[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ads.widgetbucks[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ads.scribefire[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ad.yieldmanager[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@[You must be registered and logged in to see this link.]
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@adserver.adtechus[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@adopt.specificclick[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@dc.tremormedia[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ads.pointroll[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@statse.webtrendslive[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@mediaplex[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@cdnh.tremormedia[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@bidsystem.adknowledge[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@cdnh.tremormedia[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@admarketplace[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@stats.adbrite[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@media.adrevolver[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ads.ad4game[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@tds.checkclick-go[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@advertising[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@rotator.adjuggler[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@media.adrevolver[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@collective-media[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@popularscreensavers[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@specificmedia[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@realmedia[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ehg-groupernetworks.hitbox[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ads.quixsurf[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@dr.findlinks[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@banner509[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@banners.battleon[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@fastclick[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@statcounter[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@2o7[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@trafficmp[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@www2.mystats[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@www2.mystats[3].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@media.mtvnservices[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@ads.imarketservices[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@atdmt[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@247realmedia[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@a1.interclick[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@adlegend[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@adrevolver[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@apmebf[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@banners2.battleon[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@bridge1.admarketplace[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@bs.serving-sys[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@c7.zedo[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@casalemedia[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@doubleclick[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@enhance[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@hitbox[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@kontera[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@linksynergy[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@media6degrees[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@overture[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@paypal.112.2o7[1].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@revsci[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@videoegg.adbureau[2].txt
C:\Documents and Settings\Kids\Local Settings\Temp\Cookies\kids@zedo[1].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@serving-sys[1].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@revsci[2].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@ad.yieldmanager[2].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@msnservices.112.2o7[1].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@zedo[2].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@burstnet[1].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@collective-media[1].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@apmebf[2].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@bs.serving-sys[2].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@2o7[2].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@fastclick[1].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@tribalfusion[1].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@mediatraffic[1].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@msnportal.112.2o7[1].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@specificclick[2].txt
C:\Documents and Settings\Mornie\Local Settings\Temp\Cookies\mornie@insightexpressai[1].txt
C:\WINDOWS\Temp\Cookies\jeff@questionmarket[1].txt
C:\WINDOWS\Temp\Cookies\jeff@2o7[2].txt
C:\WINDOWS\Temp\Cookies\jeff@atwola[1].txt
C:\WINDOWS\Temp\Cookies\jeff@edge.ru4[2].txt
C:\WINDOWS\Temp\Cookies\mornie@[You must be registered and logged in to see this link.]
C:\WINDOWS\Temp\Cookies\mornie@[You must be registered and logged in to see this link.]
C:\WINDOWS\Temp\Cookies\mornie@questionmarket[1].txt
C:\WINDOWS\Temp\Cookies\mornie@roiservice[1].txt
C:\WINDOWS\Temp\Cookies\mornie@audible.adbureau[1].txt
C:\WINDOWS\Temp\Cookies\mornie@kanoodle[1].txt
C:\WINDOWS\Temp\Cookies\mornie@atwola[1].txt
C:\WINDOWS\Temp\Cookies\mornie@tribalfusion[1].txt
C:\WINDOWS\Temp\Cookies\mornie@bizrate[1].txt
C:\WINDOWS\Temp\Cookies\mornie@2o7[1].txt
C:\WINDOWS\Temp\Cookies\mornie@msnportal.112.2o7[2].txt
C:\WINDOWS\Temp\Cookies\mornie@thunderbolt.adjuggler[1].txt
C:\WINDOWS\Temp\Cookies\mornie@insightexpressai[2].txt
C:\WINDOWS\Temp\Cookies\mornie@sbuilder-s.adbureau[1].txt
C:\WINDOWS\Temp\Cookies\mornie@rotator.dex.adjuggler[1].txt
C:\WINDOWS\Temp\Cookies\mornie@247realmedia[1].txt
C:\WINDOWS\Temp\Cookies\mornie@adv.webmd[1].txt


Re: Trojan downloader - Google link hijacker

Post by AntSlice on Thu Dec 24, 2009 5:39 am

For some reason I couldn't update SUPERAntiSpyware either... I get an error saying, "There was an error trying to retrieve definitions. Make sure your firewall is not blocking SUPERANTISPYWARE.EXE from accessing the Internet."

The log above is from running it without the update.


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Thu Dec 24, 2009 6:35 am

Please run the [You must be registered and logged in to see this link.]

  • Follow the Instruction [You must be registered and logged in to see this link.] for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.



Re: Trojan downloader - Google link hijacker

Post by AntSlice on Thu Dec 24, 2009 8:27 am

I couldn't run the F-Secure online scanner because Internet Explorer wasn't working (I was doing everything in Firefox), so I did a reset for IE (in the Advanced tab under Options) and now IE is working. It got me thinking about not being able to update the malware scanner programs, so I tried to update them and both Malwarebytes and SUPERAntiSpyware were able to do updates!

I'm going to rerun the scans for both and see if anything pops up, and then I'll do F-Secure and post the results.


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Thu Dec 24, 2009 1:08 pm

F-Secure works in Firefox.



Re: Trojan downloader - Google link hijacker

Post by AntSlice on Thu Dec 24, 2009 7:35 pm

Here's the first one...

Malwarebytes' Anti-Malware 1.42
Database version: 3423
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/24/2009 12:33:43 PM
mbam-log-2009-12-24 (12-33-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 309114
Time elapsed: 1 hour(s), 25 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\uvc7jk640c (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

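As an added example (not code from this thread or from Malwarebytes), here is a small parser for the Malwarebytes' Anti-Malware 1.x text log format posted above. Helpers on a forum like this read dozens of these pastes; the parser pulls out the header fields, the summary counts and each detection line (registry key or path, threat name, action taken), and then checks that the counts agree with the items actually listed, which catches a truncated paste. SAMPLE_LOG is the log from the post above, reproduced with its empty sections trimmed so the example runs offline.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into header fields, summary
counts and detection records, then check that the counts match the items listed.

Added example; not code from the thread or from Malwarebytes. SAMPLE_LOG is the
log posted in this thread, reproduced (empty sections trimmed) so this runs offline."""
import re

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.42
Database version: 3423
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/24/2009 12:33:43 PM
mbam-log-2009-12-24 (12-33-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 309114
Time elapsed: 1 hour(s), 25 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\uvc7jk640c (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected: 1" (summary line) or "Registry Keys Infected:" (section heading)
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?:\s*(?P<count>\d+))?$")
# "key-or-path (Threat.Name) -> Action taken."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# "Database version: 3423" and similar header fields (key must start with a letter,
# so the timestamp line "12/24/2009 12:33:43 PM" is not mistaken for one)
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<value>.*)$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return {'header': {...}, 'counts': {section: n}, 'detections': [...]}."""
    result = {"header": {}, "counts": {}, "detections": []}
    section = None  # name of the detail section we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is None:
                section = m.group("name")  # a detail section begins here
            else:
                result["counts"][m.group("name")] = int(m.group("count"))
            continue
        if section is not None:
            if line == NO_ITEMS:
                continue
            m = ITEM_RE.match(line)
            if m:
                result["detections"].append({"section": section, **m.groupdict()})
            continue
        m = HEADER_RE.match(line)
        if m:
            result["header"][m.group("key")] = m.group("value")
    return result


def check_counts(parsed):
    """Return {section: (summary_count, items_listed)} for every section whose
    summary count disagrees with the detections listed under it; empty means the
    paste is internally consistent."""
    listed = {}
    for d in parsed["detections"]:
        listed[d["section"]] = listed.get(d["section"], 0) + 1
    return {name: (n, listed.get(name, 0))
            for name, n in parsed["counts"].items() if n != listed.get(name, 0)}


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("Database version:", parsed["header"].get("Database version"))
    for d in parsed["detections"]:
        print(f"{d['section']}: {d['item']} [{d['threat']}] -> {d['action']}")
    print("count mismatches:", check_counts(parsed) or "none")
```

The same two regexes handle the Quick Scan log posted later in the thread, where every section is empty and `check_counts` returns nothing.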

Re: Trojan downloader - Google link hijacker

Post by AntSlice on Thu Dec 24, 2009 8:27 pm

SUPERAntiSpyware Scan Log
[You must be registered and logged in to see this link.]

Generated 12/24/2009 at 01:20 PM

Application Version : 4.32.1000

Core Rules Database Version : 4408
Trace Rules Database Version: 2241

Scan type : Complete Scan
Total Scan Time : 00:44:03

Memory items scanned : 511
Memory threats detected : 0
Registry items scanned : 9322
Registry threats detected : 0
File items scanned : 32239
File threats detected : 0


Re: Trojan downloader - Google link hijacker

Post by AntSlice on Thu Dec 24, 2009 11:24 pm

Report from F-scanner

Scanning Report
Thursday, December 24, 2009 13:36:34 - 16:22:04
Computer name: DADDY-II
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\


--------------------------------------------------------------------------------

2 malware found
Exploit.PDF-JS.Gen (spyware)
System (Disinfected)
TrackingCookie.Webtrends (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 56984
System: 5599
Not scanned: 7
Actions:
Disinfected: 2
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\MCMSC_MDUCSDAC5FEWQE0
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Sat Dec 26, 2009 2:48 am

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.



Re: Trojan downloader - Google link hijacker

Post by AntSlice on Sat Dec 26, 2009 10:40 pm

Malwarebytes' Anti-Malware 1.42
Database version: 3436
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/26/2009 3:39:03 PM
mbam-log-2009-12-26 (15-39-03).txt

Scan type: Quick Scan
Objects scanned: 140048
Time elapsed: 11 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Sun Dec 27, 2009 4:21 am

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that log.



Re: Trojan downloader - Google link hijacker

Post by AntSlice on Sun Dec 27, 2009 8:13 pm

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3 (UAC is disabled!)
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
McAfee SecurityCenter
``````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware Free Edition
HijackThis 2.0.2
Java(TM) 6 Update 17
Adobe Flash Player 10
Adobe Reader 7.0.8
Adobe Reader 9.2
Adobe Reader Japanese Fonts
CE Fonts Package For Adobe Reader
``````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Mon Dec 28, 2009 12:34 am

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


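The blocking HOSTS file recommended in the post above works by mapping known ad and malware hosts to 127.0.0.1, so the machine never reaches them. The same file is also a favourite place for link hijackers to pin a search engine or update server to an address of their choosing, which is worth checking when links keep redirecting after the scanners come back clean. The following is an added example, not code from this thread or from the HOSTS-file project it links: it parses a HOSTS file and separates the loopback "block" entries from entries that send a name somewhere else. The sample file, the addresses in it (198.51.100.7 is from the TEST-NET-2 documentation range) and the SENSITIVE_NAMES list are constructed for the example.

```python
"""Audit a Windows HOSTS file for the two kinds of entry a defender cares about:
loopback/unspecified "block" entries (what a blocking HOSTS file installs) and
entries that point a name at some other address (a classic link-hijack trick).

Added example; not part of the GeekPolice thread or of any HOSTS-file product.
The sample file and the SENSITIVE_NAMES list below are constructed for it."""
import ipaddress
import re

# Addresses a blocking HOSTS file legitimately maps unwanted names to.
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names a HOSTS file should never redirect elsewhere (constructed, illustrative list).
SENSITIVE_NAMES = {"google.com", "www.google.com",
                   "update.microsoft.com", "windowsupdate.microsoft.com"}

# Constructed sample in the style of a blocking HOSTS file, with one planted entry.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 ad.yieldmanager.com
127.0.0.1 content.yieldmanager.com
0.0.0.0   doubleclick.net
# the next line is the kind of entry a link hijacker plants (TEST-NET-2 address)
198.51.100.7 www.google.com
this is not a valid mapping
"""


def parse_hosts(text):
    """Return [(ip, hostname, line_no)] for every name mapped in a HOSTS file.

    Comments (# ...) are stripped, blank and malformed lines are skipped, and a
    line with several names yields one tuple per name."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address, so this is not a mapping
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def audit_hosts(text):
    """Classify each mapping as 'local' (localhost itself), 'blocked' (pointed at
    a block address) or 'redirect' (pointed anywhere else); a redirect of a
    sensitive name is additionally listed under 'suspicious'."""
    report = {"local": [], "blocked": [], "redirect": [], "suspicious": []}
    for ip, name, line_no in parse_hosts(text):
        entry = (name, ip, line_no)
        if name == "localhost":
            report["local"].append(entry)
        elif ip in BLOCK_ADDRESSES:
            report["blocked"].append(entry)
        else:
            report["redirect"].append(entry)
            if name in SENSITIVE_NAMES:
                report["suspicious"].append(entry)
    return report


if __name__ == "__main__":
    # On a live XP box, read C:\WINDOWS\system32\drivers\etc\hosts instead of the sample.
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for name, ip, line_no in entries:
            print(f"{kind:10} line {line_no}: {name} -> {ip}")
```

A long list of "blocked" entries is exactly what the recommended HOSTS file produces and is nothing to worry about; any "redirect" entry deserves a look, and a "suspicious" one is a direct explanation for search links landing on the wrong site in every browser at once, since HOSTS resolution sits below the browser.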

Re: Trojan downloader - Google link hijacker

Post by AntSlice on Tue Dec 29, 2009 7:05 pm

It seems like there aren't any viruses or malware but for some reason Google links are still redirecting to ad sites in both IE and Firefox.


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Tue Dec 29, 2009 10:57 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.



Re: Trojan downloader - Google link hijacker

Post by AntSlice on Wed Dec 30, 2009 6:31 am

OTL logfile created on: 12/29/2009 10:25:19 PM - Run 2
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Jeff\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.00 Mb Total Physical Memory | 398.00 Mb Available Physical Memory | 52.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1150 1350 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.85 Gb Total Space | 69.16 Gb Free Space | 29.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DADDY-II
Current User Name: Jeff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/29 17:25:37 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
PRC - [2009/12/19 17:01:37 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/19 17:01:37 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/12/16 16:26:56 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/11/10 23:08:18 | 00,417,792 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/09 22:03:36 | 00,423,280 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2006/10/16 18:40:00 | 01,197,648 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2006/10/11 11:45:12 | 00,075,304 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
PRC - [2006/04/15 07:18:42 | 00,071,168 | ---- | M] () -- C:\WINDOWS\SYSTEM32\LxrJD31s.exe
PRC - [2004/01/09 13:04:22 | 00,137,936 | ---- | M] (Microsoft) -- C:\Program Files\MSN Video Enhanced\MSNVE.exe
PRC - [2003/10/30 07:06:02 | 00,073,728 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\SYSTEM32\nvsvc32.exe
PRC - [2003/09/03 19:12:44 | 00,221,184 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
PRC - [2003/08/26 18:47:34 | 00,204,800 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\Media Experience\PCMService.exe
PRC - [2003/08/13 09:27:40 | 00,028,672 | ---- | M] (Dell - Advanced Desktop Engineering) -- C:\WINDOWS\SYSTEM32\DSentry.exe
PRC - [2003/08/06 00:04:00 | 00,114,741 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe


========== Modules (SafeList) ==========

MOD - [2009/12/29 17:25:37 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
MOD - [2006/10/04 21:07:12 | 00,144,936 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PnkBstrA)
SRV - File not found [On_Demand | Stopped] -- -- (NBService)
SRV - [2009/12/19 17:01:37 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/09/23 16:36:06 | 00,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/08/09 22:03:36 | 00,423,280 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2007/04/23 11:43:54 | 00,310,008 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - [2007/04/23 11:43:54 | 00,166,648 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9)
SRV - [2007/04/23 11:43:46 | 01,010,424 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)
SRV - [2007/04/22 20:29:34 | 00,088,824 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9)
SRV - [2007/04/22 20:29:32 | 00,359,160 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9)
SRV - [2007/03/07 14:47:46 | 00,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/01/15 16:01:56 | 00,266,240 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2006/04/15 07:18:42 | 00,071,168 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\LxrJD31s.exe -- (LxrJD31s)
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/10/30 07:06:02 | 00,073,728 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\nvsvc32.exe -- (NVSvc)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/03/03 12:33:40 | 00,143,360 | ---- | M] (Intel(R) Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2009/12/16 16:27:00 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/16 16:26:58 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/16 16:26:56 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 11:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys -- (MPFP)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/04/13 11:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys -- (usb_rndisx)
DRV - [2008/04/13 11:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 11:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys -- (Secdrv)
DRV - [2007/08/09 22:07:04 | 00,063,024 | ---- | M] (Juniper Networks) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NEOFLTR_600_12023.sys -- (NEOFLTR_600_12023) Juniper Networks TDI Filter Driver (NEOFLTR_600_12023)
DRV - [2007/04/10 16:05:34 | 00,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2007/03/23 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20)
DRV - [2007/02/25 11:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2007/01/18 10:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\RimSerial.sys -- (RimVSerPort)
DRV - [2006/11/07 19:02:04 | 00,022,272 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\RimUsb.sys -- (RimUsb)
DRV - [2006/10/05 15:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/04/15 07:18:42 | 00,069,824 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\LxrJD31d.sys -- (LxrJD31d)
DRV - [2005/11/12 10:23:00 | 00,028,256 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MxlW2k.sys -- (MxlW2k)
DRV - [2004/08/03 22:29:49 | 00,019,455 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 22:29:47 | 00,012,063 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 22:29:45 | 00,023,615 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 22:29:43 | 00,033,599 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 22:29:42 | 00,019,551 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 22:29:41 | 00,029,311 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 22:29:37 | 00,012,415 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 22:29:37 | 00,012,127 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 22:29:37 | 00,011,775 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/03 22:29:36 | 00,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/01/06 20:06:32 | 00,004,224 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Program Files\PC Wizard 2004\pcwizard.sys -- (pcwe)
DRV - [2003/11/20 21:14:28 | 00,646,825 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
DRV - [2003/11/20 21:13:40 | 01,232,741 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
DRV - [2003/11/20 21:12:56 | 00,059,717 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
DRV - [2003/11/20 21:12:42 | 00,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)
DRV - [2003/10/30 07:06:00 | 01,330,172 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)
DRV - [2003/08/06 00:04:00 | 00,100,373 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2003/08/06 00:04:00 | 00,098,068 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2003/08/06 00:04:00 | 00,083,284 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2003/08/06 00:04:00 | 00,034,837 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2003/08/06 00:04:00 | 00,025,685 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2003/08/06 00:04:00 | 00,014,229 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2003/08/06 00:04:00 | 00,006,357 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2003/08/06 00:04:00 | 00,004,117 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2003/08/06 00:04:00 | 00,002,233 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys -- (tfsndres)
DRV - [2003/07/31 02:21:00 | 00,084,576 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2003/07/14 10:28:40 | 00,005,621 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys -- (sscdbhk5)
DRV - [2003/07/14 10:28:22 | 00,023,219 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys -- (ssrtln)
DRV - [2003/06/20 01:56:00 | 00,040,448 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys -- (drvnddm)
DRV - [2003/06/18 13:52:18 | 00,578,176 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\smwdm.sys -- (smwdm)
DRV - [2003/03/04 10:56:26 | 00,145,408 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\e100b325.sys -- (E100B) Intel(R)
DRV - [2002/11/08 12:45:06 | 00,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/08/29 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS -- (Ptilink)
DRV - [2002/08/29 04:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ROOTMDM.SYS -- (ROOTMODEM)
DRV - [2002/04/01 13:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\aeaudio.sys -- (aeaudio)
DRV - [2001/12/19 11:45:00 | 00,008,576 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\VCdRom.sys -- (vcdrom)
DRV - [2001/08/17 13:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 13:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 13:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 13:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 13:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 12:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 12:53:32 | 00,003,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\qv2kux.sys -- (QV2KUX)
DRV - [2001/08/17 12:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 12:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 12:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 12:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 12:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 12:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 12:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 12:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 12:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 12:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 11:11:06 | 00,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)
DRV - [2000/03/29 16:11:20 | 00,008,096 | ---- | M] (MicroStaff Co.,Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MASPINT.SYS -- (MASPINT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4C 50 9E D0 71 84 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.01
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:7
FF - prefs.js..extensions.enabledItems: {86009AEF-9162-4EBC-B698-FF71D7B6B049}:1.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/19 16:26:40 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/19 17:33:04 | 00,000,000 | ---D | M]

[2008/10/05 15:24:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Extensions
[2009/12/28 22:59:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\i0lozl9b.default\extensions
[2009/12/24 13:28:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\i0lozl9b.default\extensions\fsonlinescanner@f-secure.com
[2009/12/27 01:40:38 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/09/03 19:19:19 | 00,000,000 | ---D | M] (SeekService) -- C:\Program Files\Mozilla Firefox\extensions\{86009AEF-9162-4EBC-B698-FF71D7B6B049}

O1 HOSTS File: (734 bytes) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [dla] C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
O4 - HKLM..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSN Video Enhanced] C:\Program Files\MSN Video Enhanced\MSNVE.exe (Microsoft)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [StorageGuard] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [Sonic RecordNow!] File not found
O4 - HKCU..\Run: [Steam] File not found
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O16 - DPF: {00110000-B1BA-11CE-ABC6-F5B2E79D9E3F} [You must be registered and logged in to see this link.] (LEAD Main Control (11.5))
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} [You must be registered and logged in to see this link.] (SysProWmi Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} [You must be registered and logged in to see this link.] (iPIX ActiveX Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} [You must be registered and logged in to see this link.] (Photo Upload Plugin Class)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} [You must be registered and logged in to see this link.] (ContactExtractor Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} [You must be registered and logged in to see this link.] (Photo Upload Plugin Class)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (get_atlcom Class)
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} [You must be registered and logged in to see this link.] (JuniperSetupControlXP Class)
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} [You must be registered and logged in to see this link.] (DigWebHelper Class)
O16 - DPF: Garmin Communicator Plug-In [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O21 - SSODL: puyokatih - {ec520845-f4ad-4e82-ae03-8334f9bf6006} - C:\WINDOWS\System32\jefotumo.dll File not found
O22 - SharedTaskScheduler: {ec520845-f4ad-4e82-ae03-8334f9bf6006} - kupuhivus - C:\WINDOWS\System32\jefotumo.dll File not found
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 07:59:58 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\Z\Shell - "" = AutoRun
O33 - MountPoints2\Z\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\Z\Shell\AutoRun\command - "" = Z:\inst_32\autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/29 17:25:24 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
[2009/12/28 22:23:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Application Data\GARMIN
[2009/12/28 22:15:22 | 00,000,000 | ---D | C] -- C:\Program Files\DIFX
[2009/12/28 22:15:05 | 00,000,000 | ---D | C] -- C:\Program Files\Garmin
[2009/12/28 22:11:15 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Jeff\PrivacIE
[2009/12/28 22:01:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Local Settings\Application Data\Scansoft
[2009/12/24 13:36:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2009/12/23 20:55:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/12/23 20:54:50 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/23 20:54:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Application Data\SUPERAntiSpyware.com
[2009/12/23 20:54:02 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/12/22 20:22:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Local Settings\Application Data\Runscanner.net
[2009/12/22 20:21:55 | 01,643,776 | ---- | C] (Runscanner.net) -- C:\Documents and Settings\Jeff\Desktop\runscanner.exe
[2009/12/22 08:40:43 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/22 08:40:41 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/22 08:40:40 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/22 08:39:58 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jeff\Desktop\20mbam-setup.exe
[2009/12/19 18:48:32 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Jeff\Desktop\HijackThis.exe
[2009/12/19 17:04:23 | 00,157,696 | ---- | C] (The RaProducts Team: Paul McLain and Fred de Vries) -- C:\Documents and Settings\Jeff\Desktop\JavaRa.exe
[2009/12/19 17:01:53 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/19 17:01:53 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/19 17:01:53 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/19 17:01:53 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/19 16:54:49 | 16,672,544 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Jeff\Desktop\jre-6u17-windows-i586.exe
[2009/12/19 16:54:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\My Documents\Downloads
[2009/12/19 16:25:25 | 08,086,544 | ---- | C] (Mozilla) -- C:\Documents and Settings\Jeff\Desktop\Firefox Setup 3.5.6.exe
[2009/12/19 01:38:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/12/19 01:37:56 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/12/19 01:37:49 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/12/19 01:02:43 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up
[2009/12/19 00:24:33 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2009/12/18 21:44:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/12/15 01:32:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/12/13 22:11:59 | 00,030,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ceqrvquc.sys
[2009/12/13 19:31:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/12/13 17:41:18 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/12/13 16:20:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2009/12/13 16:20:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2009/12/13 13:03:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Local Settings\Application Data\mopdjb
[2009/12/08 20:51:53 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/12/08 20:51:28 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/12/08 20:45:02 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/12/03 00:28:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/09/11 20:47:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/05/14 06:16:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/05/14 06:16:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2008/11/22 14:24:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2008/10/02 19:38:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2007/09/29 19:27:09 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/07/20 21:04:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/03/16 20:45:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/02/16 22:24:57 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/02/16 22:24:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Juniper Networks
[2007/02/16 22:14:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\MSNInstaller
[2007/02/16 22:14:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\MSN6
[2007/02/16 22:14:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2007/02/16 22:14:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
[2007/02/16 22:14:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Corel
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/29 18:00:00 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\gybwupgb.job
[2009/12/29 17:25:37 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
[2009/12/29 17:22:33 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/12/29 17:21:30 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/29 17:21:27 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/12/28 23:38:23 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Jeff\NTUSER.INI
[2009/12/28 23:38:22 | 12,058,624 | ---- | M] () -- C:\Documents and Settings\Jeff\ntuser.dat
[2009/12/28 23:16:21 | 00,109,752 | ---- | M] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/27 13:27:58 | 02,148,308 | -H-- | M] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\IconCache.db
[2009/12/27 13:10:45 | 00,843,187 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\SecurityCheck.exe
[2009/12/27 12:45:23 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/23 20:54:54 | 00,000,789 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/23 20:53:36 | 07,451,168 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\SUPERAntiSpyware.exe
[2009/12/22 20:22:00 | 01,643,776 | ---- | M] (Runscanner.net) -- C:\Documents and Settings\Jeff\Desktop\runscanner.exe
[2009/12/22 08:40:46 | 00,000,705 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/22 08:39:58 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jeff\Desktop\20mbam-setup.exe
[2009/12/21 06:00:00 | 00,000,392 | ---- | M] () -- C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (DADDY-Jeff).job
[2009/12/19 18:48:33 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Jeff\Desktop\HijackThis.exe
[2009/12/19 17:33:05 | 00,001,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/12/19 17:01:36 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/19 17:01:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/19 17:01:36 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/19 17:01:36 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/19 17:01:36 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/19 16:58:10 | 00,071,798 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\JavaRa.zip
[2009/12/19 16:55:21 | 16,672,544 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Jeff\Desktop\jre-6u17-windows-i586.exe
[2009/12/19 16:28:20 | 00,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/12/19 16:26:41 | 00,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/12/19 16:25:53 | 08,086,544 | ---- | M] (Mozilla) -- C:\Documents and Settings\Jeff\Desktop\Firefox Setup 3.5.6.exe
[2009/12/19 10:40:14 | 00,000,805 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\Shortcut to 22mbam.exe.lnk
[2009/12/19 09:54:46 | 00,505,894 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/19 09:54:46 | 00,444,450 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2009/12/19 09:54:46 | 00,072,326 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2009/12/19 03:16:45 | 00,383,224 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/19 02:21:59 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/19 00:25:19 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/18 15:54:30 | 00,000,682 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2009/12/15 01:44:14 | 00,000,338 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/12/14 08:34:00 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\yifuziwe
[2009/12/13 22:12:00 | 00,030,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ceqrvquc.sys
[2009/12/13 17:03:23 | 00,000,529 | -HS- | M] () -- C:\WINDOWS\System32\zayitala.exe
[2009/12/09 20:34:56 | 00,000,048 | ---- | M] () -- C:\WINDOWS\wpd99.drv
[2009/12/08 20:52:55 | 00,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/27 13:10:44 | 00,843,187 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\SecurityCheck.exe
[2009/12/23 20:54:54 | 00,000,789 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/23 20:53:35 | 07,451,168 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\SUPERAntiSpyware.exe
[2009/12/22 08:40:46 | 00,000,705 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/19 17:33:05 | 00,001,738 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/12/19 17:04:23 | 00,245,103 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\JavaRa.def
[2009/12/19 16:58:09 | 00,071,798 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\JavaRa.zip
[2009/12/19 10:40:14 | 00,000,805 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\Shortcut to 22mbam.exe.lnk
[2009/12/14 05:03:45 | 00,000,296 | ---- | C] () -- C:\WINDOWS\tasks\gybwupgb.job
[2009/12/13 17:03:23 | 00,000,529 | -HS- | C] () -- C:\WINDOWS\System32\zayitala.exe
[2009/12/08 20:52:55 | 00,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/07/06 21:26:21 | 00,045,132 | ---- | C] () -- C:\Documents and Settings\Jeff\Application Data\JuniperExtXP.exe
[2008/11/27 11:29:59 | 00,000,108 | ---- | C] () -- C:\WINDOWS\TLCAPPS.INI
[2008/10/08 20:42:37 | 00,012,998 | ---- | C] () -- C:\Documents and Settings\Jeff\Application Data\Comma Separated Values (Windows).CAL
[2008/01/09 21:20:59 | 00,000,123 | ---- | C] () -- C:\WINDOWS\AWOPR.INI
[2007/12/31 07:36:09 | 00,000,028 | ---- | C] () -- C:\WINDOWS\encore_launcher.ini
[2007/12/03 19:56:57 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2007/11/21 20:25:27 | 00,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/07/28 10:05:36 | 02,255,360 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2007/07/28 10:05:36 | 00,395,776 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2007/07/28 10:05:36 | 00,262,144 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2007/07/28 10:05:36 | 00,112,640 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2007/07/15 20:50:45 | 00,000,416 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/06/28 20:29:29 | 00,000,301 | ---- | C] () -- C:\WINDOWS\ARCADE.INI
[2007/04/02 20:43:16 | 00,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2007/02/24 11:14:31 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/02/21 23:20:36 | 00,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/02/16 21:57:48 | 00,002,508 | ---- | C] () -- C:\Documents and Settings\Jeff\Application Data\$_hpcst$.hpc
[2007/01/28 14:19:20 | 00,000,023 | ---- | C] () -- C:\WINDOWS\ZDPLUSSEARCH.INI
[2006/04/15 07:18:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\JDSecure31.INI
[2006/04/15 07:18:42 | 00,249,856 | ---- | C] () -- C:\WINDOWS\System32\LxrJD31.dll
[2006/04/15 07:18:42 | 00,069,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\LxrJD31d.sys
[2006/04/15 07:18:42 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\LxrJD20Sat.dll
[2006/02/24 12:45:06 | 00,000,170 | ---- | C] () -- C:\WINDOWS\HS.INI
[2006/01/11 14:13:17 | 00,000,636 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/05 10:12:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Textart.INI
[2005/08/09 22:14:05 | 00,001,536 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI
[2005/07/18 22:33:43 | 00,000,048 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2005/07/18 22:33:12 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2005/07/09 20:52:35 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2005/07/09 20:52:34 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2005/04/16 16:56:51 | 00,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL
[2005/04/16 16:56:51 | 00,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini
[2005/02/24 19:37:01 | 00,000,168 | ---- | C] () -- C:\WINDOWS\Clipbook.INI
[2004/12/23 18:46:24 | 00,000,347 | ---- | C] () -- C:\WINDOWS\CoDUO.INI
[2004/12/16 11:53:32 | 00,000,635 | ---- | C] () -- C:\WINDOWS\MMTVMJ.INI
[2004/10/26 15:39:05 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/08/22 22:39:17 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/08/19 23:12:43 | 00,000,195 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI
[2004/08/19 15:42:43 | 00,001,278 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2004/07/24 22:00:35 | 00,000,745 | ---- | C] () -- C:\WINDOWS\CoD.INI
[2004/07/16 19:40:41 | 00,000,060 | ---- | C] () -- C:\WINDOWS\mgallery.ini
[2004/07/16 19:40:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\asym.ini
[2004/07/02 22:51:36 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/03/21 13:36:31 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/03/19 21:35:21 | 00,000,023 | ---- | C] () -- C:\WINDOWS\System32\natbox.ini
[2004/03/19 20:45:47 | 00,061,678 | ---- | C] () -- C:\Documents and Settings\Jeff\Application Data\PFP110JPR.{PB
[2004/03/19 20:45:47 | 00,012,358 | ---- | C] () -- C:\Documents and Settings\Jeff\Application Data\PFP110JCM.{PB
[2004/03/14 14:09:58 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/03/14 14:01:42 | 00,000,258 | ---- | C] () -- C:\WINDOWS\System32\BDEMERGE.INI
[2004/03/14 13:58:05 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/03/14 13:54:08 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/03/14 13:39:05 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/03/14 13:26:46 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/08/13 21:54:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/08/15 11:59:42 | 00,503,808 | ---- | C] () -- C:\WINDOWS\System32\ICCProfiles.dll
[2002/05/02 19:33:26 | 00,004,720 | ---- | C] () -- C:\WINDOWS\System32\zeon98.dll
[2001/12/07 09:09:26 | 00,577,536 | ---- | C] () -- C:\WINDOWS\System32\heclib50.dll
[1997/06/13 18:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[1979/12/31 23:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 1432 bytes -> C:\WINDOWS\System32\drivers\ceqrvquc.sys:changelist
< End of report >

AntSlice

Re: Trojan downloader - Google link hijacker

Post by AntSlice on Wed Dec 30, 2009 6:33 am

OTL Extras logfile created on: 12/29/2009 5:26:38 PM - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Jeff\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.00 Mb Total Physical Memory | 320.00 Mb Available Physical Memory | 42.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 1150 1350 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.85 Gb Total Space | 69.24 Gb Free Space | 29.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DADDY-II
Current User Name: Jeff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJI PHOTO FILM CO.,LTD.)
Directory [FinePixPrint] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" /p "%1" (FUJI PHOTO FILM CO.,LTD.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Dynamix\Tribes2\GameData\Tribes2.exe" = C:\Dynamix\Tribes2\GameData\Tribes2.exe:*:Enabled:Tribes2 Launcher -- ()
"C:\Program Files\Valve\Steam\Steam.exe" = C:\Program Files\Valve\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\EA GAMES\MOHAA\moh_spearhead.exe" = C:\Program Files\EA GAMES\MOHAA\moh_spearhead.exe:*:Enabled:Medal of Honor Allied Assault(tm) Spearhead -- (Electronic Arts Inc.)
"C:\Program Files\Call of Duty\CoDMP.exe" = C:\Program Files\Call of Duty\CoDMP.exe:*:Enabled:CoDMP -- ()
"C:\Program Files\Call of Duty\CoDUOMP.exe" = C:\Program Files\Call of Duty\CoDUOMP.exe:*:Enabled:CoDUOMP -- ()
"C:\Program Files\Wolfenstein - Enemy Territory\ET.exe" = C:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET -- ()
"C:\Program Files\Valve\Steam\SteamApps\antslice\counter-strike\hl.exe" = C:\Program Files\Valve\Steam\SteamApps\antslice\counter-strike\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)
"C:\Program Files\Valve\Steam\SteamApps\antslice\half-life 2\hl2.exe" = C:\Program Files\Valve\Steam\SteamApps\antslice\half-life 2\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\Valve\Steam\SteamApps\antslice\counter-strike source\hl2.exe" = C:\Program Files\Valve\Steam\SteamApps\antslice\counter-strike source\hl2.exe:*:Disabled:hl2 -- ()
"C:\Program Files\EA GAMES\MOHAA\moh_Breakthrough.exe" = C:\Program Files\EA GAMES\MOHAA\moh_Breakthrough.exe:*:Enabled:Medal of Honor Allied Assault(tm) Breakthrough -- (Electronic Arts Inc.)
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\EA GAMES\MOHAA\MOHAA.exe" = C:\Program Files\EA GAMES\MOHAA\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault(tm) -- (Electronic Arts Inc.)
"C:\WINDOWS\SYSTEM32\dpnsvr.exe" = C:\WINDOWS\SYSTEM32\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server -- (Microsoft Corporation)
"C:\WINDOWS\SYSTEM32\dxdiag.exe" = C:\WINDOWS\SYSTEM32\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool -- (Microsoft Corporation)
"C:\WINDOWS\SYSTEM32\mmc.exe" = C:\WINDOWS\SYSTEM32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Age of Empires II\empires2.EXE" = C:\Program Files\Microsoft Games\Age of Empires II\empires2.EXE:*:Enabled:Age of Empires II -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\AGE2_X1.ICD" = C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\AGE2_X1.ICD:*:Enabled:Age of Empires II Expansion -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Age of Empires\EMPIRESX.EXE" = C:\Program Files\Microsoft Games\Age of Empires\EMPIRESX.EXE:*:Enabled:Age of Empires, the Rise of Rome -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Age of Empires\EMPIRES.EXE" = C:\Program Files\Microsoft Games\Age of Empires\EMPIRES.EXE:*:Enabled:Age of Empires -- (Microsoft Corporation)
"C:\Program Files\Valve\Steam\SteamApps\antslice\half-life\hl.exe" = C:\Program Files\Valve\Steam\SteamApps\antslice\half-life\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)
"C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe" = C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy -- (Juniper Networks)
"C:\Program Files\Starcraft\starcraft.exe" = C:\Program Files\Starcraft\starcraft.exe:*:Enabled:Starcraft -- (Blizzard Entertainment)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\age2_x1.exe" = C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\age2_x1.exe:*:Enabled:Age of Empires II Expansion -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour -- File not found
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Disabled:Skype -- File not found
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe:*:Enabled:SUPERAntiSpyware Free Edition -- (SUPERAntiSpyware.com)
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)
"C:\Documents and Settings\Jeff\Local Settings\Temp\WZSE5.TMP\recover.exe" = C:\Documents and Settings\Jeff\Local Settings\Temp\WZSE5.TMP\recover.exe:*:Disabled:Firmware Recovery Program -- File not found
"C:\Program Files\LeechFTP\Leechftp.exe" = C:\Program Files\LeechFTP\Leechftp.exe:*:Disabled:LeechFTP -- (jan debis)
"C:\WINDOWS\SYSTEM32\dplaysvr.exe" = C:\WINDOWS\SYSTEM32\dplaysvr.exe:*:Disabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\WINDOWS\SYSTEM32\dpvsetup.exe" = C:\WINDOWS\SYSTEM32\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\WINDOWS\Explorer.EXE" = C:\WINDOWS\Explorer.EXE:*:Disabled:Windows Messenger -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{04410044-9149-45C6-A806-F2BF9CFCE762}" = Microsoft Encarta Encyclopedia Standard 2004
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0BD13838-9985-4B14-BF6A-65DD35D5B0C9}" = HEC-RAS 3.1.1
"{0DEA94ED-915A-4834-A87E-388D012C8E02}" = Medal of Honor Allied Assault
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP460" = Canon MP460
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1B4865AF-FB54-4A69-8F84-113E6DAD161B}" = MSN Video Enhanced
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.4.1
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{32F66A20-7614-11D4-BD11-00104BD3F987}" = MathPlayer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3C527E13-C82E-464D-B417-9A2067DA31EA}" = Microsoft Office Live Meeting 2005
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{4F1CECBC-670F-4daa-81D6-944B12450917}" = DIGReqEx
"{54F90B55-BEB3-4F0D-8802-228822FA5921}" = WordPerfect Office 11
"{56CFA833-F44F-4199-8C58-7F8B38F2BC7B}" = Medal of Honor Pacific Assault(tm)
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5D81D227-790A-43D8-BD30-6A7935CD6837}" = MadOnion.com/PCMark2002
"{60859BF2-5151-473C-8F76-7F3A232CF7E7}" = MM Number Heroes
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}" = Roxio Media Manager
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69BA7792-853B-45A3-A29F-539C0D7A2A62}" = Myst Uru - Complete Chronicles
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{788B97E8-D825-419A-8558-1C0B344C5371}" = Costco Photo Organizer
"{7914BE1E-F186-4790-B8F4-9F63C52A41C1}" = Medal of Honor Allied Assault(tm) Spearhead
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{815050E5-F545-11D4-9569-004095812ACC}" = Serious Sam: The First Encounter
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition
"{823A68CC-3049-4A6B-8F63-7DC85E4BB1C9}" = Medal of Honor Allied Assault(tm) Breakthrough
"{824539D7-D27E-4CC3-B36F-6404B5EB726B}" = Medal of Honor Pacific Assault(tm) Patch2
"{8795CBED-55E2-4693-9F14-84EC446935BE}" = SpeechRedist
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{934E9442-D305-4ACF-AD87-A6C11D677CB9}" = ImageMixer VCD2 for FinePix
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{96F702F3-7CA4-41B5-A70A-4F348DF99A9A}" = Myst IV - Revelation
"{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D}" = BlackBerry Desktop Software 4.2.2
"{98DF85D9-96C0-4F57-A92E-C3539477EF5E}" = DVDSentry
"{9F05B89E-2873-11D5-9E9D-0050DA1EA555}" = Myst III: Exile
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A376CC14-A32D-4D4D-889E-5546BCC4B595}" = Alien Arena 2006
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A4D490D0-CF24-47AB-B8B3-BE19366D80C8}" = Actiontec Gateway/Router
"{A662E280-64A8-4CF5-8407-13D0808602B3}" = Call of Duty - United Offensive
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel(R) PROSet
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.8
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-5A76-5A64-7E8A45000001}" = Adobe Reader Japanese Fonts
"{AC76BA86-7AD7-CE00-F668-7E8A450000A7}" = CE Fonts Package For Adobe Reader
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B8C54AB1-7E1A-40E8-B794-EDB6E8921F3A}" = Dell Support Center
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1E693A4-B1D5-4DCD-B68D-2087835B7184}" = ScanSoft OmniPage SE 4.0
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}" = MSN Messenger 7.5
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DF9046D6-5F1F-40B6-9782-3DC2D902D391}" = Medal of Honor Allied Assault(tm) Breakthrough Patch v2.40
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{EFA2E54B-CE1F-4879-BBB4-DFCC5627F7FA}" = ContentBuilder 2.0
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"{FC98FBE9-E931-494C-8717-497185371033}" = Nero 7
"{FF377A7C-0A0F-4A0E-B921-4888DC4C0ACE}" = Nitro PDF Professional
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Age of Empires" = Microsoft Age of Empires
"Age of Empires 2.0" = Microsoft Age of Empires II
"Age of Empires Gold 1.0" = Microsoft Age of Empires Gold
"Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion
"BlackBerry_{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D}" = BlackBerry Desktop Software 4.2.2
"Call of Duty" = Call of Duty
"Canon MP460 User Registration" = Canon MP460 User Registration
"CanonMyPrinter" = Canon My Printer
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2008-01-24
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"ETF" = ETF
"FileZilla" = FileZilla (remove only)
"HijackThis" = HijackThis 2.0.2
"HL2CTF Beta v1.5" = HL2CTF Beta v1.5
"Home" = Total 3D Home Deluxe
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Infobase Library" = Infobase Library
"InstallShield_{60859BF2-5151-473C-8F76-7F3A232CF7E7}" = Mighty Math Number Heroes
"InstallShield_{A662E280-64A8-4CF5-8407-13D0808602B3}" = Call of Duty - United Offensive
"Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem
"IntelliCAD v.6.2.36.4 Standard Edition" = IntelliCAD v.6.2.36.4 Standard Edition
"InterActual Player" = InterActual Player
"IrfanView" = IrfanView (remove only)
"JDSecure" = JD Secure 3.1
"Juniper Network Connect 5.3.0" = Juniper Networks Network Connect 5.3.0
"Juniper Network Connect 5.4.0" = Juniper Networks Network Connect 5.4.0
"Juniper Network Connect 5.5.0" = Juniper Networks Network Connect 5.5.0
"Juniper Network Connect 6.0.0" = Juniper Networks Network Connect 6.0.0
"LeechFTP" = LeechFTP
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Memorex 6136 U Scanner Driver" = Memorex 6136 U Scanner Driver
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"MP Navigator 3.0" = Canon MP Navigator 3.0
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MWASPI" = MicroStaff WINASPI
"Neoteris_Secure_Application_Manager" = Juniper Networks Secure Application Manager
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"PC Wizard 2004_is1" = PC Wizard 2004.1.632
"Pdf995" = Pdf995
"PdfEdit995" = PdfEdit995
"PrintMaster 7.00" = PrintMaster 7.00
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"RootsMagic_is1" = RootsMagic 3.0
"RRTW32.EXE" = Reader Rabbit's Toddler
"Schizm - mysterious journey" = Schizm - mysterious journey
"Sensible Sudoku" = Sensible Sudoku
"Serif DrawPlus 3.0" = Serif DrawPlus 3.0
"Shockwave" = Shockwave
"SiSoftware Sandra Standard 2004.SP1 (Win32 x86)_is1" = SiSoftware Sandra Standard 2004.SP1 (CNET Edition)
"SpongeBob SquarePants Typing" = SpongeBob SquarePants Typing
"Starcraft" = Starcraft
"Steam" = Steam
"Steam App 440" = Team Fortress 2
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"Tribes 2" = Tribes 2
"True Combat: Elite" = True Combat: Elite 0.49
"UT2004" = Unreal Tournament 2004
"Warcraft II BNE" = Warcraft II BNE
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Webshots Desktop" = Webshots Desktop
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = The GIMP 2.2.9
"WinGTK-2_is1" = GTK+ 2.6.9 runtime environment
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wolfenstein - Enemy Territory" = Wolfenstein - Enemy Territory
"WordPerfect Key Demo" = WordPerfect Key 8.1 Demo
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Zombie Panic!_is1" = Zombie Panic! 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3599052180-2898635982-2628205105-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Advanced WP Office Password Recovery" = Advanced WP Office Password Recovery (remove only)
"Move Media Player" = Move Media Player
"Steam App 2120" = Dark Messiah Singleplayer Demo
"Steam App 3850" = BloodRayne 2 Demo

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/24/2009 6:00:23 AM | Computer Name = DADDY-II | Source = NativeWrapper | ID = 5000
Description =

Error - 12/24/2009 5:31:39 PM | Computer Name = DADDY-II | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 2492 (0x9bc) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume2\Jeff\Computer\downloads\tribes2_gsi.exe
by C:\DOCUME~1\Jeff\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe 4(0)(0) 4(0)(0)
7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 12/24/2009 5:40:36 PM | Computer Name = DADDY-II | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 2656 (0xa60) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume2\Documents and Settings\Jeff\Desktop\Games\tribes2\tribes2_gsi.exe
by C:\DOCUME~1\Jeff\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe 4(0)(0) 4(0)(0)
7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 12/24/2009 7:26:28 PM | Computer Name = DADDY-II | Source = NativeWrapper | ID = 5000
Description =

Error - 12/26/2009 6:00:19 AM | Computer Name = DADDY-II | Source = NativeWrapper | ID = 5000
Description =

Error - 12/26/2009 6:40:46 PM | Computer Name = DADDY-II | Source = NativeWrapper | ID = 5000
Description =

Error - 12/27/2009 6:00:22 AM | Computer Name = DADDY-II | Source = NativeWrapper | ID = 5000
Description =

Error - 12/27/2009 4:27:47 PM | Computer Name = DADDY-II | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x2300381e.

Error - 12/27/2009 4:29:04 PM | Computer Name = DADDY-II | Source = NativeWrapper | ID = 5000
Description =

Error - 12/29/2009 2:38:34 AM | Computer Name = DADDY-II | Source = NativeWrapper | ID = 5000
Description =

[ System Events ]
Error - 12/26/2009 6:01:01 AM | Computer Name = DADDY-II | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1 Security Update
for Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows 7, and
Windows Server 2008 R2 (KB953297).

Error - 12/26/2009 6:40:47 PM | Computer Name = DADDY-II | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1 Security Update
for Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows 7, and
Windows Server 2008 R2 (KB953297).

Error - 12/27/2009 4:27:09 AM | Computer Name = DADDY-II | Source = Service Control Manager | ID = 7000
Description = The PnkBstrA service failed to start due to the following error: %%2

Error - 12/27/2009 6:01:10 AM | Computer Name = DADDY-II | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1 Security Update
for Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows 7, and
Windows Server 2008 R2 (KB953297).

Error - 12/27/2009 4:29:05 PM | Computer Name = DADDY-II | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1 Security Update
for Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows 7, and
Windows Server 2008 R2 (KB953297).

Error - 12/29/2009 12:59:36 AM | Computer Name = DADDY-II | Source = Service Control Manager | ID = 7000
Description = The PnkBstrA service failed to start due to the following error: %%2

Error - 12/29/2009 1:03:30 AM | Computer Name = DADDY-II | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{FFFD7AC5-4DB8-4ABF-AA77-1313920FD23C}. The
backup browser is stopping.

Error - 12/29/2009 2:38:35 AM | Computer Name = DADDY-II | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Microsoft .NET Framework 1.1 Service Pack 1 Security Update
for Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows 7, and
Windows Server 2008 R2 (KB953297).

Error - 12/29/2009 8:21:49 PM | Computer Name = DADDY-II | Source = Service Control Manager | ID = 7000
Description = The PnkBstrA service failed to start due to the following error: %%2

Error - 12/29/2009 8:26:07 PM | Computer Name = DADDY-II | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{FFFD7AC5-4DB8-4ABF-AA77-1313920FD23C}. The
backup browser is stopping.


< End of report >

AntSlice
Novice

Posts : 19
Joined : 2009-12-19
OS : Windows XP
Points : 25683
# Likes : 0


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Wed Dec 30, 2009 8:14 pm

Please download ComboFix from [You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)


Dr Jay
Administrator

Posts : 13706
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Points : 144830
# Likes : 10


Re: Trojan downloader - Google link hijacker

Post by AntSlice on Thu Dec 31, 2009 1:58 am

I had to run it from a flash drive that I changed back to an .exe file right before I ran the run command, because whatever was on my system kept deleting the file whenever I copied it over, even with different names. It even deleted it off my flash drive as soon as it came up in Windows Explorer...

Here's the log file...

ComboFix 09-12-29.06 - Jeff 12/30/2009 17:28:44.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.410 [GMT -7]
Running from: f:\new folder\file2.exe
Command switches used :: /stepdel
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Thumbs.db
c:\windows\Install.txt
c:\windows\system32\Install.txt
c:\windows\system32\twain.dll
c:\windows\system32\zayitala.exe
c:\windows\Tasks\gybwupgb.job

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_WINSTS


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 00:37 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-31 00:37 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-12-29 06:16 . 2009-12-29 06:16 109752 ----a-w- c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-29 05:23 . 2009-12-29 05:23 -------- d-----w- c:\documents and settings\Jeff\Application Data\GARMIN
2009-12-29 05:15 . 2009-12-29 05:15 -------- d-----w- c:\program files\DIFX
2009-12-29 05:15 . 2009-12-29 05:15 -------- d-----w- c:\program files\Garmin
2009-12-29 05:11 . 2009-12-29 05:11 -------- d-sh--w- c:\documents and settings\Jeff\PrivacIE
2009-12-29 05:01 . 2009-12-29 05:01 -------- d-----w- c:\documents and settings\Jeff\Local Settings\Application Data\Scansoft
2009-12-24 20:36 . 2009-12-24 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-12-24 03:55 . 2009-12-24 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-24 03:54 . 2009-12-24 03:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-24 03:54 . 2009-12-24 03:54 -------- d-----w- c:\documents and settings\Jeff\Application Data\SUPERAntiSpyware.com
2009-12-24 03:54 . 2009-12-24 03:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-23 03:22 . 2009-12-23 03:22 -------- d-----w- c:\documents and settings\Jeff\Local Settings\Application Data\Runscanner.net
2009-12-22 15:40 . 2009-12-03 23:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 15:40 . 2009-12-03 23:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 15:40 . 2009-12-22 15:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 08:38 . 2009-12-19 08:38 -------- d-----w- c:\windows\system32\XPSViewer
2009-12-19 08:37 . 2009-12-19 08:37 -------- d-----w- c:\program files\MSBuild
2009-12-19 08:37 . 2009-12-19 08:37 -------- d-----w- c:\program files\Reference Assemblies
2009-12-19 08:02 . 2009-12-19 08:02 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-12-19 07:24 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-12-14 05:11 . 2009-12-14 05:12 30784 ----a-w- c:\windows\system32\drivers\ceqrvquc.sys
2009-12-14 00:41 . 2009-12-19 05:06 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-13 23:17 . 2009-12-13 23:17 -------- d-----w- c:\documents and settings\Mornie\Application Data\Malwarebytes
2009-12-13 23:04 . 2009-12-13 23:04 -------- d-----w- c:\documents and settings\Mornie\Local Settings\Application Data\KLANMSBN
2009-12-13 23:03 . 2009-12-13 23:03 -------- d-sh--w- c:\documents and settings\Mornie\IECompatCache
2009-12-13 20:03 . 2009-12-13 20:06 -------- d-----w- c:\documents and settings\Jeff\Local Settings\Application Data\mopdjb
2009-12-09 03:51 . 2009-12-09 03:51 -------- d-----w- c:\program files\iPod
2009-12-09 03:51 . 2009-12-09 03:52 -------- d-----w- c:\program files\iTunes
2009-12-09 03:45 . 2009-12-09 03:46 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 19:31 . 2009-12-24 08:21 52224 ----a-w- c:\documents and settings\Jeff\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-27 19:31 . 2009-12-24 03:55 117760 ----a-w- c:\documents and settings\Jeff\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-20 00:33 . 2007-02-17 06:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-20 00:04 . 2007-02-17 06:21 -------- d-----w- c:\program files\Java
2009-12-20 00:01 . 2009-08-23 21:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-19 09:21 . 2007-08-11 14:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-19 08:02 . 2009-12-19 08:02 3584 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-12-19 08:02 . 2008-06-10 03:57 -------- d-----w- c:\program files\MSECache
2009-12-19 07:26 . 2007-02-17 06:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-19 05:06 . 2007-02-17 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-12-19 05:03 . 2007-02-17 06:36 -------- d-----w- c:\program files\Real
2009-12-19 05:03 . 2007-02-17 06:05 -------- d-----w- c:\program files\Common Files\Real
2009-12-19 05:01 . 2009-11-01 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-19 05:01 . 2009-11-02 00:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-19 04:44 . 2007-02-17 06:18 -------- d-----w- c:\program files\Google
2009-12-14 00:03 . 2009-12-14 00:03 0 ---ha-w- c:\windows\system32\BITAB.tmp
2009-12-13 23:13 . 2007-02-17 05:14 -------- d-----w- c:\documents and settings\Mornie\Application Data\Skype
2009-12-10 03:34 . 2005-07-19 05:33 48 ----a-w- c:\windows\wpd99.drv
2009-12-09 03:51 . 2007-07-15 04:46 -------- d-----w- c:\program files\Common Files\Apple
2009-12-09 03:38 . 2009-12-09 03:38 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-09 03:35 . 2008-07-12 14:04 -------- d-----w- c:\program files\Safari
2009-12-09 03:27 . 2009-12-09 03:27 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-12-05 05:34 . 2008-09-28 00:19 -------- d-----w- c:\documents and settings\Jeff\Application Data\Move Networks
2009-12-02 05:33 . 2007-02-17 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-11-24 03:44 . 2008-10-18 16:56 -------- d-----w- c:\program files\McAfee
2009-11-21 15:51 . 2002-08-29 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-07 05:51 . 2009-11-07 05:51 152576 ----a-w- c:\documents and settings\Jeff\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-07 05:51 . 2009-11-07 05:51 79488 ----a-w- c:\documents and settings\Jeff\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-01 22:13 . 2009-11-01 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-01 22:13 . 2009-11-01 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-11-01 19:19 . 2008-08-07 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-01 19:19 . 2009-11-01 19:18 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-11-01 19:18 . 2008-08-07 03:29 -------- d-----w- c:\program files\NOS
2009-10-29 07:45 . 2004-02-07 00:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 04:09 . 2009-10-27 04:09 97228 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2002-08-29 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2002-08-29 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-08-29 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"MSN Video Enhanced"="c:\program files\MSN Video Enhanced\MSNVE.exe" [2004-01-09 137936]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-30 4800512]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Dynamix\\Tribes2\\GameData\\Tribes2.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"c:\\Program Files\\Call of Duty\\CoDMP.exe"=
"c:\\Program Files\\Call of Duty\\CoDUOMP.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\antslice\\counter-strike\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\antslice\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\antslice\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dxdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\antslice\\half-life\\hl.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Starcraft\\starcraft.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\LeechFTP\\Leechftp.exe"=
"c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

R1 NEOFLTR_600_12023;Juniper Networks TDI Filter Driver (NEOFLTR_600_12023);c:\windows\SYSTEM32\DRIVERS\NEOFLTR_600_12023.sys [8/9/2007 10:07 PM 63024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\SYSTEM32\DRIVERS\VCdRom.sys [11/27/2008 11:25 AM 8576]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 pcwe;pcwe;c:\program files\PC Wizard 2004\pcwizard.sys [1/6/2004 8:06 PM 4224]
S3 pmxscan;Memorex USB Kernel;c:\windows\SYSTEM32\DRIVERS\usbscan.sys [9/4/2004 7:49 PM 15104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-18 18:22]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-18 18:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {00110000-B1BA-11CE-ABC6-F5B2E79D9E3F} - [You must be registered and logged in to see this link.]
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - [You must be registered and logged in to see this link.]
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - [You must be registered and logged in to see this link.]
DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\i0lozl9b.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Jeff\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-Sonic RecordNow! - (no file)
HKCU-Run-Steam - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
SharedTaskScheduler-{ec520845-f4ad-4e82-ae03-8334f9bf6006} - c:\windows\system32\jefotumo.dll
SSODL-puyokatih-{ec520845-f4ad-4e82-ae03-8334f9bf6006} - c:\windows\system32\jefotumo.dll
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Nero\Nero 7\\nero\uninstall\UNNERO.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-30 18:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3599052180-2898635982-2628205105-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2640)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\UPnPUI.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\FakeAvRenderer.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\ROXIPP41.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\program files\Nero\Nero 7\Nero BackItUp\NBShell.dll
c:\program files\Nero\Nero 7\Nero BackItUp\MFC71U.DLL
c:\program files\WinRAR\rarext.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\Common Files\Folio Shared\fcshell4.dll
c:\program files\Common Files\Folio Shared\FcCtrl4.dll
c:\program files\Common Files\Folio Shared\nfomgr4.dll
c:\program files\Common Files\Folio Shared\FcsENU4.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrJD31s.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\windows\System32\nvsvc32.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-30 18:54:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 01:54

Pre-Run: 74,217,738,240 bytes free
Post-Run: 74,343,956,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - A0DFCB7165D6AF2BDD0929E70F290B17


Last edited by AntSlice on Thu Dec 31, 2009 2:04 am; edited 1 time in total (Reason for editing : Add explanation at front)


Re: Trojan downloader - Google link hijacker

Post by AntSlice on Thu Dec 31, 2009 2:54 am

So the link thing seems to be better but there's still something that won't allow the combofix executable to get loaded on my computer...very weird. (I wanted to see if that was cleared up too)


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Thu Dec 31, 2009 3:18 am

Please download [You must be registered and logged in to see this link.] and save to your desktop.
[You must be registered and logged in to see this link.]

  • Be sure to print out the instructions provided on the same page.
  • Restart your computer in "Safe Mode".
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
Note: For USB flash drives and/or other removable drives to scan, use the Add button to browse to the drive's location, click on the drive to highlight it and choose Ok.


Dr. Jay (DJ)



Re: Trojan downloader - Google link hijacker

Post by AntSlice on Thu Dec 31, 2009 6:50 am

I couldn't get it to run... It had an error that read: "Unable to load nsak.sys. Error (0x00000001)"


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Thu Dec 31, 2009 7:05 am

Please download the latest version of Kaspersky GetSystemInfo (GSI) from [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Please close all other applications running on your system.
  • Please double click GetSystemInfo.exe to open it.
  • Click the Settings button.
  • Set it to Maximum
  • IMPORTANT! Then please click Customize - choose Driver / Ports tab and
  • Uncheck Scan Ports.
  • Click Create Report to run it.
  • It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to [You must be registered and logged in to see this link.] and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.


Dr. Jay (DJ)



Re: Trojan downloader - Google link hijacker

Post by AntSlice on Thu Dec 31, 2009 7:54 am

I just copied and pasted the url from the page it directed me to...I'm assuming that's what you want.

[You must be registered and logged in to see this link.]


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Thu Dec 31, 2009 9:23 pm

Please delete the following two files:

C:\WINDOWS\SYSTEM32\UniClear.exe
C:\WINDOWS\SYSTEM32\ICCProfiles.dll

==

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Dr. Jay (DJ)



Re: Trojan downloader - Google link hijacker

Post by AntSlice on Sat Jan 02, 2010 12:22 am

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
McAfee SecurityCenter
``````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware Free Edition
HijackThis 2.0.2
Java(TM) 6 Update 17
Adobe Flash Player 10
Adobe Reader 7.0.8
Adobe Reader 9.2
Adobe Reader Japanese Fonts
CE Fonts Package For Adobe Reader
``````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
McAfee VIRUSS~1 mcods.exe
mcafee VIRUSS~1 mcvsshld.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Re: Trojan downloader - Google link hijacker

Post by Dr Jay on Sat Jan 02, 2010 12:25 am

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


Dr. Jay (DJ)


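The HOSTS-file mechanism described in the "Securing your computer" post above, as an added example that is not part of the thread: a small Python audit that parses a HOSTS file, lists the entries that block sites by pointing them at the loopback address, and flags the opposite pattern, a well-known domain pointed at a non-loopback address, which is what a hijacked HOSTS file looks like. The sample HOSTS text, the domains in it and the 203.0.113.10 address are constructed for the example.

```python
"""Audit a HOSTS file: loopback block entries vs. suspicious redirects.

Added example for the HOSTS-file explanation in the thread; not the
forum's or any tool's own code.  SAMPLE_HOSTS is constructed.
"""
import ipaddress

# Addresses that make a HOSTS entry a block (the name resolves to this PC).
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: two block entries, a comment, and one entry that sends
# a well-known domain to a non-loopback address (hijack pattern).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test   # blocked ad site
0.0.0.0         tracker.example.test
203.0.113.10    www.google.com
"""


def parse_hosts(text):
    """Return (line_no, address, hostname) for every valid HOSTS entry.

    Comments (after '#') and blank lines are skipped; a line whose first
    token is not an IP address is ignored rather than treated as an entry.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line, not a usable mapping
        for name in names:
            entries.append((line_no, addr, name.lower()))
    return entries


def audit_hosts(text):
    """Split entries into loopback blocks and non-loopback redirects."""
    report = {"blocked": [], "redirected": []}
    for line_no, addr, name in parse_hosts(text):
        if addr in LOOPBACK:
            if name != "localhost":  # the stock localhost line is expected
                report["blocked"].append(name)
        else:
            # A real domain mapped to some other host bypasses DNS entirely;
            # treat it as a redirect worth a human look.
            report["redirected"].append((line_no, name, addr))
    return report
```

Any entry in the "redirected" list deserves checking against the HOSTS file the blocker actually installed, since a legitimate blocklist only ever adds loopback entries.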