Major Adware Issue


Major Adware Issue

Post by randomguy56 on 18th November 2008, 10:53 pm

A few days ago, when trying to get hold of a ROM, I ended up with a nasty case of adware. Now, because of it, my computer runs slower, every time I try to use links on Google it redirects me to ads, and my computer crashes a lot more often. Apparently, from a scan I did, I have numerous other malware issues, but this is the one giving me the most trouble. Can someone help me with this?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:37 PM, on 11/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Documents and Settings\Brandon Lederhouse\Desktop\Hijack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Brandon Lederhouse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: karna.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10657 bytes
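The HijackThis log above is what Belahzur reads before replying that a rootkit is on board. Two entries carry most of that signal: the `O20 - AppInit_DLLs: karna.dat` line (a DLL loaded into every process that maps user32.dll) and the `O4 - HKCU\..\Run: [SVCHOST.EXE]` line launching an `svchost.exe` from the `drivers` folder, a name the real system never starts from a Run key. The Python below is an added example, not part of the thread and not HijackThis or ComboFix code, that applies those two observations plus a scratch-directory rule to HijackThis-style lines. The sample lines are constructed in the shape of the log above; lines 3 and 4 reproduce the two entries of interest, while line 5 and its `Temp` path are invented placeholders that exercise the third rule.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the HijackThis log posted above. Lines 3 and 4
# reproduce the two entries of interest from that log (drivers\svchost.exe and
# karna.dat); line 5 is an invented Temp-directory autorun with a placeholder path.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O20 - AppInit_DLLs: karna.dat
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\USER~1\LOCALS~1\Temp\updater.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Core Windows process names. The genuine svchost.exe, lsass.exe and friends are
# started by the system itself (services.exe / winlogon), never from a Run key, so a
# Run entry launching one of these names is impersonation whatever path it uses.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                        "winlogon.exe", "services.exe"}

# Scratch locations no legitimate autorun should execute from.
SCRATCH_DIR_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")

RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_LINE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
# First executable-looking token of a command, quoted or not. HJT prints unquoted
# paths that contain spaces, so splitting on whitespace alone is not enough.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|bat|cmd|com|scr|vbs|pif))"?(?:\s|,|$)',
                    re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str
    entry: str


def target_path(cmd: str) -> str:
    """Return the executable a Run command launches, with quotes and arguments stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split(" ", 1)[0]


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Apply three triage rules to HijackThis-style lines; return hits in log order."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = APPINIT_LINE.match(line)
        if m:
            value = m.group("value").strip()
            if value:  # an empty AppInit_DLLs value loads nothing
                findings.append(Finding(n, "high",
                    f"AppInit_DLLs loads '{value}' into every process that maps user32.dll", line))
            continue
        m = RUN_LINE.match(line)
        if not m:
            continue
        target = target_path(m.group("cmd"))
        base = target.rsplit("\\", 1)[-1].lower()
        if base in SYSTEM_PROCESS_NAMES:
            findings.append(Finding(n, "high",
                f"Run value '{m.group('name')}' launches '{base}', a system process name, from {target}", line))
        elif any(marker in target.lower() for marker in SCRATCH_DIR_MARKERS):
            findings.append(Finding(n, "medium",
                f"Run value '{m.group('name')}' executes from a scratch directory: {target}", line))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.reason}")
```

These are triage flags, not verdicts: a few legitimate products do register AppInit_DLLs, so the high-severity hit says "look at this file first", which is exactly what the ComboFix run later confirms when it deletes `karna.dat` and `drivers\svchost.exe`.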


Re: Major Adware Issue

Post by Belahzur on 18th November 2008, 11:00 pm

Hello. I suspect you have a nasty rootkit on board.


  • Download ComboFix from here, using one of the links from the bottom section - [You must be registered and logged in to see this link.]
  • Double-click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt, which asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Major Adware Issue

Post by randomguy56 on 18th November 2008, 11:19 pm

Slight issue with this. When I downloaded HijackThis, the first two links given didn't work for me, so I had to use the backup links. This time, I decided to download it directly from the bottom links, but when I ran it, it mentioned something to the effect that it was slightly out of date and was going to run in reduced-efficiency mode. I decided that I wanted peak performance out of this, so I stopped the program and decided to try one of the first two links again. Neither of them worked, but for some reason, now when I try to run ComboFix again, it keeps giving me an error stating:

You cannot rename ComboFix as

Please use another name, preferbaly made up of alphanumeric characters


I'm starting to suspect that I'm simply thick. What on earth am I doing wrong here?

P.S. the error message actually spelled preferably like that.


Re: Major Adware Issue

Post by Belahzur on 18th November 2008, 11:30 pm

Hello. Yep, you have the rootkit I suspected.
CF is updated daily; I'll ask the admin to add a link for my own.

I have uploaded an updated copy for you. The file is renamed to get around the rootkit restrictions.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]





Re: Major Adware Issue

Post by randomguy56 on 19th November 2008, 8:30 pm

Got the ComboFix log; however, it might be slightly inaccurate because, for some reason, it had an issue making the log. As a result, I had to run it 3 times before it worked properly, so the log probably isn't going to reflect all of the things it did.

ComboFix 08-11-18.02 - Brandon Lederhouse 2008-11-18 23:03:02.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.599 [GMT -5:00]
Running from: c:\documents and settings\Brandon Lederhouse\Desktop\C0mb0-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Brandon Lederhouse\Cookies\esajaqu.com
c:\documents and settings\Brandon Lederhouse\Cookies\iqylepinam.com
c:\documents and settings\Brandon Lederhouse\Cookies\obihamediq.vbs
c:\documents and settings\Brandon Lederhouse\Local Settings\Temporary Internet Files\tenehi.bat
c:\windows\brastk.exe
c:\windows\karna.dat
c:\windows\system32\_scui.cpl
c:\windows\system32\brastk.exe
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\drivers\TDSSxeuu.sys
c:\windows\system32\karna.dat
c:\windows\system32\TDSSehys.log
c:\windows\system32\TDSSirxy.dll
c:\windows\system32\TDSSktkl.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSocun.dll
c:\windows\system32\TDSSqein.dll
c:\windows\system32\TDSSrojf.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSwrwn.log
c:\windows\system32\TDSSwupe.dat
c:\windows\system32\wini10894.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-18 18:07 . 2008-11-18 18:07 d-------- C:\-Combo--Fix-
2008-11-18 17:23 . 2008-11-18 17:23 d-------- c:\program files\AVG
2008-11-18 17:23 . 2008-11-18 17:33 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-17 19:58 . 2008-11-17 19:58 d-------- c:\program files\AntivirusPro2009
2008-11-17 19:58 . 2008-11-17 19:58 19,265 --a------ c:\documents and settings\All Users\Application Data\ocohac.bat
2008-11-17 19:58 . 2008-11-17 19:58 18,969 --a------ c:\documents and settings\Brandon Lederhouse\Application Data\zacinycuk.scr
2008-11-17 19:58 . 2008-11-17 19:58 18,784 --a------ c:\documents and settings\Brandon Lederhouse\Application Data\wucaxuq.com
2008-11-17 19:58 . 2008-11-17 19:58 17,961 --a------ c:\windows\system32\fuhujaru._sy
2008-11-17 19:58 . 2008-11-17 19:58 17,055 --a------ c:\program files\Common Files\kapeder.dat
2008-11-17 19:58 . 2008-11-17 19:58 16,958 --a------ c:\windows\uzaq.lib
2008-11-17 19:58 . 2008-11-17 19:58 16,791 --a------ c:\windows\eqokija.bat
2008-11-17 19:58 . 2008-11-17 19:58 16,452 --a------ c:\documents and settings\Brandon Lederhouse\Application Data\qorifak.exe
2008-11-17 19:58 . 2008-11-17 19:58 15,598 --a------ c:\documents and settings\Brandon Lederhouse\Application Data\cefukixyta.vbs
2008-11-17 19:58 . 2008-11-17 19:58 10,943 --a------ c:\documents and settings\Brandon Lederhouse\Application Data\eguhute.dll
2008-11-16 23:20 . 2008-11-16 23:20 d-------- c:\program files\Lavasoft
2008-11-16 23:20 . 2008-11-16 23:22 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-16 23:18 . 2008-11-16 23:18 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-16 23:07 . 2008-11-16 23:07 324 --a------ c:\documents and settings\Brandon Lederhouse\nah_log.dat
2008-11-16 22:55 . 2008-11-16 22:55 79,872 --a------ c:\documents and settings\Brandon Lederhouse\nah_qnhv.exe
2008-11-15 12:31 . 2008-11-15 12:31 d-------- c:\documents and settings\Brandon Lederhouse\Application Data\QQ Games Plugin
2008-11-15 12:30 . 2008-11-15 12:30 d-------- c:\documents and settings\Brandon Lederhouse\Application Data\Tencent
2008-11-15 12:29 . 2008-11-15 12:29 d-------- c:\program files\Tencent
2008-11-15 12:29 . 2008-11-15 12:29 21 --a------ c:\windows\atid.ini
2008-11-15 12:28 . 2008-11-15 12:28 d-------- c:\program files\Common Files\Software Update Utility
2008-11-15 12:28 . 2008-11-15 12:28 d-------- c:\program files\AIM Toolbar
2008-11-15 12:28 . 2008-11-15 12:28 d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-15 12:28 . 2008-11-15 12:28 d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-04 15:25 . 2008-11-04 15:25 d---s---- c:\documents and settings\Brandon Lederhouse\UserData
2008-11-03 05:13 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll
2008-11-03 05:13 . 2008-07-18 22:07 210,976 --a------ c:\windows\system32\muweb.dll
2008-11-03 05:13 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-02 23:29 . 2008-11-02 23:29 d-------- c:\program files\Microsoft SQL Server Compact Edition
2008-11-02 23:28 . 2008-11-02 23:30 d-------- c:\documents and settings\Brandon Lederhouse\Contacts
2008-11-02 23:23 . 2008-11-02 23:24 d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-02 23:22 . 2008-11-03 08:07 d-------- c:\program files\Windows Live
2008-11-02 23:22 . 2008-11-02 23:22 d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-02 00:19 . 2008-11-02 00:19 d-------- c:\program files\Audacity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 00:32 --------- d-----w c:\documents and settings\Brandon Lederhouse\Application Data\U3
2008-11-17 03:56 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-17 03:56 --------- d-----w c:\program files\Blubster
2008-11-15 17:30 --------- d-----w c:\program files\AIM6
2008-11-15 17:29 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-15 17:28 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-13 04:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 13:06 --------- d-----w c:\program files\Microsoft Works
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-27 05:48 --------- d-----w c:\program files\iTunes
2008-09-27 05:48 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-27 05:47 --------- d-----w c:\program files\iPod
2008-09-27 05:36 --------- d-----w c:\program files\Bonjour
2008-09-27 05:35 --------- d-----w c:\program files\QuickTime
2008-09-27 05:34 --------- d-----w c:\program files\Common Files\Apple
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-09 17:45 258,352 ----a-w c:\windows\system32\unicows.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 ------w c:\windows\system32\dllcache\msxml3.dll
2008-08-30 01:06 1,350,664 ----a-w c:\windows\system32\msxml6.dll
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-28 10:04 333,056 ------w c:\windows\system32\dllcache\srv.sys
2008-08-19 09:38 18,432 ------w c:\windows\system32\dllcache\iedw.exe
.


Re: Major Adware Issue

Post by randomguy56 on 19th November 2008, 8:30 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{03402f96-3dc7-4285-bc50-9e81fefafe43}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CLASSES_ROOT\clsid\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
[HKEY_CLASSES_ROOT\AIMTb.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{f8ec99b3-c2ca-4a5f-9505-c049766dc883}]
[HKEY_CLASSES_ROOT\AIMTb.AOLTBSearch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{61539ecd-cc67-4437-a03c-9aaccbd14326}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2007-12-19 486856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-19 68856]
"Google Update"="c:\documents and settings\Brandon Lederhouse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"nah_Shell"="c:\documents and settings\Brandon Lederhouse\nah_qnhv.exe" [2008-11-16 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-11 185896]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"nwiz"="nwiz.exe" [2008-02-22 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2008-02-22 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-07-09 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-13 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-19 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19866:TCP"= 19866:TCP:BitComet 19866 TCP
"19866:UDP"= 19866:UDP:BitComet 19866 UDP

R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2007-12-19 28184]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-18 231704]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\DRIVERS\datunidr.sys [2007-08-23 5376]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-12-25 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-19 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Brandon Lederhouse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 22:24]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-brastk - c:\windows\system32\brastk.exe
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Brandon Lederhouse\Application Data\Mozilla\Firefox\Profiles\d2mlq1us.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - [You must be registered and logged in to see this link.]
FF -: plugin - c:\documents and settings\Brandon Lederhouse\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdnu.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-18 23:05:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-18 23:06:21
ComboFix-quarantined-files.txt 2008-11-19 04:06:17

Pre-Run: 15,058,223,104 bytes free
Post-Run: 15,045,279,744 bytes free

228 --- E O F --- 2008-11-13 08:12:21


Re: Major Adware Issue

Post by Belahzur on 19th November 2008, 9:08 pm

It's okay, CF tells us what it did last time it ran. I'm glad you tried more than once and stuck at it.
One last round should kill it off.

Now open a new notepad file.
Copy and paste everything inside the quote box into the notepad file:

KILLALL::

Driver::
Viewpoint Manager Service

File::
c:\documents and settings\All Users\Application Data\ocohac.bat
c:\documents and settings\Brandon Lederhouse\Application Data\zacinycuk.scr
c:\documents and settings\Brandon Lederhouse\Application Data\wucaxuq.com
c:\windows\system32\fuhujaru._sy
c:\program files\Common Files\kapeder.dat
c:\windows\uzaq.lib
c:\windows\eqokija.bat
c:\documents and settings\Brandon Lederhouse\Application Data\qorifak.exe
c:\documents and settings\Brandon Lederhouse\Application Data\cefukixyta.vbs
c:\documents and settings\Brandon Lederhouse\Application Data\eguhute.dll
c:\documents and settings\Brandon Lederhouse\nah_log.dat
c:\documents and settings\Brandon Lederhouse\nah_qnhv.exe

Folder::
c:\program files\AntivirusPro2009
c:\program files\Viewpoint

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nah_Shell"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.



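Added example, not part of Belahzur's post and not ComboFix's own code: a small Python parser that turns a CFScript.txt like the one above into a structured removal plan and sanity-checks it before anything is deleted. It assumes the section semantics visible in the script (File:: and Folder:: list paths to delete, Driver:: lists services to remove, KILLALL:: ends processes first, Registry:: is a .reg-style fragment where "name"=- deletes a value and dword: sets a DWORD). The protected-path refusal is an illustrative safeguard of this example, not a documented ComboFix feature, and the sample script is constructed from the thread's entries plus one legitimate Windows driver path (mrxsmb.sys, which the later log shows as a normal Windows update) so the safeguard is seen firing.

```python
"""Parse a ComboFix-style CFScript.txt into a removal plan and sanity-check it.

Added example for this thread, not ComboFix's own code. Assumed semantics
(taken from the script in the post): File:: and Folder:: list paths to delete,
Driver:: lists services/drivers to remove, KILLALL:: ends non-essential
processes first, and Registry:: is a .reg-style fragment where "name"=- deletes
a value and dword:XXXXXXXX sets a DWORD. The protected-path refusal is an
illustrative safeguard of this example, not a documented ComboFix feature.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SECTIONS = {"KILLALL", "Driver", "File", "Folder", "Registry"}

# Assumption: paths a removal script must never be allowed to delete.
PROTECTED_PREFIXES = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\ntoskrnl.exe",
    "c:\\windows\\system32\\winlogon.exe",
    "c:\\windows\\explorer.exe",
)

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


@dataclass
class Plan:
    killall: bool = False
    drivers: List[str] = field(default_factory=list)
    files: List[str] = field(default_factory=list)
    folders: List[str] = field(default_factory=list)
    # registry key -> value name -> (action, data); action is delete/dword/string
    registry: Dict[str, Dict[str, Tuple[str, object]]] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)


def parse_cfscript(text: str) -> Plan:
    plan = Plan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                 # section header such as File::
            section = line[:-2]
            if section not in SECTIONS:
                plan.errors.append(f"unknown section {section!r}")
                section = None
            elif section == "KILLALL":
                plan.killall = True
            continue
        if section is None:
            plan.errors.append(f"line outside any section: {line!r}")
        elif section == "Driver":
            plan.drivers.append(line)
        elif section in ("File", "Folder"):
            if line.lower().startswith(PROTECTED_PREFIXES):
                plan.errors.append(f"refusing protected path {line!r}")
            else:
                (plan.files if section == "File" else plan.folders).append(line)
        elif section == "Registry":
            key_match = REG_KEY.match(line)
            if key_match:
                current_key = key_match.group(1)
                plan.registry.setdefault(current_key, {})
                continue
            value_match = REG_VALUE.match(line)
            if not value_match or current_key is None:
                plan.errors.append(f"bad registry line {line!r}")
                continue
            name, data = value_match.groups()
            if data == "-":
                plan.registry[current_key][name] = ("delete", None)
            elif data.startswith("dword:"):
                plan.registry[current_key][name] = ("dword", int(data[6:], 16))
            else:
                plan.registry[current_key][name] = ("string", data.strip('"'))
        else:
            plan.errors.append(f"unexpected line under {section}::: {line!r}")
    return plan


# Constructed sample: the thread's script trimmed, plus one legitimate Windows
# driver (mrxsmb.sys, a normal update in the later log) to show the safeguard.
SAMPLE_SCRIPT = r"""
KILLALL::

Driver::
Viewpoint Manager Service

File::
c:\documents and settings\All Users\Application Data\ocohac.bat
c:\windows\system32\fuhujaru._sy
c:\windows\system32\drivers\mrxsmb.sys

Folder::
c:\program files\AntivirusPro2009

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nah_Shell"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"""

if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    print(f"killall={plan.killall} drivers={plan.drivers}")
    print(f"files={plan.files}\nfolders={plan.folders}")
    for key, values in plan.registry.items():
        for name, (action, data) in values.items():
            print(f"{key} : {name} -> {action} {data}")
    for err in plan.errors:
        print("ERROR:", err)
```

The point of the pre-flight pass is that a script like this runs with KILLALL:: and a reboot, so a mistyped path is deleted before anyone can look at it; listing the plan and refusing anything under a protected root is the check worth doing before dragging the file onto ComboFix.
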
Re: Major Adware Issue

Post by randomguy56 on 22nd November 2008, 1:58 am

ComboFix 08-11-19.08 - Brandon Lederhouse 2008-11-20 23:14:55.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.443 [GMT -5:00]
Running from: c:\documents and settings\Brandon Lederhouse\Desktop\C0mb0-Fix.exe
Command switches used :: c:\documents and settings\Brandon Lederhouse\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\ocohac.bat
c:\documents and settings\Brandon Lederhouse\Application Data\cefukixyta.vbs
c:\documents and settings\Brandon Lederhouse\Application Data\eguhute.dll
c:\documents and settings\Brandon Lederhouse\Application Data\qorifak.exe
c:\documents and settings\Brandon Lederhouse\Application Data\wucaxuq.com
c:\documents and settings\Brandon Lederhouse\Application Data\zacinycuk.scr
c:\documents and settings\Brandon Lederhouse\nah_log.dat
c:\documents and settings\Brandon Lederhouse\nah_qnhv.exe
c:\program files\Common Files\kapeder.dat
c:\windows\eqokija.bat
c:\windows\system32\fuhujaru._sy
c:\windows\uzaq.lib
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ocohac.bat
c:\documents and settings\Brandon Lederhouse\Application Data\cefukixyta.vbs
c:\documents and settings\Brandon Lederhouse\Application Data\eguhute.dll
c:\documents and settings\Brandon Lederhouse\Application Data\qorifak.exe
c:\documents and settings\Brandon Lederhouse\Application Data\wucaxuq.com
c:\documents and settings\Brandon Lederhouse\Application Data\zacinycuk.scr
c:\documents and settings\Brandon Lederhouse\nah_log.dat
c:\documents and settings\Brandon Lederhouse\nah_qnhv.exe
c:\program files\AntivirusPro2009
c:\program files\AntivirusPro2009\AntivirusPro2009.cfg
c:\program files\AntivirusPro2009\AntivirusPro2009.exe
c:\program files\AntivirusPro2009\AVEngn.dll
c:\program files\AntivirusPro2009\data\daily.cvd
c:\program files\AntivirusPro2009\htmlayout.dll
c:\program files\AntivirusPro2009\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro2009\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro2009\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro2009\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro2009\pthreadVC2.dll
c:\program files\AntivirusPro2009\Uninstall.exe
c:\program files\AntivirusPro2009\wscui.cpl
c:\program files\Common Files\kapeder.dat
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Viewpoint\Common\VistaBoot.sdll
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
c:\program files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VETscriptInterpreter.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Cursors.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SWFView.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VETscriptInterpreter.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VMPSpeech.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
c:\windows\eqokija.bat
c:\windows\system32\fuhujaru._sy
c:\windows\uzaq.lib

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-10-21 to 2008-11-21 )))))))))))))))))))))))))))))))
.

2008-11-20 21:58 . 2008-11-20 21:58 105 --a------ c:\windows\UMXADDIN.INI
2008-11-20 21:57 . 2008-11-20 21:57 d-------- c:\program files\NewSoft
2008-11-20 21:57 . 2003-01-03 01:28 74 --------- c:\windows\PMINI.ini
2008-11-20 21:53 . 2008-11-20 21:53 d--h----- C:\CanonMP
2008-11-20 21:52 . 2008-11-20 21:52 d-------- c:\windows\StartHtmico
2008-11-20 21:52 . 2008-11-20 21:53 d-------- c:\windows\MP780,750
2008-11-19 17:17 . 2008-11-19 17:17 d-------- c:\program files\TubeTilla
2008-11-18 18:07 . 2008-11-18 18:07 d-------- C:\-Combo--Fix-
2008-11-18 17:23 . 2008-11-18 17:23 d-------- c:\program files\AVG
2008-11-18 17:23 . 2008-11-18 17:33 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-16 23:20 . 2008-11-16 23:20 d-------- c:\program files\Lavasoft
2008-11-16 23:20 . 2008-11-16 23:22 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-16 23:18 . 2008-11-16 23:18 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-15 12:31 . 2008-11-15 12:31 d-------- c:\documents and settings\Brandon Lederhouse\Application Data\QQ Games Plugin
2008-11-15 12:30 . 2008-11-15 12:30 d-------- c:\documents and settings\Brandon Lederhouse\Application Data\Tencent
2008-11-15 12:29 . 2008-11-15 12:29 d-------- c:\program files\Tencent
2008-11-15 12:29 . 2008-11-15 12:29 21 --a------ c:\windows\atid.ini
2008-11-15 12:28 . 2008-11-15 12:28 d-------- c:\program files\Common Files\Software Update Utility
2008-11-15 12:28 . 2008-11-15 12:28 d-------- c:\program files\AIM Toolbar
2008-11-15 12:28 . 2008-11-15 12:28 d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-15 12:28 . 2008-11-15 12:28 d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-04 15:25 . 2008-11-04 15:25 d---s---- c:\documents and settings\Brandon Lederhouse\UserData
2008-11-03 05:13 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll
2008-11-03 05:13 . 2008-07-18 22:07 210,976 --a------ c:\windows\system32\muweb.dll
2008-11-03 05:13 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-02 23:29 . 2008-11-02 23:29 d-------- c:\program files\Microsoft SQL Server Compact Edition
2008-11-02 23:28 . 2008-11-02 23:30 d-------- c:\documents and settings\Brandon Lederhouse\Contacts
2008-11-02 23:23 . 2008-11-02 23:24 d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-02 23:22 . 2008-11-03 08:07 d-------- c:\program files\Windows Live
2008-11-02 23:22 . 2008-11-02 23:22 d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-02 00:19 . 2008-11-02 00:19 d-------- c:\program files\Audacity


Re: Major Adware Issue

Post by randomguy56 on 22nd November 2008, 1:59 am

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 02:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-21 02:57 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-11-21 02:55 --------- d-----w c:\program files\Canon
2008-11-19 22:16 --------- d-----w c:\program files\Blubster
2008-11-18 00:32 --------- d-----w c:\documents and settings\Brandon Lederhouse\Application Data\U3
2008-11-15 17:30 --------- d-----w c:\program files\AIM6
2008-11-15 17:29 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-15 17:28 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-03 13:06 --------- d-----w c:\program files\Microsoft Works
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-27 05:48 --------- d-----w c:\program files\iTunes
2008-09-27 05:48 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-27 05:47 --------- d-----w c:\program files\iPod
2008-09-27 05:36 --------- d-----w c:\program files\Bonjour
2008-09-27 05:35 --------- d-----w c:\program files\QuickTime
2008-09-27 05:34 --------- d-----w c:\program files\Common Files\Apple
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-19 22:17:36 7,358 ----a-r c:\windows\Installer\{5701A652-0DCF-40FE-8040-5C09368EEFD6}\controlPanelIcon.exe
- 2007-12-31 23:37:19 53,248 ----a-r c:\windows\Installer\{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}\_17B2407FE16E_4666_99A0_2FFCA0A8D3BA.exe
+ 2008-11-21 02:57:08 53,248 ----a-r c:\windows\Installer\{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}\_17B2407FE16E_4666_99A0_2FFCA0A8D3BA.exe
- 2007-12-31 23:37:19 4,710 ----a-r c:\windows\Installer\{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}\Op.exe
+ 2008-11-21 02:57:08 4,710 ----a-r c:\windows\Installer\{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}\Op.exe
+ 2003-10-22 12:43:32 229,376 ----a-r c:\windows\MP780,750\uninstall.exe
+ 1997-11-17 07:26:18 468,992 ----a-w c:\windows\twain_32\CNQSG\CEFPIX.DLL
+ 1997-11-17 07:30:30 87,552 ----a-w c:\windows\twain_32\CNQSG\Cfpapi.dll
+ 1997-11-07 09:55:36 112,128 ----a-w c:\windows\twain_32\CNQSG\cfpJpeg.dll
+ 2001-03-03 06:34:12 49,152 ----a-w c:\windows\twain_32\CNQSG\ExtDDI.dll
+ 2001-08-23 21:25:28 1,706,800 ----a-w c:\windows\twain_32\CNQSG\gdiplus.dll
+ 1996-04-26 10:21:40 20,992 ----a-w c:\windows\twain_32\CNQSG\Hiffl32.dll
+ 1996-04-26 10:24:40 83,968 ----a-w c:\windows\twain_32\CNQSG\Iffjpg32.dll
+ 1996-04-26 10:23:30 25,600 ----a-w c:\windows\twain_32\CNQSG\Iffpcx32.dll
+ 1995-07-17 07:13:22 118,272 ----a-w c:\windows\twain_32\CNQSG\Ifftif32.dll
+ 2000-03-08 09:28:14 270,336 ----a-w c:\windows\twain_32\CNQSG\libtiff.dll
+ 2004-03-04 19:01:10 1,966,080 ----a-w c:\windows\twain_32\CNQSG\pafcv2.dll
+ 2003-05-12 22:00:00 110,592 ----a-w c:\windows\twain_32\CNQSG\paftopdf.dll
+ 2003-04-28 19:32:00 151,552 ----a-w c:\windows\twain_32\CNQSG\PCAT.dll
+ 2004-09-25 00:01:48 1,257,472 ----a-w c:\windows\twain_32\CNQSG\SGST.exe
+ 2004-07-05 22:05:06 81,920 ----a-w c:\windows\twain_32\CNQSG\SGSTRES.dll
+ 2002-05-24 08:04:20 389,180 ----a-w c:\windows\twain_32\CNQSG\Ucs32P.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{03402f96-3dc7-4285-bc50-9e81fefafe43}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CLASSES_ROOT\clsid\{03402f96-3dc7-4285-bc50-9e81fefafe43}]
[HKEY_CLASSES_ROOT\AIMTb.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{f8ec99b3-c2ca-4a5f-9505-c049766dc883}]
[HKEY_CLASSES_ROOT\AIMTb.AOLTBSearch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{61539ecd-cc67-4437-a03c-9aaccbd14326}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2007-12-19 486856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-19 68856]
"Google Update"="c:\documents and settings\Brandon Lederhouse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-11 185896]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"nwiz"="nwiz.exe" [2008-02-22 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2008-02-22 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-07-09 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-13 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-19 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19866:TCP"= 19866:TCP:BitComet 19866 TCP
"19866:UDP"= 19866:UDP:BitComet 19866 UDP

R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2007-12-19 28184]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-18 231704]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\DRIVERS\datunidr.sys [2007-08-23 5376]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80b14ae0-a6c2-11dd-8c5c-001d09aeeb80}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-21 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Brandon Lederhouse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 22:24]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2008-11-20 23:22:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\Brandon Lederhouse\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini.inuse

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\Java\jre1.6.0_04\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-11-20 23:29:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-21 04:29:15
ComboFix2.txt 2008-11-19 04:06:22

Pre-Run: 10,637,684,736 bytes free
Post-Run: 10,745,290,752 bytes free

283 --- E O F --- 2008-11-13 08:12:21


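Added example, not part of the log post above and not ComboFix code: a Python triage pass over the "Reg Loading Points" Run-key lines of a log like this one. It parses entries of the form "Name"="path" [YYYY-MM-DD size] and reports the ones a responder should look at first. The three heuristics (runs from a user-writable profile directory, script-like extension, no [date size] stamp) are an assumption about what deserves a look, not a verdict; a legitimate per-user installer such as Google Update trips the location rule too, which is exactly why triage output still needs an allowlist. The sample log is constructed from the thread's entries (user name replaced by "Owner") plus two entries modelled on what the CFScript removed, the "nah_Shell" autostart and a .bat dropper, with made-up stamps.

```python
"""Triage the Run-key entries of a ComboFix 'Reg Loading Points' section.

Added example for this thread; it is neither ComboFix code nor part of the
post. It parses lines of the form  "Name"="path" [YYYY-MM-DD size]  under
...\CurrentVersion\Run keys and reports the entries a responder should look at
first. The heuristics are an assumption about what deserves a look, not a
verdict.
"""
import re
from typing import Dict, List, Tuple

ANY_KEY = re.compile(r"^\[(.+)\]$")
RUN_KEY = re.compile(r"^\[.*\\CurrentVersion\\Run\]$", re.I)
ENTRY = re.compile(r'^"([^"]+)"\s*=\s*"([^"]*)"(?:\s*\[([^\]]*)\])?\s*$')

# Assumptions: profile roots any user can write to, and extensions that are
# scripts or rarely-used executable types rather than normal PE programs.
USER_WRITABLE = ("c:\\documents and settings\\", "c:\\users\\")
SCRIPT_LIKE = (".bat", ".cmd", ".vbs", ".js", ".scr", ".com", ".pif")


def parse_run_entries(log: str) -> List[Dict[str, object]]:
    """Return one dict per value under a Run key; other keys are ignored."""
    entries = []
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ANY_KEY.match(line):
            key = line[1:-1] if RUN_KEY.match(line) else None
            continue
        m = ENTRY.match(line) if key else None
        if not m:
            continue
        name, value, stamp = m.groups()
        path, date, size = value, None, None
        if stamp:
            # The bracket holds "date size" for a resolved file, or "date path"
            # when the value was a bare file name that the scanner resolved.
            date, _, rest = stamp.partition(" ")
            if rest.isdigit():
                size = int(rest)
            elif rest:
                path = rest
        entries.append({"key": key, "name": name, "path": path,
                        "date": date, "size": size})
    return entries


def triage(entries) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for every entry that trips a heuristic."""
    findings = []
    for e in entries:
        path = str(e["path"]).lower()
        reasons = []
        if path.startswith(USER_WRITABLE):
            reasons.append("runs from a user-writable profile directory")
        if path.endswith(SCRIPT_LIKE):
            reasons.append("script or unusual executable type in an autostart")
        if e["date"] is None:
            reasons.append("no [date size] stamp: scanner did not resolve the file")
        if reasons:
            findings.append((str(e["name"]), str(e["path"]), reasons))
    return findings


# Constructed sample: Run entries copied from the thread's log (user name
# replaced by "Owner"), plus two modelled on the values the CFScript removed:
# the "nah_Shell" autostart (stamp made up) and a .bat dropper with no stamp.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2007-12-19 486856]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"nah_Shell"="c:\documents and settings\Owner\nah_qnhv.exe" [2008-11-15 90112]
"ocohac"="c:\documents and settings\All Users\Application Data\ocohac.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 851968]
"nwiz"="nwiz.exe" [2008-02-22 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{03402f96-3dc7-4285-bc50-9e81fefafe43}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]
"""

if __name__ == "__main__":
    for name, path, reasons in triage(parse_run_entries(SAMPLE_LOG)):
        print(f"{name}: {path}")
        for r in reasons:
            print("   -", r)
```

Run on the sample, the pass flags nah_Shell and the .bat dropper, and also Google Update, because it legitimately lives under the user profile; that false positive is the reason a real triage list is paired with a known-good allowlist rather than acted on blindly.
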
Re: Major Adware Issue

Post by Belahzur on 22nd November 2008, 1:40 pm

Hello.
Looks much better.
I see QQ. This is sometimes installed by Chinese malware.

Did you install this? If you did, no problems. If not, uninstall it.

How is the machine now?



Re: Major Adware Issue

Post by Doctor Inferno on 2nd December 2008, 2:24 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

