
Inactive gala directory bug

Discussion in 'Malware and Virus Removal Archive' started by gghartman, 2010/04/18.

Thread Status:
Not open for further replies.
  1. 2010/04/18
    gghartman Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,130
    Likes Received:
    0
    [Inactive] gala directory bug

    not sure where my post from this past friday went to but it seems to be gone from the listings so will try again.

    The machine I'm working on is XP Home with Spy Sweeper, Malwarebytes and AntiVir. The client used Google the other day and all of a sudden it was redirected to using Gala Directory search, which upon research I find to be a bug. I scanned with all the protective software and got rid of 575 bugs, but I'm still unable to get Google to function; not only Google search but Yahoo and MSN searches are not functioning. I'm unable to get even Google to reinstall after uninstalling it. I got rid of all registry entries pertaining to Gala search, but no go. With Yahoo and MSN, when typing in a search variable and it lists hits, when you click on a hit it just comes up with "page cannot be displayed". I have done all I could find on searching for the Gala bug, but I'm not sure what key is still stopping searches.

    Ideas would be appreciated..... Greg
     
  2. 2010/04/18
    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    It was probably deleted. You have been a member since 2002, so you should be well aware of the Rules that govern this forum.
     

  4. 2010/04/18
    gghartman Inactive Thread Starter

    Admin,

    I wish you would have told me you deleted my post then. I know the rules, but I'm not looking for someone to look at a huge output from running the DDS thing. This machine is as clean as a newborn baby; what I am now missing has to be some registry entry that is still lingering that is preventing Google or any other search function from running. I just thought someone might know what that registry entry might be.
     
  5. 2010/04/18
    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Since you're getting redirections, it surely is not clean, so please follow Arie's reply.
     
  6. 2010/04/21
    gghartman Inactive Thread Starter

    Okay, I finally got the information from running the dds.scr program. Again, I'm not sure what is stopping access to google.com and search.yahoo.com, but when using the search function a web page comes up saying problems occurred, and then a link to diagnose the problem; but there is no problem with the internet connection, just with using any search function.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/16/2005 4:19:39 PM
    System Uptime: 4/16/2010 4:35:49 PM (114 hours ago)

    Motherboard: Dell Inc. | | 0M3918
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 34 GiB total, 18.548 GiB free.
    D: is CDROM ()
    E: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/100 VE Network Connection
    Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_01811028&REV_03\4&10416D21&0&40F0
    Manufacturer: Intel
    Name: Intel(R) PRO/100 VE Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_01811028&REV_03\4&10416D21&0&40F0
    Service: E100B

    ==== System Restore Points ===================

    RP1715: 2/6/2010 2:02:00 PM - System Checkpoint
    RP1716: 2/7/2010 3:49:47 PM - System Checkpoint
    RP1717: 2/8/2010 4:45:03 PM - System Checkpoint
    RP1718: 2/9/2010 5:14:41 PM - System Checkpoint
    RP1719: 2/10/2010 7:08:37 AM - Software Distribution Service 3.0
    RP1720: 2/11/2010 7:21:34 AM - System Checkpoint
    RP1721: 2/12/2010 8:05:23 AM - System Checkpoint
    RP1722: 2/13/2010 8:36:47 AM - System Checkpoint
    RP1723: 2/14/2010 11:23:40 AM - System Checkpoint
    RP1724: 2/15/2010 11:36:46 AM - System Checkpoint
    RP1725: 2/16/2010 3:13:25 PM - System Checkpoint
    RP1726: 2/17/2010 3:35:45 PM - System Checkpoint
    RP1727: 2/18/2010 3:36:47 PM - System Checkpoint
    RP1728: 2/19/2010 4:35:44 PM - System Checkpoint
    RP1729: 2/20/2010 5:59:44 PM - System Checkpoint
    RP1730: 2/22/2010 8:03:41 AM - System Checkpoint
    RP1731: 2/23/2010 8:24:50 AM - System Checkpoint
    RP1732: 2/24/2010 7:01:17 AM - Software Distribution Service 3.0
    RP1733: 2/25/2010 7:36:14 AM - System Checkpoint
    RP1734: 2/26/2010 8:06:13 AM - System Checkpoint
    RP1735: 2/27/2010 8:19:42 AM - System Checkpoint
    RP1736: 2/28/2010 8:29:10 AM - System Checkpoint
    RP1737: 3/1/2010 8:56:10 AM - System Checkpoint
    RP1738: 3/2/2010 9:06:16 AM - System Checkpoint
    RP1739: 3/3/2010 10:33:18 AM - System Checkpoint
    RP1740: 3/4/2010 11:37:23 AM - System Checkpoint
    RP1741: 3/5/2010 12:46:19 PM - System Checkpoint
    RP1742: 3/6/2010 1:01:27 PM - System Checkpoint
    RP1743: 3/7/2010 2:37:24 PM - System Checkpoint
    RP1744: 3/8/2010 3:08:16 PM - System Checkpoint
    RP1745: 3/9/2010 3:31:43 PM - System Checkpoint
    RP1746: 3/10/2010 3:49:07 PM - System Checkpoint
    RP1747: 3/11/2010 7:27:43 AM - Software Distribution Service 3.0
    RP1748: 3/12/2010 9:24:13 AM - System Checkpoint
    RP1749: 3/13/2010 10:10:08 AM - System Checkpoint
    RP1750: 3/14/2010 12:15:22 PM - System Checkpoint
    RP1751: 3/15/2010 1:15:24 PM - System Checkpoint
    RP1752: 3/16/2010 2:24:13 PM - System Checkpoint
    RP1753: 3/17/2010 2:27:32 PM - System Checkpoint
    RP1754: 3/18/2010 3:09:24 PM - System Checkpoint
    RP1755: 3/19/2010 4:49:11 PM - System Checkpoint
    RP1756: 3/21/2010 4:02:11 PM - System Checkpoint
    RP1757: 3/22/2010 7:48:32 AM - System Checkpoint
    RP1758: 3/23/2010 8:11:45 AM - System Checkpoint
    RP1759: 3/24/2010 8:24:51 AM - System Checkpoint
    RP1760: 3/25/2010 9:11:45 AM - System Checkpoint
    RP1761: 3/26/2010 10:20:16 AM - System Checkpoint
    RP1762: 3/27/2010 11:34:41 AM - System Checkpoint
    RP1763: 3/28/2010 1:10:41 PM - System Checkpoint
    RP1764: 3/29/2010 1:11:34 PM - System Checkpoint
    RP1765: 3/30/2010 2:04:01 PM - System Checkpoint
    RP1766: 3/31/2010 7:05:48 AM - Software Distribution Service 3.0
    RP1767: 4/1/2010 7:29:54 AM - System Checkpoint
    RP1768: 4/2/2010 8:14:52 AM - System Checkpoint
    RP1769: 4/3/2010 9:45:38 AM - System Checkpoint
    RP1770: 4/4/2010 10:34:24 AM - System Checkpoint
    RP1771: 4/5/2010 11:12:50 AM - System Checkpoint
    RP1772: 4/6/2010 12:03:45 PM - System Checkpoint
    RP1773: 4/7/2010 12:06:54 PM - System Checkpoint
    RP1774: 4/8/2010 12:35:31 PM - System Checkpoint
    RP1775: 4/9/2010 8:41:02 AM - Installed Windows Defender
    RP1776: 4/9/2010 10:44:33 AM - Removed Java(TM) 6 Update 13
    RP1777: 4/9/2010 10:45:36 AM - Installed Java(TM) 6 Update 19
    RP1778: 4/10/2010 12:32:06 PM - System Checkpoint
    RP1779: 4/11/2010 1:34:03 PM - System Checkpoint
    RP1780: 4/12/2010 2:46:38 PM - System Checkpoint
    RP1781: 4/13/2010 3:14:42 PM - System Checkpoint
    RP1782: 4/14/2010 3:15:40 PM - System Checkpoint
    RP1783: 4/14/2010 3:21:46 PM - Software Distribution Service 3.0
    RP1784: 4/15/2010 10:10:44 AM - Installed Java(TM) 6 Update 20
    RP1785: 4/16/2010 11:09:41 AM - System Checkpoint
    RP1786: 4/17/2010 12:04:12 PM - System Checkpoint
    RP1787: 4/18/2010 12:40:11 PM - System Checkpoint
    RP1788: 4/19/2010 12:41:04 PM - System Checkpoint
    RP1789: 4/20/2010 2:04:00 PM - System Checkpoint

    ==== Hosts File Hijack ======================

    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 getantivirusplusnow.com
    Hosts: 74.125.45.100 secure-plus-payments.com
    Hosts: 74.125.45.100 www.getantivirusplusnow.com
    Hosts: 74.125.45.100 www.secure-plus-payments.com
    Hosts: 74.125.45.100 www.getavplusnow.com
    Hosts: 74.125.45.100 safebrowsing-cache.google.com
    Hosts: 74.125.45.100 urs.microsoft.com
    Hosts: 74.125.45.100 www.securesoftwarebill.com
    Hosts: 74.125.45.100 secure.paysecuresystem.com
    Hosts: 74.125.45.100 paysoftbillsolution.com
    Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    Hosts: 93.186.119.129 www.google.com
    Hosts: 93.186.119.129 google.com
    Hosts: 93.186.119.129 google.com.au
    Hosts: 93.186.119.129 www.google.com.au
    Hosts: 93.186.119.129 google.be
    Hosts: 93.186.119.129 www.google.be
    Hosts: 93.186.119.129 google.com.br
    Hosts: 93.186.119.129 www.google.com.br
    Hosts: 93.186.119.129 google.ca
    Hosts: 93.186.119.129 www.google.ca
    Hosts: 93.186.119.129 google.ch
    Hosts: 93.186.119.129 www.google.ch
    Hosts: 93.186.119.129 google.de
    Hosts: 93.186.119.129 www.google.de
    Hosts: 93.186.119.129 google.dk
    Hosts: 93.186.119.129 www.google.dk
    Hosts: 93.186.119.129 google.fr
    Hosts: 93.186.119.129 www.google.fr
    Hosts: 93.186.119.129 google.ie
    Hosts: 93.186.119.129 www.google.ie
    Hosts: 93.186.119.129 google.it
    Hosts: 93.186.119.129 www.google.it
    Hosts: 93.186.119.129 google.co.jp
    Hosts: 93.186.119.129 www.google.co.jp
    Hosts: 93.186.119.129 google.nl
    Hosts: 93.186.119.129 www.google.nl
    Hosts: 93.186.119.129 google.no
    Hosts: 93.186.119.129 www.google.no
    Hosts: 93.186.119.129 google.co.nz
    Hosts: 93.186.119.129 www.google.co.nz
    Hosts: 93.186.119.129 google.pl
    Hosts: 93.186.119.129 www.google.pl
    Hosts: 93.186.119.129 google.se
    Hosts: 93.186.119.129 www.google.se
    Hosts: 93.186.119.129 google.co.uk
    Hosts: 93.186.119.129 www.google.co.uk
    Hosts: 93.186.119.129 google.co.za
    Hosts: 93.186.119.129 www.google.co.za
    Hosts: 93.186.119.129 www.google-analytics.com
    Hosts: 93.186.119.129 www.bing.com
    Hosts: 93.186.119.129 search.yahoo.com
    Hosts: 93.186.119.129 www.search.yahoo.com
    Hosts: 93.186.119.129 uk.search.yahoo.com
    Hosts: 93.186.119.129 ca.search.yahoo.com
    Hosts: 93.186.119.129 de.search.yahoo.com
    Hosts: 93.186.119.129 fr.search.yahoo.com
    Hosts: 93.186.119.129 au.search.yahoo.com

    ==== Installed Programs ======================

    5600
    5600_Help
    5600Trb
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.0
    AiO_Scan
    AiOSoftware
    Apple Application Support
    Apple Software Update
    Ask Toolbar
    Avira AntiVir Personal - Free Antivirus
    Banctec Service Agreement
    BufferChm
    CCleaner
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    Critical Update for Windows Media Player 11 (KB959772)
    CustomerResearchQFolder
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Printer Software Uninstall
    Dell System Restore
    DellSupport
    Destinations
    DeviceManagementQFolder
    DocProc
    eSupportQFolder
    Fax
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    HP Extended Capabilities 5.3
    HP Image Zone Express
    HP Imaging Device Functions 5.3
    HP Product Assistant
    HP PSC & OfficeJet 5.3.B
    HP Solution Center & Imaging Support Tools 5.3
    HP Update
    HPProductAssistant
    InstallMgr
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    Internet Explorer Default Page
    Java Auto Updater
    Java(TM) 6 Update 20
    Learn2 Player (Uninstall Only)
    Malwarebytes' Anti-Malware
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Default Manager
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Search Enhancement Pack
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSN
    MSN Toolbar
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 and SOAP Toolkit 3.0
    NewCopy
    NGIS
    NGISCT
    NGISRD
    ProductContext
    QuickTime
    Readme
    RealPlayer Basic
    Scan
    ScannerCopy
    Security Update for CAPICOM (KB931906)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980232)
    Shockwave
    SolutionCenter
    Spy Sweeper
    Spy Sweeper Core
    Status
    TrayApp
    UHaulMessenger
    Unload
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Viewpoint Media Player
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    WordPerfect Office 12
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    4/16/2010 9:04:54 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    4/16/2010 9:04:54 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\RUSS\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    4/16/2010 9:04:54 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    4/15/2010 10:10:34 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by RUSS at 10:35:42.21 on Wed 04/21/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2549 [GMT -5:00]

    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: CleanUp Antivirus *On-access scanning enabled* (Updated) {6B8A9096-38A7-4F16-AA8C-8661EC8637DB}
    FW: CleanUp Antivirus *enabled* {A75B0B5B-6B1A-4812-90B7-F18A91263CFE}

    ============== Running Processes ===============

    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\RUSS\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe "
    mRun: [OSCD_Creator] "c:\dell\PreODM.EXE "
    mRun: [RealTray] "c:\program files\real\realplayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
    mRun: [igfxtray] "c:\windows\system32\igfxtray.exe "
    mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe "
    mRun: [igfxpers] "c:\windows\system32\igfxpers.exe "
    mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe "
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
    mRunOnce: [OSCD_Creator] "c:\dell\PreODM.EXE" /2
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    Trusted Zone: adobe.com\www
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196804057531
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    STS: djuka: {ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c} - c:\windows\system32\wbchha.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    IFEO: image file execution options -
    IFEO: install.exe -
    IFEO: mrt.exe - svchost.exe
    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 getantivirusplusnow.com

    Note: multiple HOSTS entries found. Please refer to Attach.txt

    ============= SERVICES / DRIVERS ===============

    R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-16 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-16 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-16 60936]
    R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
    R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-4-12 1201640]
    S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-16 11608]

    =============== Created Last 30 ================

    2010-04-16 20:43:18 0 d-----w- c:\program files\Ask.com
    2010-04-16 14:12:15 0 d-----w- c:\windows\system32\NtmsData
    2010-04-16 14:07:38 0 d-----w- c:\docume~1\russ\applic~1\Avira
    2010-04-16 14:05:26 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-04-16 14:05:23 0 d-----w- c:\program files\Avira
    2010-04-16 14:05:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-04-15 18:01:14 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
    2010-04-15 15:11:31 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-12 15:46:55 0 d-----w- c:\program files\MSSOAP
    2010-04-12 15:46:30 1563008 ----a-w- c:\windows\WRSetup.dll
    2010-04-12 15:46:30 0 d-----w- c:\program files\Webroot
    2010-04-12 15:46:30 0 d-----w- c:\docume~1\russ\applic~1\Webroot
    2010-04-12 15:46:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot
    2010-04-12 15:40:40 164 ----a-w- c:\windows\install.dat
    2010-04-09 15:46:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-04-09 14:20:27 0 d-----w- c:\program files\CCleaner
    2010-04-08 17:44:15 0 d-sh--w- c:\docume~1\alluse~1\applic~1\CUXXA
    2010-04-08 17:42:38 0 d-sh--w- c:\docume~1\alluse~1\applic~1\3cb78cb

    ==================== Find3M ====================

    2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
    2010-02-25 16:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
    2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
    2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-02-17 14:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
    2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
    2009-10-15 08:37:07 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
    2008-08-25 20:02:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

    ============= FINISH: 10:36:22.66 ===============
     
  7. 2010/04/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download HostsXpert ( http://www.majorgeeks.com/Hoster_d4626.html ) and then follow the steps below:

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * Click Restore MS Hosts File and then click OK.
    * Click the X to exit the program

    Restart computer.

    ================================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2010/04/21
    gghartman

    gghartman Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,130
    Likes Received:
    0
    broni

    Okay, now I'm confused. I got the report requested, and now you want me to do this other step. Did you find something in the report??? Please tell me; it's not an easy thing to keep running back to this client because of the distance between us.

    Like I said before, I have run Malwarebytes, AntiVir and Spy Sweeper and nothing is found anymore. Malwarebytes did find 500+ bugs last week and removed them, and a rescan found nothing more.

    Just need to know what you may have found before I drive the distance to this client......greg
     
  9. 2010/04/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Well, so far we know your "hosts" file has been compromised, and there are also leftovers from CleanUp Antivirus.
    We need to run additional tools/scans to see what else is there, and then we can start the cleaning process.
    Since MBAM was run last week, I'd like to see a fresh scan, plus all the other steps listed in my previous reply.
    If you have to go to your client, I suggest you bring the computer home, because it may take a while to make sure the computer is clean.
    Additionally, I'm not here 24/7, so you can't expect immediate replies.
     
  10. 2010/04/21
    gghartman

    gghartman Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,130
    Likes Received:
    0
    broni

    Actually, I wondered about the hosts file when I couldn't find it. Thought that was strange. What you suggest, bringing the machine home, would be a good thing, but it's a business client, so if I need to do that it will have to be on the weekend when they're not open. Also, I actually just ran Malwarebytes when I was at the client's this morning and nothing was found. I will try to do these things requested as soon as possible.....greg
     
  11. 2010/04/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No problem :)
     
  12. 2010/04/26
    gghartman

    gghartman Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,130
    Likes Received:
    0
    broni

    I ran GMER and it took 3 hours to finish, but when I tried to save it came up "not responding" and I had to hard boot. Didn't rerun; couldn't sit there another 3 hours.

    Did run HijackThis and here is the log file. Forgot to run the HostsXpert program, which I am kicking myself about right now, but will get to that maybe tomorrow....greg

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:17:51 PM, on 4/26/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = file://c:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = file://c:\windows\system32\blank.htm
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
    O1 - Hosts: 74.125.45.100 urs.microsoft.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
    O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    O1 - Hosts: 93.186.119.129 www.google.com
    O1 - Hosts: 93.186.119.129 google.com
    O1 - Hosts: 93.186.119.129 google.com.au
    O1 - Hosts: 93.186.119.129 www.google.com.au
    O1 - Hosts: 93.186.119.129 google.be
    O1 - Hosts: 93.186.119.129 www.google.be
    O1 - Hosts: 93.186.119.129 google.com.br
    O1 - Hosts: 93.186.119.129 www.google.com.br
    O1 - Hosts: 93.186.119.129 google.ca
    O1 - Hosts: 93.186.119.129 www.google.ca
    O1 - Hosts: 93.186.119.129 google.ch
    O1 - Hosts: 93.186.119.129 www.google.ch
    O1 - Hosts: 93.186.119.129 google.de
    O1 - Hosts: 93.186.119.129 www.google.de
    O1 - Hosts: 93.186.119.129 google.dk
    O1 - Hosts: 93.186.119.129 www.google.dk
    O1 - Hosts: 93.186.119.129 google.fr
    O1 - Hosts: 93.186.119.129 www.google.fr
    O1 - Hosts: 93.186.119.129 google.ie
    O1 - Hosts: 93.186.119.129 www.google.ie
    O1 - Hosts: 93.186.119.129 google.it
    O1 - Hosts: 93.186.119.129 www.google.it
    O1 - Hosts: 93.186.119.129 google.co.jp
    O1 - Hosts: 93.186.119.129 www.google.co.jp
    O1 - Hosts: 93.186.119.129 google.nl
    O1 - Hosts: 93.186.119.129 www.google.nl
    O1 - Hosts: 93.186.119.129 google.no
    O1 - Hosts: 93.186.119.129 www.google.no
    O1 - Hosts: 93.186.119.129 google.co.nz
    O1 - Hosts: 93.186.119.129 www.google.co.nz
    O1 - Hosts: 93.186.119.129 google.pl
    O1 - Hosts: 93.186.119.129 www.google.pl
    O1 - Hosts: 93.186.119.129 google.se
    O1 - Hosts: 93.186.119.129 www.google.se
    O1 - Hosts: 93.186.119.129 google.co.uk
    O1 - Hosts: 93.186.119.129 www.google.co.uk
    O1 - Hosts: 93.186.119.129 google.co.za
    O1 - Hosts: 93.186.119.129 www.google.co.za
    O1 - Hosts: 93.186.119.129 www.google-analytics.com
    O1 - Hosts: 93.186.119.129 www.bing.com
    O1 - Hosts: 93.186.119.129 search.yahoo.com
    O1 - Hosts: 93.186.119.129 www.search.yahoo.com
    O1 - Hosts: 93.186.119.129 uk.search.yahoo.com
    O1 - Hosts: 93.186.119.129 ca.search.yahoo.com
    O1 - Hosts: 93.186.119.129 de.search.yahoo.com
    O1 - Hosts: 93.186.119.129 fr.search.yahoo.com
    O1 - Hosts: 93.186.119.129 au.search.yahoo.com
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [OSCD_Creator] "c:\Dell\PreODM.EXE "
    O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
    O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe "
    O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe "
    O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe "
    O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\RunOnce: [OSCD_Creator] "C:\Dell\PreODM.EXE" /2
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe "
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196804057531
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: djuka - {ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c} - C:\WINDOWS\system32\wbchha.dll (file missing)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

    --
    End of file - 11192 bytes
     
  13. 2010/04/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Regarding GMER...did you?
    Also....

    Download HostsXpert ( http://www.majorgeeks.com/Hoster_d4626.html ) and then follow the steps below:

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * Click Restore MS Hosts File and then click OK.
    * Click the X to exit the program

    Restart computer.
     
  14. 2010/04/26
    gghartman

    gghartman Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,130
    Likes Received:
    0
    broni

    No, like I said, I forgot to run the restoring of the hosts file; will get to that hopefully tomorrow. As far as GMER, honestly I can't afford to spend another 3 hours running this program. If this is a rootkit detector, can I not run the Sophos version, which is much quicker?

    Did the HijackThis log not show anything to point in the right direction???
     
  15. 2010/04/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm sorry, but we can either proceed my way, or I can't help you.
    Malware removal process takes time and I can't speed it up, or something will go wrong.
    You don't want things to go wrong, do you?
     
  16. 2010/04/26
    gghartman

    gghartman Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,130
    Likes Received:
    0
    Like I said before, it's 50 miles for me to get to this client, and I've already done that a number of times, and I'm not getting paid for all these trips or the time involved. To once again sit there for 3 hours to run the GMER program, and then if it locks up again another 3 in Safe Mode, that's not time well spent in my opinion. I have a business, and honestly I could have rebuilt 3 machines, including data backup, with the time I've spent on this one bug. I've been doing computers for a long time, but this one Gala bug is the first I've seen of it. Every other bug is removed, and I was hoping to find why this one is being so stubborn, but again I can't spend this amount of time on one call. I'm losing my butt money-wise on this one. Apparently there's nothing you want to tell me that's in the HijackThis log, and apparently running another rootkit program that I use all the time and runs a whole lot faster isn't good enough. So I think I will make arrangements with the client to pick his machine up this Friday and rebuild it this weekend, and boom, he has a brand new machine. I've done everything correctly on this bug with the research I did before asking for help here, but something is still hanging around. I don't see it in the logs I've sent you; nothing points to search-gala or anything close to it. So again, thanks for the help, but like when I was in corporate America, it's not a smart thing to waste so much time on one problem when reimaging will fix the problem in a very short time.

    Thanks.....greg
     
  17. 2010/04/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    If you have that option, go ahead.

    HJT is not a tool which discovers rootkits. HJT is a rather ancient tool at this point, and I use it for very limited purposes.
    There is nothing else I can say, besides that malware removal takes time.

    I'm not sure, what exactly do you expect me to do. Pull a miracle?
     
  18. 2010/04/26
    gghartman

    gghartman Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,130
    Likes Received:
    0
    Nope, I know there's no miracle with some of these things. I know that even with the other bugs I've been working on for some time now, it takes a couple of hours to remove them and make sure nothing remains in the registry. I know that; I was just hoping that maybe someone has seen this Gala directory bug and might know why it did that and still causes even the Google web site not to come up. I've done everything the web research has said to look for and do. I've rescanned for all variations of Gala in the registry and on the drive; nothing is there, but it obviously made some imprint to a key that isn't easily seen.

    Not expecting miracles at all; like I said, I have done this for a very long time myself, and I know miracles don't happen, it takes a lot of work. There also comes a time when time and cost have to come into play, and the time and cost I've spent on this 1 call is not a smart thing to do when rebuilding the machine is the quickest and easiest answer. I do know if I see this Gala bug again I will just back up the data and rebuild the machine. Like I said, time and cost for me have to come into consideration here. I'm already in the red on this 1 call, and at least with my rebuilding the machine I will at least break even. This client's machine has never in 5 years been worked on before, so it's time it gets an overhaul.

    I do appreciate your efforts.....greg
     
  19. 2010/04/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Look, I fully understand your situation, which is kind of "catch 22" issue.
    You have a distant customer who doesn't want to pay for your time, and on the other hand, as you seem to be aware, cleaning up a computer takes time.

    You can eventually try ComboFix, listed below, but if we're dealing with the newest TDSS rootkit, GMER will have to be run anyway, since at this point it's the only tool which will detect that kind of infection.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  20. 2010/04/26
    gghartman

    gghartman Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,130
    Likes Received:
    0
    One step here says if it asks to install Recovery Console. I don't believe that can be done on XP Home; that only comes with XP Pro. I might be wrong, but I believe that's a Pro ability.

    If this is a new bug, and if you haven't seen it before my guess is it probably is, 'cause it's a real good one. These bad guys are getting good, that's for sure. What I am hoping is, if I rebuild the machine, then put back on AntiVir, which scans web pages as they are opened and warns of bugs, then put back on Spy Sweeper, which to my testing is the best one out there for stopping bugs from ever coming into the machine, SpywareBlaster, Malwarebytes and SUPERAntiSpyware, hopefully this machine will be as protected as possible, although you know as well as I do that the only 100% in anything is death and taxes, but this would be very close to fully protected. I don't install any 3rd-party firewall because I have found that the prompts they sometimes ask of one most times confuse the client more than anything, and then all of a sudden IE or Express doesn't work. Client has a hardware firewall and XP's, so that in most cases should be enough.

    Running GMER scares me 'cause it froze just trying to save the report after 3 hours of running it. The machine I'm working on is a P4 3.0 GHz with 2.5 GB memory, so I was surprised at how long it was taking, and then to fail really upset me. I'll have to think about whether I can afford, time- and money-wise, to continue troubleshooting this one bug. Like I said, I was hoping someone had seen it before, but I guess, like me, you haven't. It's a good one, that's for sure.....greg
     
  21. 2010/04/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Recovery console can be installed on any XP version.

    I'm not saying you necessarily have the newest TDSS rootkit. I just warned you about that possibility.
    I've seen plenty of it, but GMER is the only scan which will show me which actual file was modified by the infection.
     