Solved Google redirect and internet time zone not accessible

snarky · 2010/01/19

[Resolved] Google redirect and internet time zone not accessible

Hi. Please see if you can help me with my virus/malware problems.
I have used every free scanner (virus, spyware, malware) program I can, and I still have not been able to get rid of this Google re-directer.

Programs I have used for this/these issue(s):

HJT
Malwarebytes
Spybot S&D
Ad-Aware
Avast
AVG
Housecall
Windows Advanced System Care
CCleaner

Additional things I have done:

I have also removed certain files from registry (smss32, is2010 etc)
Further, I have tried to locate suspicious running processes in task manager; but there appear to be none that are suspicious.

I did have smss32 and the Internet Security 2010 issues and these "appear" to have been cleared up; that is they are not to be found anywhere in my registry. I had to manually delete some of these files from the registry as the spyware programs were not removing all files.

The problem:

1) I try to follow links on Google only to get re-directed to other site(s); this is on both Firefox and Internet Explorer.
2) Not sure if it is related, but when i try to adjust the clock time (it is a bit off), I am not permitted to use the Internet Time tab as it is grayed out and thus cannot synchronize.
3)Generally, the system is running slow

I am guessing you want a HJT log; but I won't submit anything until asked. I am completely unfamiliar with DDS and combofix.

Additional details:

The virus/malware is on a Dell laptop computer running windows xp. It is not my computer so I do not know exactly what the user was doing when it occurred nor any other particulars other than she uses social sites (facebook etc) a lot.

Please advise,
Snarky

PeteC · 2010/01/19

Welcome to WindowsBBS

Please read this as indicated at the head of the forum and post the logs requested in this thread.

I am guessing you want a HJT log
Click to expand...

No, this is no longer sufficient - please run DDS and post both logs here.

snarky · 2010/01/19

Thank you for your speedy reply.
Here are the files you have requested (DDS & ATTACH)

DDS

DDS (Ver_09-12-01.01) - NTFSx86
Run by Margaret Courtney at 10:00:46.42 on Tue 01/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.116 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100119-0] *On-access scanning enabled* (Updated)

{7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Margaret Courtney\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=0061012
uSearchMigratedDefaultURL =

hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program

files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe

Search
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot -

search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search

enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common

files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program

files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program

files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows

live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program

files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows

live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dlcgmon.exe] "c:\program files\dell aio 810\dlcgmon.exe "
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [DLCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCGtime.dll,_RunDLLEntry@16
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -

c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} -

c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} -

file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -

hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://www.imgag.com/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} - hxxp://update.hpphoto.com/download/HPSWUpdate.ocx
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\margar~1\applic~1\mozilla\firefox\profiles\0os1cxer.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.google.mozilla.com/firefox
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla

firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla

firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-19 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-16 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-16 20560]

=============== Created Last 30 ================

2010-01-19 13:28:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-19 10:46:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-19 10:43:30 0 dc-h--w-

c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-19 00:37:49 3246 ----a-w- c:\windows\system32\wbem\Outlook_01ca989fa001839a.mof
2010-01-17 00:40:34 0 d-----w- c:\docume~1\margar~1\applic~1\Malwarebytes
2010-01-17 00:40:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-17 00:40:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-17 00:40:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 00:40:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 00:21:53 0 d-----w- c:\program files\Trend Micro
2010-01-16 23:48:36 0 d--h--w- c:\windows\PIF
2010-01-16 20:50:04 0 d-----w- c:\docume~1\margar~1\applic~1\IObit
2010-01-16 20:50:02 0 d-----w- c:\program files\IObit
2010-01-16 02:02:57 0 d-----w- C:\spoolerlogs
2010-01-13 00:55:55 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-12-27 13:37:33 0 d-----w- c:\program files\Sigmatel
2009-12-27 13:37:32 339968 ----a-w- c:\windows\stsystra.exe
2009-12-27 13:37:32 1052672 ----a-w- c:\windows\system32\stlang.dll
2009-12-27 13:37:30 4882432 ----a-w- c:\windows\system32\stacgui.cpl
2009-12-27 12:39:18 0 d-----w- c:\program files\VideoLAN
2009-12-27 12:00:08 0 d-----w- c:\program files\OpenAL
2009-12-27 12:00:06 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-27 12:00:06 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-27 11:59:54 0 d-----w- c:\program files\Osmos
2009-12-27 10:21:44 0 d-----w- c:\documents and settings\margaret courtney\Tracing
2009-12-27 10:18:25 0 d-----w- c:\program files\Microsoft
2009-12-27 10:17:41 0 d-----w- c:\program files\Windows Live SkyDrive
2009-12-27 10:10:14 0 d-----w- c:\program files\common files\Windows Live
2009-12-26 23:42:30 0 dc-h--w- c:\windows\ie8
2009-12-26 20:45:07 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys

==================== Find3M ====================

2010-01-15 22:35:18 26190 ----a-w- c:\docume~1\margar~1\applic~1\wklnhst.dat
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-19 14:04:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local

settings\history\history.ie5\mshist012008101920081020\index.dat

============= FINISH: 10:04:26.50 ===============

ATTACH

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/18/2006 10:42:36 PM
System Uptime: 1/19/2010 6:48:44 AM (4 hours ago)

Motherboard: Dell Inc. | | 0RJ272
Processor: Intel(R) Pentium(R) M processor 1.70GHz | Microprocessor |

1186/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 53 GiB total, 38.381 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP947: 1/16/2010 7:01:48 PM - System Checkpoint
RP948: 1/16/2010 8:06:27 PM - Removed AVG Free 8.5
RP949: 1/16/2010 10:26:18 PM - after hijackthis and malaware jan 16 2010 10pm
RP950: 1/19/2010 2:18:37 AM - System Checkpoint

==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player 11.5
Advanced SystemCare 3
avast! Antivirus
BufferChm
CameraDrivers
CameraUserGuides
Cards_Calendar_OrderGift_DoMorePlugout
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell AIO 810
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.2
Dell System Restore
Dell Wireless WLAN Card
DellConnect
DeviceDiscovery
DeviceManagementQFolder
Digital Line Detect
eSupportQFolder
Google Earth
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Imaging Device Functions 9.0
HP Photosmart Cameras 9.0
HP Photosmart Essential 2.5
HP Photosmart Essential 3.0
HP Product Assistant
HP Solution Center 9.0
HP Update
hpicamDrvQFolder
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
InstantShareDevicesMFC
Intel(R) Graphics Media Accelerator Driver for Mobile
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java(TM) 6 Update 15
Java(TM) 6 Update 5
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Search Enhancement Pack
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Helper
Mozilla Firefox (3.5.7)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
OpenAL
OpenOffice.org Installer 1.0
PanoStandAlone
PowerDVD 5.5
PSSWCORE
QuickSet
Rhapsody Player Engine
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
SierraHome Print Artist 12.0
SigmaTel Audio
Smart Menus (Windows Live Toolbar)
SolutionCenter
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Status
Synaptics Pointing Device Driver
TrayApp
Ulead Photo Express 4.0 My Scrapbook Edition
UnloadSupport
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URL Assistant
VideoToolkit01
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.3
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

1/18/2010 11:36:54 PM, error: DCOM [10005] - DCOM got error "%1058"

attempting to start the service SeaPort with arguments "-Service" in order to run

the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
1/18/2010 10:54:36 PM, error: Service Control Manager [7034] - The Java Quick

Starter service terminated unexpectedly. It has done this 1 time(s).
1/17/2010 2:41:13 PM, error: Service Control Manager [7009] - Timeout (30000

milliseconds) waiting for the Application Layer Gateway Service service to

connect.
1/17/2010 2:41:13 PM, error: Service Control Manager [7000] - The Application

Layer Gateway Service service failed to start due to the following error: The

service did not respond to the start or control request in a timely fashion.
1/16/2010 9:25:51 AM, error: Service Control Manager [7022] - The HP CUE

DeviceDiscovery Service service hung on starting.
1/16/2010 9:24:25 AM, error: Ftdisk [49] - Configuring the Page file for crash

dump failed. Make sure there is a page file on the boot partition and that is large

enough to contain all physical memory.
1/16/2010 9:08:52 PM, error: Service Control Manager [7034] - The avast! Web

Scanner service terminated unexpectedly. It has done this 1 time(s).
1/16/2010 8:59:53 PM, error: Service Control Manager [7026] - The following

boot-start or system-start driver(s) failed to load: IntelIde
1/16/2010 6:19:10 PM, error: Service Control Manager [7009] - Timeout (30000

milliseconds) waiting for the avast! Web Scanner service to connect.
1/16/2010 6:19:10 PM, error: Service Control Manager [7000] - The avast! Web

Scanner service failed to start due to the following error: The service did not

respond to the start or control request in a timely fashion.
1/16/2010 4:31:28 PM, error: Ftdisk [45] - The system could not sucessfully load

the crash dump driver.
1/16/2010 4:31:15 PM, error: Dhcp [1002] - The IP address lease 192.168.2.10

for the Network Card with network address 0016CF692D4C has been denied by

the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
1/15/2010 9:06:49 PM, error: Service Control Manager [7034] - The Print

Spooler service terminated unexpectedly. It has done this 3 time(s).
1/15/2010 8:46:35 PM, error: Service Control Manager [7031] - The Print

Spooler service terminated unexpectedly. It has done this 2 time(s). The

following corrective action will be taken in 60000 milliseconds: Restart the

service.
1/15/2010 10:03:53 PM, error: Service Control Manager [7031] - The Print

Spooler service terminated unexpectedly. It has done this 1 time(s). The

following corrective action will be taken in 60000 milliseconds: Restart the

service.

==== End Of File ===========================

PeteC · 2010/01/19

You must appreciate that we are all volunteers here - Moderators included and are not on the BBS 24/7.

Your logs will be looked at by one of our trained malware analysts in due course - all logs are dealt with in the order in which they are posted. It may take a day or so before your logs reach the top of the pile.

You cannot expect an instant response from a BBS.

snarky · 2010/01/19

Hi Pete,

Thank you for the reply. I really haven't had to have any posts moderated in a long time; I guess I have forgotten how long it can take. I was just worried that something was wrong on that (infected) system and the post(s) were not getting through.

If my demeanor seems at all pushy, it wasn't intended to; Please accept my apologies.
I just wanted to make sure it was getting through was all.

I really do appreciate all of you volunteers and the assistance you provide.

cheers,

PeteC · 2010/01/19

No problem - just bear in mind ....

As a new member with less than 10 posts any post you make which contains a URL requires approval (moderation) before it is visible.
Click to expand...

snarky · 2010/01/19

Google redirect and Internet Time Zone not accessible

"PeteC said: ↑

No problem - just bear in mind ....As a new member with less than 10 posts any post you make which contains a URL requires approval (moderation) before it is visible.
Click to expand...

Ahh, that explains it!
Only 6 more to go now.

Thanks again,
cheers

broni · 2010/01/19

Please, make sure to disable "word wrap" in Notepad, because logs are hard to read.

Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE. If Combofix asks you to install Recovery Console, please allow it.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
by clicking on Installer under Version 2.0.2
[DO NOT download version 2.0.3 (beta)]
Install, and run it.
Post HijackTHis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator

snarky · 2010/01/19

Hi broni, thank you so much for the help.

I did run the Combofix program and that alone "appears" to have corrected the issues; that is, so far no redirects and the internet time is now available to be selected! Still seems a little slow to me, but its not my computer...so maybe its just a little slow to begin with?

(by the way combofix asked me if i wanted to use an updated combofix progam that was available, I said no because i wasn't told to do so...just to let you know, there does appear to be an updated one).

Here is my combofix

ComboFix 10-01-18.03 - Margaret Courtney 01/19/2010 16:09:51.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.199 [GMT -4:00]
Running from: c:\documents and settings\Margaret Courtney\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100119-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-19 18:18 . 2010-01-19 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-19 18:18 . 2010-01-19 18:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-19 18:18 . 2010-01-19 18:18 -------- d-----w- c:\documents and settings\Margaret Courtney\Application Data\SUPERAntiSpyware.com
2010-01-19 18:16 . 2010-01-19 18:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-19 13:28 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-19 10:46 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-19 10:43 . 2010-01-19 10:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-19 10:42 . 2010-01-19 10:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-17 00:40 . 2010-01-17 00:40 -------- d-----w- c:\documents and settings\Margaret Courtney\Application Data\Malwarebytes
2010-01-17 00:40 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-17 00:40 . 2010-01-17 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-17 00:40 . 2010-01-17 00:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 00:40 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 00:21 . 2010-01-17 00:21 -------- d-----w- c:\program files\Trend Micro
2010-01-16 23:48 . 2010-01-16 23:48 -------- d--h--w- c:\windows\PIF
2010-01-16 21:21 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-16 21:21 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-16 21:21 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-16 21:21 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-01-16 21:21 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-16 21:21 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-16 21:21 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-16 21:21 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-16 21:19 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-16 21:19 . 2010-01-16 21:19 -------- d-----w- c:\program files\Alwil Software
2010-01-16 20:50 . 2010-01-16 20:50 -------- d-----w- c:\documents and settings\Margaret Courtney\Application Data\IObit
2010-01-16 20:50 . 2010-01-16 20:50 -------- d-----w- c:\program files\IObit
2010-01-16 02:02 . 2010-01-16 02:02 -------- d-----w- C:\spoolerlogs
2010-01-16 00:11 . 2010-01-16 00:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-13 00:55 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-12-27 13:37 . 2009-12-27 13:37 -------- d-----w- c:\program files\Sigmatel
2009-12-27 13:37 . 2006-03-23 04:52 1052672 ----a-w- c:\windows\system32\stlang.dll
2009-12-27 13:37 . 2005-03-22 21:20 339968 ----a-w- c:\windows\stsystra.exe
2009-12-27 12:41 . 2010-01-08 02:55 -------- d-----w- c:\documents and settings\Margaret Courtney\Application Data\vlc
2009-12-27 12:39 . 2009-12-27 12:39 -------- d-----w- c:\program files\VideoLAN
2009-12-27 12:00 . 2009-12-27 12:00 -------- d-----w- c:\program files\OpenAL
2009-12-27 12:00 . 2009-12-27 12:00 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-27 12:00 . 2009-12-27 12:00 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-27 11:59 . 2009-12-27 12:00 -------- d-----w- c:\program files\Osmos
2009-12-27 10:21 . 2010-01-06 01:51 -------- d-----w- c:\documents and settings\Margaret Courtney\Tracing
2009-12-27 10:19 . 2009-12-27 10:19 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-12-27 10:19 . 2009-12-27 10:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-27 10:18 . 2009-12-27 10:18 -------- d-----w- c:\program files\Microsoft
2009-12-27 10:17 . 2009-12-27 10:17 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-27 10:16 . 2009-12-27 10:20 -------- d-----w- c:\program files\Windows Live
2009-12-27 10:10 . 2009-12-27 10:10 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-26 23:42 . 2009-12-26 23:44 -------- dc-h--w- c:\windows\ie8
2009-12-26 20:45 . 2008-04-13 19:45 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 18:19 . 2010-01-19 18:19 52224 ----a-w- c:\documents and settings\Margaret Courtney\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-19 18:19 . 2010-01-19 18:19 117760 ----a-w- c:\documents and settings\Margaret Courtney\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-19 11:48 . 2010-01-19 11:48 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-19 11:48 . 2010-01-19 11:48 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-19 11:48 . 2010-01-19 11:48 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-19 11:48 . 2010-01-19 11:48 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-19 11:48 . 2010-01-19 11:48 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-19 11:48 . 2010-01-19 11:48 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-19 11:46 . 2010-01-19 11:46 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-19 11:46 . 2010-01-19 11:46 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-19 11:46 . 2010-01-19 11:45 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-19 11:45 . 2010-01-19 11:45 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-19 11:45 . 2010-01-19 11:45 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-19 11:45 . 2010-01-19 11:45 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-19 11:45 . 2010-01-19 11:45 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-19 10:42 . 2007-02-22 13:54 -------- d-----w- c:\program files\Lavasoft
2010-01-19 03:35 . 2007-02-22 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-18 21:11 . 2007-02-22 13:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-17 00:17 . 2006-10-20 17:16 -------- d-----w- c:\program files\Dl_cats
2010-01-17 00:10 . 2009-02-11 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-15 22:35 . 2006-10-19 02:01 26190 ----a-w- c:\documents and settings\Margaret Courtney\Application Data\wklnhst.dat
2009-12-27 12:52 . 2006-10-12 14:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-27 10:20 . 2006-12-19 02:23 -------- d-----w- c:\program files\Windows Live Toolbar
2009-12-27 10:17 . 2006-10-19 02:39 99288 ----a-w- c:\documents and settings\Margaret Courtney\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-27 03:43 . 2009-05-09 16:18 -------- d-----w- c:\program files\iMesh Applications
2009-12-26 20:39 . 2006-10-12 14:42 -------- d-----w- c:\program files\Google
2009-12-26 20:36 . 2009-05-16 23:30 -------- d-----w- c:\program files\AskBarDis
2009-12-26 20:16 . 2006-10-12 14:34 -------- d-----w- c:\program files\MUSICMATCH
2009-12-07 14:10 . 2010-01-19 10:43 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-10-29 07:45 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
1999-04-30 20:00 . 2007-02-16 21:19 98304 ------w- c:\program files\internet explorer\plugins\UPjpeg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI "= "c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet "= "c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dlcgmon.exe "= "c:\program files\Dell AIO 810\dlcgmon.exe" [2005-10-21 425984]
"SigmatelSysTrayApp "= "stsystra.exe" [2005-03-22 339968]
"avast! "= "c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"DLCGCATS "= "c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator "= "Narrator.exe" [2008-04-14 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@= "Service "

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2010-01-06 19:33 2335952 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-07-17 02:29 389120 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 01:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-03-13 12:34 81920 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 08:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd "=2 (0x2)
"SeaPort "=2 (0x2)
"JavaQuickStarterService "=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\Messenger\\msmsgs.exe "=
"c:\\WINDOWS\\system32\\dplaysvr.exe "=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe "=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2010 6:46 AM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/16/2010 5:21 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/16/2010 5:21 PM 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 9:19 AM 1181328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-19 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 11:45]

2010-01-19 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 11:45]

2010-01-19 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 11:45]

2010-01-19 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 11:45]

2010-01-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 11:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Margaret Courtney\Application Data\Mozilla\Firefox\Profiles\0os1cxer.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.google.mozilla.com/firefox
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 16:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dlcgcoms.exe
.
**************************************************************************
.
Completion time: 2010-01-19 16:29:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 20:29

Pre-Run: 40,938,860,544 bytes free
Post-Run: 40,936,710,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0AF5B91EB67C13E90ECBBF4E843887F7

And here is my HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:05 PM, on 1/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=0061012
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe "
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - http://mail.google.com/mail/images/card_left.gif

--
End of file - 7649 bytes

Thanks again and please advise on any further steps.

snarky · 2010/01/19

Google redirect and Internet Time Zone not accessible

Hi broni,

Just wanted to let you know that i did submit those logs an hour ago, but it takes time as I have not yet provided 10 posts on this forum.

As you will see when my log gets approved, it "appears" as though things are fixed. The system is still somewhat slow; but it may be slow anyhow seeing its only a 512mb ram system...and im not familiar with this computer.
Other than the speed, i have not yet been redirected to any other websites while using google(tested both browsers (ie & FF) on about 10-20 sites). My internet time tab is also accessible once again.

I had a few questions if you would not mind either answering them or providing me with a pertinent link...if u have the time, if not i understand.

Why were there no suspicious looking processes in the task manager even though there was obviously malware of some nature present?

What kind of things were you specifically looking for in my DDS that told you that i should run the combofix; or is Combofix kind of a present day 'cureall' for infested systems?

Lastly, I have fixed a lot of peoples computers with viruses and spyware etc. Usually, I just try a few programs combined with a scan & removal through the processes/startup and/or adjusting values in regedit (if I know what virus/files to look for). Why was this so different? Is there anywhere you can point me to get me started in answering these questions?

Thats all, thanks again; I hope my logs show up for you soon.

Cheers

broni · 2010/01/19

Let me go through your logs first and then I'll try answer your questions.

broni · 2010/01/19

i have not yet been redirected to any other websites while using google(tested both browsers (ie & FF) on about 10-20 sites). My internet time tab is also accessible once again.
Click to expand...

Excellent

but it may be slow anyhow seeing its only a 512mb ram
Click to expand...

Surely another 512MB of RAM would help, but let's see how the computer is, when we're done with cleaning.

Why were there no suspicious looking processes in the task manager even though there was obviously malware of some nature present?
Click to expand...

That's what the best bad guys do. They hide well, so only special tools can detect them.

What kind of things were you specifically looking for in my DDS that told you that i should run the combofix; or is Combofix kind of a present day 'cureall' for infested systems?
Click to expand...

When I deal with redirection, I usually run Combo first, because, most likely, it'll show me some hidden stuff running on the computer, which regular AV and antimalware programs won't see.

Lastly, I have fixed a lot of peoples computers with viruses and spyware etc. Usually, I just try a few programs combined with a scan & removal through the processes/startup and/or adjusting values in regedit (if I know what virus/files to look for). Why was this so different? Is there anywhere you can point me to get me started in answering these questions?
Click to expand...

I believe, I answered first part of your question in my last comment.
If you're interested in a subject, your best bet are antimalware schools, lot of practice and staying on a top of the subject (new bad guys arrive daily).
As for schools, see here: http://www.uniteagainstmalware.com/schools.php

Now, I'm onto your logs. Stay tuned

broni · 2010/01/19

combofix asked me if i wanted to use an updated combofix progam that was available
Click to expand...

My bad. I just edited my instructions, so, if Combofix will ever ask you to update, please do so.

===================================================================

Uninstall Combofix:
Go Start > Run [Vista users, go Start> "Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall "
Restart computer.

=================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
[*] Archives
[*] Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt before clicking on the Save button. Then post it here.

snarky · 2010/01/19

Hi Broni,

It took an awful long time to accomplish; but it is done.

Kaspersky Scan Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, January 19, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, January 19, 2010 23:10:25
Records in database: 3335086
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 63532
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:06:51

No threats found. Scanned area is clean.

Selected area has been scanned.

So it looks like the system is clean of malware, trojans and all the other good stuff. Still too slow for my tastes..it gets bogged down with browsers for instance.

I want to thank you profusely for helping me get this person's computer back to normal!

I did a bit of research and found that this was a "rootkit" that I had, Then checking my combofix report I see its name is either catchme or catchme 0.3.1398. I also found that rootkits are really rather nasty when used maliciously. Pretty scary though interesting.

Now i'll know where to come when get nominated to fix other people's computers <wink>.

Thanks again,
Cheers

broni · 2010/01/19

Hold your horses
I still need to take a look at HJT log.

broni · 2010/01/19

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.

Accept any prompts.

Open JavaRa.exe again and select Search For Updates.

Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

=================================================================

Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.
NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

==============================================================

Print this post out, since you won't have an access to it, at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

- O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
- O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

- O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
- O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
- O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
- O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
- O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
- O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe "
- O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
- O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
- O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [unless you have paid version]
- O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [unless you have paid version]

5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.

snarky · 2010/01/20

Google redirect and Internet Time Zone not accessible

Hi. Sorry that took so long; it was late and couldn't get to it till now.

Here it is:

HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:48 AM, on 1/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=0061012
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - http://mail.google.com/mail/images/card_left.gif

--
End of file - 6278 bytes

broni · 2010/01/20

Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore ".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

[SIZE= "4"]5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.

snarky · 2010/01/20

Google redirect and Internet Time Zone not accessible

Broni, my friend; you did it!
The computer is working well and even faster than it was last night!

Is there something i am supposed to do to change this from [active] to [resolved] or do you guys handle that?

I had one last question...was there any way to tell where that rootkit came from? Does it leave any sort of information about the product it was hidden in or the site it came from...or even the date it entered the computer?

Again, profuse thanks and my heartfelt gratitude, not only was I able to help this lady out, I was also able to learn a great deal in the process!
You did a great job and I thank you for it!

cheers

broni · 2010/01/20

You're very welcome

Is there something i am supposed to do to change this from [active] to [resolved] or do you guys handle that?
Click to expand...

In malware forum, only I can do this (I will).

was there any way to tell where that rootkit came from?
Click to expand...

No way

Happy surfing

Log in or Sign up

Solved Google redirect and internet time zone not accessible

snarky Inactive Thread Starter

PeteC SuperGeek Staff

snarky Inactive Thread Starter

PeteC SuperGeek Staff

snarky Inactive Thread Starter

PeteC SuperGeek Staff

snarky Inactive Thread Starter

broni Moderator Malware Analyst

snarky Inactive Thread Starter

snarky Inactive Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

broni Moderator Malware Analyst

snarky Inactive Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

snarky Inactive Thread Starter

broni Moderator Malware Analyst

snarky Inactive Thread Starter

broni Moderator Malware Analyst

Share This Page

Log in or Sign up

Solved Google redirect and internet time zone not accessible

snarky Inactive Thread Starter

PeteC SuperGeek Staff

snarky Inactive Thread Starter

PeteC SuperGeek Staff

snarky Inactive Thread Starter

PeteC SuperGeek Staff

snarky Inactive Thread Starter

broni Moderator Malware Analyst

snarky Inactive Thread Starter

snarky Inactive Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

broni Moderator Malware Analyst

snarky Inactive Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

snarky Inactive Thread Starter

broni Moderator Malware Analyst

snarky Inactive Thread Starter

broni Moderator Malware Analyst

Share This Page

Useful Searches