HJT Log - browser hijack can't be found in Security Cleanup

HJT Log - browser hijack can't be found in Security Cleanup http://www.dslreports.com/forum/r22484643 en Sun, 29 Nov 2009 03:50:19 EDT Sun, 29 Nov 2009 03:50:19 EDT Re: HJT Log - browser hijack can't be found http://www.dslreports.com/forum/remark,22503961 TheJoker :

quote:
I have run OTcleaniT to clean up left over files

That was premature, You should not have done that yet as we are not quite finished. If there had been a problem after running ComboFix, you could have deleted some of the backups that would have been needed.

quote:
I have disabled and renabled system restore to create a new point. Then turned it off again due to using Acronis for my restore medium.

Even though you use Acronis True Image, I would still recommend leaving System Restore turned on. If you are concerned about the space it may take, you can right-click on My Computer, go to the System Restore tab, and lower the maximum amount of drive space that the backups can occupy.
If you backup with Acronis manually, you can also remove all but the most recent Restore Point to save room on the backup by running Disk Cleanup (cleanmgr) from Start > Run, selecting the More Options tab, clicking "Clean up" at the bottom in the System Restore section, and clicking OK. Before you do that, I would manually create a new Restore Point.

But you should not remove or reset your Restore Points while you are still cleaning the system, because if a problem does occur and you need it, even an infected Restore Point can end up being better than no Restore Point at all.

quote:
Tgbsstarter.exe is used by The Green Bow VPN software and I checked it and it was fine.

That's what I thought it was. But I still need the results from the VirusTotal scan if you don't mind, as that information will help other Helpers identify the item in future logs.

Using Windows Explorer, delete the following file if still there:
c:\temp\bqvnzebg.exe

You can also delete the rest of the folder contents, but the one above has to go. If unable to delete it, please let me know.

Go to start > run and copy and paste next command in the field:
ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
If OTCleanIt removed Combofix.exe, you will need to download the file again to properly uninstall it.

Please post the VirusTotal log from scanning Tgbsstarter.exe if you don't mind.

How is the system running now?
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22503961 Fri, 05 Jun 2009 19:17:44 EDT Re: HJT Log - browser hijack can't be found http://www.dslreports.com/forum/remark,22500572 Mellow : ComboFix 09-06-01.03 - Shawn 06/03/2009 15:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1592 [GMT -5:00]
Running from: c:\temp\Comfix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kungsfkcmbpfqp.sys
c:\windows\system32\kungsflltlwbwq.dll
c:\windows\system32\kungsfommjdvjk.dat
c:\windows\system32\kungsftdabdmoq.dat
c:\windows\system32\kungsfttkilglj.dll
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kungsfdruhbapa

((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 20:31 . 2009-06-03 20:31 -------- d-----w- c:\program files\ERUNT
2009-06-03 20:30 . 2009-06-03 20:30 791393 ----a-w- c:\temp\erunt-setup.exe
2009-06-03 20:21 . 2009-06-03 20:21 -------- d-----w- C:\32788R22FWJFW
2009-06-03 18:12 . 2009-06-03 17:07 3129946 ----a-r- c:\temp\Comfix.exe
2009-06-03 16:19 . 2009-06-03 16:19 286208 ----a-w- c:\temp\bqvnzebg.exe
2009-06-03 15:09 . 2009-06-03 15:09 152576 ----a-w- c:\documents and settings\Shawn\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-03 15:08 . 2009-06-03 15:08 607640 ----a-w- c:\temp\jxpiinstall-6u13-fcs-bin-b03-windows-i586-09_mar_2009.exe
2009-06-03 15:02 . 2009-06-03 15:02 3584 ----a-r- c:\documents and settings\Shawn\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-03 15:02 . 2009-06-03 15:02 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-06-03 15:01 . 2009-06-03 15:01 359656 ----a-w- c:\temp\msicuu2.exe
2009-06-01 21:22 . 2009-06-01 21:21 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-01 21:21 . 2009-06-02 19:26 -------- d-----w- c:\documents and settings\Shawn\.housecall6.6
2009-06-01 16:47 . 2009-06-01 16:03 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-01 16:18 . 2009-06-01 16:18 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-01 16:17 . 2009-06-01 15:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-01 16:03 . 2009-06-01 16:03 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-01 16:03 . 2009-06-01 16:03 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-01 16:03 . 2009-06-01 16:03 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-01 16:03 . 2009-06-01 16:03 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-01 16:03 . 2009-06-01 16:03 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-01 16:02 . 2009-06-01 16:02 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-01 16:02 . 2009-06-01 16:02 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-01 15:51 . 2009-06-01 15:51 -------- d-----w- c:\program files\Trend Micro
2009-06-01 15:49 . 2009-06-01 15:49 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-01 15:49 . 2009-06-01 15:49 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-01 15:49 . 2009-06-01 15:49 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-01 15:49 . 2009-06-01 15:49 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-01 15:48 . 2009-06-01 15:48 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-01 15:47 . 2009-06-01 15:47 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-01 15:46 . 2009-06-01 15:46 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-01 15:45 . 2009-06-01 15:45 -------- d-----w- c:\program files\Windows Defender
2009-06-01 15:44 . 2009-06-01 15:44 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-01 15:43 . 2009-06-01 15:43 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-01 15:43 . 2009-06-01 15:43 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-01 15:41 . 2009-06-01 15:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-01 15:41 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-01 15:41 . 2009-06-01 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-01 15:41 . 2009-06-01 15:41 -------- d-----w- c:\program files\Lavasoft
2009-06-01 15:38 . 2009-06-01 15:38 812344 ----a-w- c:\temp\HJTInstall.exe
2009-06-01 15:37 . 2009-06-01 15:38 9615808 ----a-w- c:\temp\windows-kb890830-v2.10.exe
2009-06-01 15:36 . 2009-06-01 15:36 897920 ----a-w- c:\temp\WGAPluginInstall.exe
2009-06-01 15:36 . 2009-06-01 15:39 37452296 ----a-w- c:\temp\Ad-AwareAE.exe
2009-05-30 20:50 . 2009-05-30 20:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-30 20:46 . 2009-05-30 20:46 -------- d-----w- c:\documents and settings\Shawn\Application Data\Malwarebytes
2009-05-30 20:46 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 20:46 . 2009-05-30 20:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-30 20:46 . 2009-05-30 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 20:46 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 20:46 . 2009-05-30 20:46 3371384 ----a-w- c:\temp\mbam-setup.exe
2009-05-29 23:22 . 2009-05-29 23:22 -------- d-----w- c:\documents and settings\Shawn\Local Settings\Application Data\Ahead
2009-05-29 23:21 . 2009-05-29 23:23 -------- d-----w- c:\documents and settings\Shawn\Application Data\Ahead
2009-05-29 23:18 . 2009-05-29 23:22 -------- d-----w- c:\program files\Common Files\Ahead
2009-05-29 23:18 . 2009-05-29 23:18 -------- d-----w- c:\program files\Nero
2009-05-29 23:08 . 2006-07-12 14:05 131097968 ----a-w- c:\temp\Nero-7.2.3.2b_eng_no_yt.exe
2009-05-29 21:51 . 2009-05-29 21:52 2188108 ----a-w- c:\temp\GrabIt172b4.exe
2009-05-14 23:13 . 2009-05-14 23:13 1356385 ----a-w- c:\temp\wrar39b1.exe
2009-05-14 22:56 . 2009-05-14 22:56 141 ----a-w- c:\temp\ShemesDotComRegistrySettings.reg
2009-05-12 18:16 . 2009-05-12 18:16 -------- d-----w- c:\documents and settings\Shawn\Local Settings\Application Data\MetaGeek,_LLC
2009-05-12 17:01 . 2009-05-12 17:01 45126 ----a-r- c:\documents and settings\Shawn\Application Data\Microsoft\Installer\{5768CE3D-9D7C-4B19-94DC-9944A361FED7}\_6FEFF9B68218417F98F549.exe
2009-05-12 17:01 . 2009-05-12 17:01 45126 ----a-r- c:\documents and settings\Shawn\Application Data\Microsoft\Installer\{5768CE3D-9D7C-4B19-94DC-9944A361FED7}\_1191AC8AACB6050FB5E6C7.exe
2009-05-12 17:01 . 2009-05-12 17:01 -------- d-----w- c:\program files\MetaGeek
2009-05-11 17:12 . 2009-05-11 19:25 -------- d-----w- c:\temp\MAS Rate updates

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 15:46 . 2008-05-19 19:29 167376 ----a-w- c:\documents and settings\Shawn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-03 15:11 . 2008-05-23 15:57 -------- d-----w- c:\program files\Java
2009-06-03 15:09 . 2009-01-16 14:51 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-03 15:02 . 2009-01-06 16:11 -------- d-----w- c:\program files\MSECache
2009-06-02 19:15 . 2008-05-19 23:05 -------- d-----w- c:\program files\ESET
2009-06-02 18:27 . 2008-05-21 21:25 -------- d-----w- c:\program files\Trillian
2009-06-01 17:56 . 2008-05-19 19:49 168168 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 20:48 . 2008-05-23 22:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-30 20:28 . 2008-05-23 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-30 18:05 . 2009-02-10 19:17 -------- d-----w- c:\documents and settings\Shawn\Application Data\GrabIt
2009-05-29 21:53 . 2009-02-10 19:16 -------- d-----w- c:\program files\GrabIt
2009-05-14 23:16 . 2008-05-19 18:51 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-04-24 19:56 . 2008-10-06 16:11 -------- d-----w- c:\program files\Elecard
2009-04-24 19:55 . 2008-10-06 16:04 -------- d-----w- c:\program files\Common Files\Elecard
2009-04-15 21:46 . 2009-04-15 21:46 176014 ----a-r- c:\documents and settings\Shawn\Application Data\Microsoft\Installer\{C1DEDB47-08BA-401A-BCD3-F2AD312A3CA7}\_C44B4A650DB013CEBD4473.exe
2009-04-15 21:46 . 2009-04-15 21:46 176014 ----a-r- c:\documents and settings\Shawn\Application Data\Microsoft\Installer\{C1DEDB47-08BA-401A-BCD3-F2AD312A3CA7}\_2B8A38F77CC3911AA9AA88.exe
2009-04-15 21:46 . 2009-04-15 21:46 -------- d-----w- c:\program files\Ad Words Digger
2009-04-13 19:34 . 2008-05-14 20:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-13 19:34 . 2009-04-13 19:34 -------- d-----w- c:\program files\Xirrus
2009-04-08 18:23 . 2009-04-08 17:55 -------- d-----w- c:\documents and settings\Shawn\Application Data\OfficeUpdate12
2009-04-08 18:02 . 2008-05-19 18:51 -------- d-----w- c:\program files\Microsoft Works
2009-04-08 17:41 . 2009-04-08 17:41 -------- d-----w- c:\program files\MSBuild
2009-04-08 17:41 . 2009-04-08 17:41 -------- d-----w- c:\program files\Reference Assemblies
2009-04-08 17:15 . 2009-04-08 17:15 -------- d-----w- c:\program files\Windows Mobile Feb. 2008 DST Updates
2009-03-16 23:42 . 2009-03-16 23:42 524288 ----a-w- c:\windows\opuc.dll
2009-03-16 23:42 . 2009-04-08 17:55 264704 ------w- c:\documents and settings\Shawn\Application Data\OfficeUpdate12\oudetect.dll
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"Spark"="c:\program files\Spark\Spark.exe" [2007-11-14 106496]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-06-30 1106386]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-06-30 1848150]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-06-30 126976]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-01 518488]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-03 148888]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\shawn\\Desktop\\Config_AP.exe"=
"c:\\Program Files\\FlashFXP\\flashfxp.exe"= c:\\Program Files\\FlashFXP\\FlashFXP.exe
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\MIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Temp\\Coccinella_Messenger-0.96.10Win\\Coccinella Messenger-0.96.10Win\\Coccinella Messenger-0.96.10.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/1/2009 11:17 AM 64160]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 3:52 PM 33800]
R1 TgbVPN;TheGreenBow VPN Client;c:\windows\system32\drivers\TgbVPN.sys [4/23/2008 8:12 AM 121856]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 3:49 PM 472320]
R2 TgbIke Starter;TgbIke Starter;c:\windows\system32\TgbStarter.exe [7/22/2008 9:09 AM 123176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1005904]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [4/19/2007 10:09 AM 99200]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 7:37 AM 26624]
S3 usbkey;USB Dongle;c:\windows\system32\drivers\Usbkey.sys [10/8/2008 4:34 PM 40352]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;c:\windows\system32\DRIVERS\vpnva.sys --> c:\windows\system32\DRIVERS\vpnva.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:47]

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys

.
------- Supplementary Scan -------
.
uStart Page = hxxp://packnship.mailmovers.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {99F835C1-BF8B-4397-A5AB-B1C23CF86A95} = 68.87.73.242,68.87.71.226
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Shawn\Application Data\Mozilla\Firefox\Profiles\g4qm4tzb.shawn\
FF - prefs.js: browser.startup.homepage - hxxp://www.dslreports.com/forums|»www.woot.com/Default.aspx"" >www.fredmiranda.com/forum/|»:···lt.aspx" >www.surfingoc.com/forum/index.ph···ult.aspx
FF - component: c:\documents and settings\Shawn\Application Data\Mozilla\Firefox\Profiles\g4qm4tzb.shawn\extensions\piclens@cooliris.com\components\piclensstub.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2009-06-03 15:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1120)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-06-03 15:44
ComboFix-quarantined-files.txt 2009-06-03 20:44

Pre-Run: 31,066,669,056 bytes free
Post-Run: 31,066,406,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

218 --- E O F --- 2009-05-16 19:59

Malwarebytes' Anti-Malware 1.37
Database version: 2222
Windows 5.1.2600 Service Pack 3

6/3/2009 11:29:49 PM
mbam-log-2009-06-03 (23-29-49).txt

Scan type: Quick Scan
Objects scanned: 87844
Time elapsed: 9 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:21 AM, on 6/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spark\Spark.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\TgbStarter.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »packnship.mailmovers.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Spark] C:\Program Files\Spark\Spark.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: »192.168.0.155
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - »acs.pandasoftware.com/activescan···ubie.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - »download.eset.com/special/eos/On···nner.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - »192.168.0.155/bl_camera.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »fpdownload2.macromedia.com/get/s···lash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99F835C1-BF8B-4397-A5AB-B1C23CF86A95}: NameServer = 68.87.73.242,68.87.71.226
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TgbIke Starter - Sistech - C:\WINDOWS\system32\TgbStarter.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7667 bytes

I have run OTcleaniT to clean up left over files

I have disabled and renabled system restore to create a new point. Then turned it off again due to using Acronis for my restore medium.

I ran system cleanup and cleared out all my cache's on IE and firefox.

Tgbsstarter.exe is used by The Green Bow VPN software and I checked it and it was fine.
--
SurfingOC.com / GsdPhotography.com]]> http://www.dslreports.com/forum/remark,22500572 Fri, 05 Jun 2009 10:09:25 EDT Re: HJT Log - browser hijack can't be found http://www.dslreports.com/forum/remark,22498403 TheJoker : I'm glad you seem to have fixed your problem, but as lilhurricane said, we still need to be sure. :)

ComboFix should not be run on your own. While that would have been my next step, it's a powerful tool not intended by the author to be used except under the guidance of a trained helper. Improper use of it can leave you with an unbootable system.

Since you did run ComboFix, please post the log from it, along with the previously requested information.

Even if there is nothing else to be removed with ComboFix (and there may be), it will still need to be properly uninstalled when we are finished.

quote:
I have been working on this issue for the past 3 days learning and figuring out how to fix it. Sure I could have gone back to a backup, but the fun is trying to figure out how to fix it

If you want to learn how to remove malware, and help others, there are several forums that offer training, including Spywareinfo Forum, which Calamity Jane recommended to me several years ago, and also Malware Removal University.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22498403 Thu, 04 Jun 2009 21:23:40 EDT Re: HJT Log - browser hijack can't be found http://www.dslreports.com/forum/remark,22495531 lilhurricane : When you perform the guidelines here for pre-clean requirements, and start a help thread - you are embarking on a journey.

You're one part of the effort to confirm safe passage on the internet, and your "helper" is the other. It's teamwork at it's finest.

Our expectations - from start to finish are that we leave you safe and clean, and educated on how to prevent re-infection.
This is a free service we offer, and our volunteers are unpaid. They do it because they truly enjoy helping people.

Please follow all of the requests made by your Helper, including submitting to the Forum all log results.
This helps others who frequent this forum to learn or who are seeking answers as well, to see what is going on.

We need to ascertain that everything is truly "ok".

Note that many of the utilities utilized require a formal uninstall process to return your system to a normal operating state.

It's work - yes, but it's necessary.

Therefore, we ask you please see this through till your "helper" deems you "clean". You can do it!
--
~Safe Hex~ Team Discovery ~ Project Hope ~ Like A Hurricane~]]> http://www.dslreports.com/forum/remark,22495531 Thu, 04 Jun 2009 12:12:23 EDT Re: HJT Log - browser hijack can't be found http://www.dslreports.com/forum/remark,22495489 Mellow : I was able to fix my issue. I will post here so anyone searching can have something to go off of to help them. I had the kungsf* rootkit installed on my system.

Here are the systems I had:
Disk Management failed to bring up root drive
Disk Defragmenter could not start
Windows Update Failed
Misc browser hijacks for both IE7 and Firefox 3.0.10

Solution:
Ran Gmer to find the rootkit
Used combofix to remove rootkit
Ran panda's online scan
Ran malware bytes in safe mode
Ran spybot in safe mode
Ran ad-aware in safe mode

System is back to normal now with windows update working as well as disk defrag and disk management and no more browser redirects, and HJT comes back clean along with all other scans.

Thanks to Thejoker for helping, I have been working on this issue for the past 3 days learning and figuring out how to fix it. Sure I could have gone back to a backup, but the fun is trying to figure out how to fix it :)
--
SurfingOC.com / GsdPhotography.com]]> http://www.dslreports.com/forum/remark,22495489 Thu, 04 Jun 2009 12:04:11 EDT Re: HJT Log - browser hijack can't be found http://www.dslreports.com/forum/remark,22488329 TheJoker : Hi Mellow

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

quote:
I downloaded "Up 2009 Pixar Rated PG Decent Cam Copy" and it is full of viruses, as soon as I unrar'd and ran the unzip.exe NOD32 went crazy with all kinds of virus's trying to install.

Illegal pirated software will get you all the time. If you haven't deleted the archive files you downloaded, you should do so now.

quote:
Could not get a log from trendmicro's online scanner but it would pickup .hitbox

Those would be cookies, and cookies are just text tiles, and not a threat.

I see you have Acronis TrueImageHome installed. Do you have a current backup? If you do, you may want to consider restoring the latest backup set if you do full backups. It's what I would do if it was my system. It would be both faster and safer than trying to disinfect (if you restored a backup from before you were infected, you would know that none of it was still there).

Clean your Cache and Cookies in IE:
-Close all instances of Outlook Express and Internet Explorer
-Go to Control Panel > Internet Options > General tab
-Click the "Delete Cookies" button
-Next to it, Click the "Delete Files" button
-When prompted, place a check in: "Delete all offline content", click OK
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Private Data).
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.
Clean other Temporary files + Recycle bin
-Go to start > run and type: cleanmgr and click ok.
-Let it scan your system for files to remove.
-Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
-Press OK to remove them.

Please download Malwarebytes' Anti-Malware from

Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Please go to VirusTotal and submit the following file for a scan and post the detection results (I don't need the "additional information") in your next reply:
C:\WINDOWS\system32\TgbStarter.exe

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
- The program will install and then begin downloading the latest definition files.
- After the files have been downloaded on the left side of the page in the Scan section select My Computer.
- This will start the program and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete, click on View scan report
- Now, click on the Save Report as button.
- In the drop down box labeled Files of type change the type to Text file.
- Save the file to your desktop.
- Copy and paste that information in your next post.

Please post a new HijackThis log, the log from MBAM, the results of scanning the file at VirusTotal, the log from Kaspersky's online scan, and note any errors encountered.

--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22488329 Wed, 03 Jun 2009 10:37:57 EDT HJT Log - browser hijack can't be found http://www.dslreports.com/forum/remark,22484643 Mellow : I have tried all the steps and still have something hijacking my browser when i do searches for "Disk Defragmenter could not start". I can not get defrag to work in safe mode and have checked to make sure my page file is correct and defrag is installed. I read that defrag can be disabled by malware and think that is the case here. I can tell you where I got this issue from, I downloaded "Up 2009 Pixar Rated PG Decent Cam Copy" and it is full of viruses, as soon as I unrar'd and ran the unzip.exe NOD32 went crazy with all kinds of virus's trying to install. I have tried everything mentioned in the FAQ and this pesky redirect still happens. Per the FAQ here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:26 PM, on 6/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\TgbStarter.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »packnship.mailmovers.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Spark] C:\Program Files\Spark\Spark.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: »192.168.0.155
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - »download.eset.com/special/eos/On···nner.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - »192.168.0.155/bl_camera.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »fpdownload2.macromedia.com/get/s···lash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99F835C1-BF8B-4397-A5AB-B1C23CF86A95}: NameServer = 68.87.73.242,68.87.71.226
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TgbIke Starter - Sistech - C:\WINDOWS\system32\TgbStarter.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7910 bytes

Ad-aware Log:

Logfile created: 6/2/2009 11:40:51
Lavasoft Ad-Aware version: 8.0.5
Extended engine version: 8.1
User performing scan: Administrator

*********************** Definitions database information ***********************
Lavasoft definition file: 148.41
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 26738
Objects detected: 2

Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 2
Browser hijacks.: 0
MRU objects.....: 0

Removed items:
Description: *hitbox* Family Name: Cookies Clean status: Success Item ID: 408858 Family ID: 0
Description: *.hitbox* Family Name: Cookies Clean status: Success Item ID: 409072 Family ID: 0

Scan and cleaning complete: Finished correctly after 346 seconds

*********************************** Settings ***********************************

Scan profile:
ID: smart, enabled:1, value: Smart Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value:
ID: scanrootkits, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: displaystatus, enabled:1, value: false
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: autodetectproxy, enabled:1, value: false
ID: useautoconfigscript, enabled:1, value: false
ID: autoconfigurl, enabled:0, value:
ID: useproxy, enabled:1, value: false
ID: proxyserver, enabled:0, value:
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Mon Jun 01 11:18:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Mon Jun 01 11:18:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: true
ID: networkprotection, enabled:0, value: true
ID: loadatstartup, enabled:1, value: true
ID: usespywareheuristics, enabled:0, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: strict, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant

****************************** System information ******************************
Computer name: SHAWNLAPTOP
Processor name: Genuine Intel(R) CPU T2050 @ 1.60GHz
Processor identifier: x86 Family 6 Model 14 Stepping 8
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3592, number of processors 2
Physical memory available: 1615503360 bytes
Physical memory total: 2137382912 bytes
Virtual memory available: 2039365632 bytes
Virtual memory total: 2147352576 bytes
Memory load: 24%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 324 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 388 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 412 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 460 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 472 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 632 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 736 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 788 name: C:\Program Files\Windows Defender\MsMpEng.exe owner: SYSTEM domain: NT AUTHORITY
PID: 848 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 904 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1048 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1196 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1320 name: C:\WINDOWS\Explorer.EXE owner: Administrator domain: SHAWNLAPTOP
PID: 1492 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Administrator domain: SHAWNLAPTOP

Startup items:
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: WPDShServiceObj
imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name: IgfxTray
imagepath: C:\WINDOWS\system32\igfxtray.exe
Name: HotKeysCmds
imagepath: C:\WINDOWS\system32\hkcmd.exe
Name: Persistence
imagepath: C:\WINDOWS\system32\igfxpers.exe
Name: SigmatelSysTrayApp
imagepath: %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
Name: Broadcom Wireless Manager UI
imagepath: C:\WINDOWS\system32\WLTRAY.exe
Name: egui
imagepath: "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
Name: SunJavaUpdateSched
imagepath: "C:\Program Files\Java\jre6\bin\jusched.exe"
Name: Adobe Reader Speed Launcher
imagepath: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
Name: QuickTime Task
imagepath: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Name: TrueImageMonitor.exe
imagepath: C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
Name: AcronisTimounterMonitor
imagepath: C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
Name: Acronis Scheduler2 Service
imagepath: "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
Name: NeroFilterCheck
imagepath: C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
Name: Ad-Watch
imagepath: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
Name: Windows Defender
imagepath: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name:
imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Name:
imagepath: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk /p \??\C:
Name:
imagepath: autocheck autochk *
Name:
imagepath: lsdelete

Running services:
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: dmserver
displayname: Logical Disk Manager
Name: Eventlog
displayname: Event Log
Name: helpsvc
displayname: Help and Support
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: PlugPlay
displayname: Plug and Play
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: WinDefend
displayname: Windows Defender
Name: winmgmt
displayname: Windows Management Instrumentation

Mbam Log:

Malwarebytes' Anti-Malware 1.37
Database version: 2209
Windows 5.1.2600 Service Pack 3

6/1/2009 3:40:35 PM
mbam-log-2009-06-01 (15-40-35).txt

Scan type: Quick Scan
Objects scanned: 87758
Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Esetonline log:
C:\Program Files\Trillian\trillianpro.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined

Could not get a log from trendmicro's online scanner but it would pickup .hitbox
--
SurfingOC.com / GsdPhotography.com]]> http://www.dslreports.com/forum/remark,22484643 Tue, 02 Jun 2009 16:53:43 EDT