HJT Log IE7 Browser Gets Redirected in Security Cleanup

HJT Log IE7 Browser Gets Redirected in Security Cleanup http://www.dslreports.com/forum/r22563951 en Thu, 03 Dec 2009 01:19:10 EDT Thu, 03 Dec 2009 01:19:10 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22632428 TheJoker : I'm glad to have been able to help. :)
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22632428 Tue, 30 Jun 2009 05:25:16 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22631927 gda6 : Joker,

I finally did the clean-up work.
Uninstalled combofix, created restore point, ran cleanmgr.
Installed hosts file; spyware blaster; spyware guard.

Everything is running fine.

Thanks so much for your help.]]> http://www.dslreports.com/forum/remark,22631927 Tue, 30 Jun 2009 00:37:09 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22582217 TheJoker : That's fine if it takes a few days. :)
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22582217 Sat, 20 Jun 2009 08:38:07 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22581229 gda6 : Joker,

Everything was working fine after your previous set of instructions. I took the machine back to my friend's house because I thought that everything had been wrapped up.

Apparently, there is still some clean-up left. I probably won't be able to do these tasks for another day or two.

I'll take care of the clean-up as you've specified.
I will also install the security utilities that you suggest so that hopefully the machine won't get infected again in the same fashion.

I will post again within a couple of days with an update.]]> http://www.dslreports.com/forum/remark,22581229 Fri, 19 Jun 2009 23:08:12 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22576443 TheJoker : Go to start > run and copy and paste next command in the field:
ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Create a Restore Point
•Go to Start > Programs > Accessories > System Tools > System Restore
•Select Create a Restore Point and then Next.
•In the box for "Restore point description", enter a descriptive name and press Create
•When the "Restore Point Created" window appears, click Close

Run Disk Cleanup
•Go to Start > Run and type the below line:
cleanmgr
•Click OK
•If you have more than one drive, select the drive Windows is installed on
•Click OK
•When Disk Cleanup opens, select the More Options tab
•In the System Restore section (bottom of window), click Cleanup
•In the confirmation window that opens, click Yes[

Now click on the Disk Cleanup tab and select the following items:
•Downloaded Program Files
•Temporary Internet Files
•Recycle Bin
•Temporary Files
Click OK
in the confirmation window, select Yes (Disk Cleanup will close).

There are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at »www.mvps.org/winhelp2002/hosts.htm.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at »www.javacoolsoftware.com/products.html.

I recommend reading Tony Klein's article So How did I get Infected in the First Place? at »www.spywareinfoforum.com/index.p···ic=60955

Does your problem appear resolved?
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22576443 Fri, 19 Jun 2009 05:58:11 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22575226 gda6 : Joker,

I seems that everything is working normally now.
I deleted the zip file as you suggested, and also
updated the java-runtime-environment.

I'm going to drop the machine off at my friend's house.

Both he and I thank you greatly for your help.]]> http://www.dslreports.com/forum/remark,22575226 Thu, 18 Jun 2009 21:41:12 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22570617 TheJoker :

quote:
I had turned off system restore, before posting my first hijackthis log.

It's not a good idea to do that until cleaning is finished. When you turned off System Restore, it deleted all the Restore Points that there were, eliminating one source of file backups if needed.

Using Internet Explorer, you can delete the file:
c:\windows\Internet Logs\tvDebug.zip
The file will return, but it will save some room due to it's size.

You can also delete the contents of C:\temp. Don't delete the folder itself, just the contents

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6.
- Scroll down to where it says "Java SE Runtime Environment (JRE), JRE 6 Update 14".
- Click the "Download" button to the right.
- In the Window that opens, select Windows, and check the "agree" box and click "Continue".
- Click on the link to download Windows Offline Installation and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Examples of older versions in Add or Remove Programs:
-- Java 2 Runtime Environment, SE v1.4.2
-- J2SE Runtime Environment 5.0
-- J2SE Runtime Environment 5.0 Update 2
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java versions.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u14-windows-i586-p.exe that you downloaded to install the newest version.

Are you still being redirected?
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22570617 Thu, 18 Jun 2009 05:59:56 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22569750 lilhurricane : Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:46 PM, on 6/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080529
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dyaaserv.exe] "C:\Program Files\DYMO DiscPainter\Drivers\dyaaserv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4463 bytes
--
~Safe Hex~ Team Discovery ~ Project Hope ~ Like A Hurricane~]]> http://www.dslreports.com/forum/remark,22569750 Wed, 17 Jun 2009 22:52:12 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22569748 lilhurricane : I'm going to open those logs up for ease of viewing

Malwarebytes' Anti-Malware 1.37
Database version: 2296
Windows 5.1.2600 Service Pack 3

6/17/2009 8:40:49 AM
mbam-log-2009-06-17 (08-40-49).txt

Scan type: Quick Scan
Objects scanned: 81942
Time elapsed: 2 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ieupdates.exe.tmp (Adware.Agent) -> Quarantined and deleted successfully.

ComboFix 09-06-17.02 - Lamar 06/17/2009 20:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1633 [GMT -5:00]
Running from: c:\documents and settings\Lamar\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Lamar\Application Data\inst.exe
c:\windows\system32\drivers\SKYNETpmeevkax.sys
c:\windows\system32\SKYNETgylclswx.dat
c:\windows\system32\SKYNETkpuakgyd.dll
c:\windows\system32\SKYNETowfnanim.dll
c:\windows\system32\SKYNETqkkeuytv.dat

----- BITS: Possible infected sites -----

hxxp://binuser.fileave.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETyutgwmri

((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-17 13:43 . 2009-06-17 13:56 -------- d-----w- c:\temp\working
2009-06-17 13:36 . 2009-06-17 13:36 -------- d-----w- c:\documents and settings\Lamar\Application Data\Malwarebytes
2009-06-17 13:36 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 13:36 . 2009-06-17 13:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 13:36 . 2009-06-17 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-17 13:36 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 13:34 . 2009-06-17 13:34 3371384 ----a-w- c:\temp\mbam-setup.exe
2009-06-17 04:26 . 2009-06-17 04:26 -------- d-----w- c:\program files\Trend Micro
2009-06-17 04:24 . 2009-06-17 04:24 812344 ----a-w- c:\temp\HJTInstall.exe
2009-06-17 04:15 . 2009-06-17 03:09 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-17 03:09 . 2009-06-17 03:08 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-17 03:09 . 2009-06-17 03:09 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-17 03:09 . 2009-06-17 03:09 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-17 03:09 . 2009-06-17 03:09 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-17 03:09 . 2009-06-17 03:09 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-17 03:09 . 2009-06-17 03:09 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-17 03:09 . 2009-06-17 03:09 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-17 03:09 . 2009-06-17 03:09 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-17 03:08 . 2009-06-17 03:08 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-17 03:08 . 2009-06-17 03:08 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-17 03:08 . 2009-06-17 03:08 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-17 03:08 . 2009-06-17 03:08 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-17 03:08 . 2009-06-17 03:08 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-17 03:08 . 2009-06-17 03:08 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-17 03:08 . 2009-06-17 03:08 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-17 03:08 . 2009-06-17 03:08 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-17 03:08 . 2009-06-17 03:08 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-17 03:08 . 2009-06-17 03:08 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-17 03:08 . 2009-06-17 03:08 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-17 03:07 . 2009-06-17 03:07 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-17 03:07 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-17 03:07 . 2009-06-17 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-17 03:07 . 2009-06-17 03:07 -------- d-----w- c:\program files\Lavasoft
2009-06-17 03:06 . 2009-06-17 03:06 37452296 ----a-w- c:\temp\Ad-AwareAE.exe
2009-06-17 00:41 . 2009-06-17 02:45 -------- d-----w- c:\documents and settings\Lamar\.housecall6.6
2009-06-16 05:03 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-16 05:03 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-16 05:03 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-16 05:03 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-16 05:03 . 2009-06-16 05:03 -------- d-----w- c:\program files\Avira
2009-06-16 05:03 . 2009-06-16 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-16 04:47 . 2009-06-16 04:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-16 04:44 . 2009-06-16 04:44 30075904 ----a-w- c:\temp\avira_antivir_personal_en.exe
2009-06-16 04:39 . 2009-06-16 04:39 16409960 ----a-w- c:\temp\spybotsd162.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-16 04:49 . 2008-05-31 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-09 23:49 . 2008-06-03 20:48 -------- d-----w- c:\documents and settings\Lamar\Application Data\NewsBin
2009-06-07 15:18 . 2009-06-07 15:19 3087360 ----a-w- c:\windows\Internet Logs\xDB25.tmp
2009-06-07 15:18 . 2009-06-07 15:19 1887744 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2009-06-04 14:18 . 2008-08-12 09:36 -------- d-----w- c:\documents and settings\Lamar\Application Data\dvdcss
2009-06-01 01:56 . 2009-02-07 03:00 -------- d-----w- c:\program files\DYMO DiscPainter
2009-05-30 21:16 . 2009-05-30 21:19 1884160 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2009-05-30 21:16 . 2009-05-30 21:19 372224 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2009-05-22 06:32 . 2008-06-05 02:24 -------- d-----w- c:\documents and settings\Lamar\Application Data\CopyToDvd
2009-05-22 06:24 . 2008-06-05 02:15 -------- d-----w- c:\program files\VSO
2009-05-12 07:34 . 2008-10-25 09:12 2595102 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-05 18:15 . 2009-01-12 02:48 10022 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-03-30 02:12 . 2009-03-30 03:09 60928 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2009-03-30 01:50 . 2009-03-30 03:09 1833472 ----a-w- c:\windows\Internet Logs\xDB20.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-01-26 902936]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-17 518488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Omnipage"="c:\program files\ScanSoft\OmniPagePro11.0\opware32.exe" [2001-06-21 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"dyaaserv.exe"="c:\program files\DYMO DiscPainter\Drivers\dyaaserv.exe" [2007-11-12 177152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-06-14 16132608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/16/2009 10:09 PM 64160]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [6/3/2003 3:52 PM 123957]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [6/3/2003 3:52 PM 46900]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/16/2009 12:03 AM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1005904]
S3 DYUSB;DYMO DiscPainter USB Status Monitor Driver;c:\windows\system32\drivers\dyusb.sys [10/22/2007 12:07 PM 35200]
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:08]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2009-06-17 20:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-18 20:46
ComboFix-quarantined-files.txt 2009-06-18 01:46

Pre-Run: 57,662,877,696 bytes free
Post-Run: 57,822,457,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

164 --- E O F --- 2009-06-10 00:03
--
~Safe Hex~ Team Discovery ~ Project Hope ~ Like A Hurricane~]]> http://www.dslreports.com/forum/remark,22569748 Wed, 17 Jun 2009 22:51:27 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22569714 gda6 : Hello The Joker,

... or is it just Hello Joker ... ?

Okay, first to answer your questions.

0. This is my friend's computer. So, I don't know the exact history of how it got infected. But I'll do my best to describe the situation.

1. Why didn't Avira identify the trojan earlier? It was configured to virus-scan the entire hard disk on demand. For this computer, that happens infrequently. Avira was setup to detect suspicious file reads/writes on-the-fly. When my friend gave me his machine after being infected. I immediately uninstaled Avira -- and re-installed the latest version. So, the scan that I previously submitted is from the re-installed version.

2. I don't suspect that the winrar_patch.exe did something malicious. That file has been around for about a year without any ill effects.

3. The power-quest backup for this machine is 11 months old. It's too far out of date to use. Therefore, I'm going to go through the "cleaning" process. But if cleaning doesn't work -- then we'll either have to re-install windows -- or restore the 11-month-old backup.

.... okay here are the cleaning steps that I performed today.
A. Cleaned ALL IE files/history/cookies/passwords/etc.
B. Ran cleanmgr
C. Ran Malwarebytes. Log file is attached: f1_mbam....txt.
D. Reran Hijackthis. Log file is attached: f2_hijackthis....log.
E. Allowes Hijackthis to remove R0 entry.

Note: at this time I enabled most of the start-up programs
that were being blocked by msconfig.exe. The reason that
I did this is that I wanted to create a restore point. I had turned off system restore, before posting my first hijackthis log. So I needed to turn it back on to create a restore point.
I couldn't create a restore point after turning system-restore back on. Windows told me to restart the computer. After doing so; I still could not create a restore point. That is why I unblocked a lot of start-up programs. I thought maybe one of them was part of the problem. It was not. I still was not able to create a restore point.

... okay back to the clean-up activities ...

F. Ran Combofix. Log file is attached: f3_combo_fix....txt
G. Reran Hijackthis. Log file is attached: f4_hijackthis....log.

I have not tried to use the computer after these actions.
Combofix advises that I should not try to fix anything without advice from security forum.]]> http://www.dslreports.com/forum/remark,22569714 Wed, 17 Jun 2009 22:43:51 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22564324 TheJoker : Hi gda6

Several questions for you to start with.

Why did Avira not identify the trojans ealrier? Did you just install it, and you had no antivirus program previously installed, or did you have it disabled?

Did you see that your problem appears to likely have been from trying to illegaly bypass the registration of a program (WinRAR_Patch.exe)?

I see that you have PowerQuest Drive Image installed. It's an excellent image based backup and restore program. Although outdated (it won't work with Vista), Drive Image 7 works just fine with Windows XP, I use it myself. Have you considered restoring your system rather than disinfecting it? It would be the more secure way to go unless you don't have a current backup image, or you have upgraded to a SATA drive which the Powerquest boot disc won't recognize. If you do have a recent backup image, I would recommend a restore rather than disinfection. It's what I would do if it was my system. I would save any essential data files (do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files) more current than your backup, boot from the Powerquest restore disc, restore the system, and then after rebooting, replace the newer data files you saved.

If you don't want to or can't do that, we can proceed with disinfection.

Clean your Cache and Cookies in IE:
-Close all instances of Outlook Express and Internet Explorer
-Go to Control Panel > Internet Options > General tab
-Click the "Delete Cookies" button
-Next to it, Click the "Delete Files" button
-When prompted, place a check in: "Delete all offline content", click OK
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Private Data).
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.
Clean other Temporary files + Recycle bin
-Go to start > run and type: cleanmgr and click ok.
-Let it scan your system for files to remove.
-Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
-Press OK to remove them.

Please download Malwarebytes' Anti-Malware from

Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Download ComboFix© by sUBs from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
»www.bleepingcomputer.com/combofi···combofix

- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.

- Double click on ComboFix.exe & follow the prompts.

- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult to remove infections that will only be fixed if you have the Recovery Console installed.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Please post a new HijackThis log, the log from MBAM, the log from ComboFix (combofix.txt), and note any errors encountered.

--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22564324 Wed, 17 Jun 2009 06:00:38 EDT Re: HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22564010 gda6 : FYI, I have attached the antivir scan, which found trojans on the initial virus scan.

Avira AntiVir Personal
Report file date: Monday, June 15, 2009 21:42

Scanning for 1466500 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: LDDVTOWER

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 17:45:27
ANTIVIR2.VDF : 7.1.4.87 2982912 Bytes 6/12/2009 02:27:03
ANTIVIR3.VDF : 7.1.4.95 42496 Bytes 6/15/2009 02:27:04
Engineversion : 8.2.0.187
AEVDF.DLL : 8.1.1.1 106868 Bytes 6/16/2009 02:27:20
AESCRIPT.DLL : 8.1.2.6 409978 Bytes 6/16/2009 02:27:19
AESCN.DLL : 8.1.2.3 127347 Bytes 6/16/2009 02:27:17
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.18 401783 Bytes 6/16/2009 02:27:16
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 4/5/2009 17:45:42
AEHEUR.DLL : 8.1.0.131 1786232 Bytes 6/16/2009 02:27:14
AEHELP.DLL : 8.1.3.6 205174 Bytes 6/16/2009 02:27:09
AEGEN.DLL : 8.1.1.45 348532 Bytes 6/16/2009 02:27:08
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.6.12 180599 Bytes 6/16/2009 02:27:06
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.3 155688 Bytes 6/16/2009 02:27:05
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: quarantine
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Monday, June 15, 2009 21:42

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'zlclient.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'vsmon.exe' - '1' Module(s) have been scanned
Scan process 'gearsec.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
23 processes with 23 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
[WARNING] System error [1381]: The maximum number of secrets that may be stored in a single system has been exceeded.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '54' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\hsyte12.exe
[DETECTION] Is the TR/Generic.1568657.1 Trojan
[NOTE] The file was moved to '4ab0070b.qua'!
C:\Iexplor490.exe
[DETECTION] Is the TR/Dldr.LoadAdv.Ace.39 Trojan
[NOTE] The file was moved to '4aaf06fd.qua'!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Lamar\Local Settings\Temporary Internet Files\Content.IE5\8FA2JQ66\Setup[1].exe
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to '4aab075e.qua'!
C:\Program Files\WinRAR\WinRAR_Patch.exe
[DETECTION] Is the TR/Packed.39760 Trojan
[NOTE] The file was moved to '4aa5184b.qua'!

End of the scan: Monday, June 15, 2009 23:03
Used time: 1:21:23 Hour(s)

The scan has been done completely.

4718 Scanning directories
336146 Files were scanned
4 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
4 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
336140 Files not concerned
42968 Archives were scanned
3 Warnings
4 Notes ]]> http://www.dslreports.com/forum/remark,22564010 Wed, 17 Jun 2009 01:30:49 EDT HJT Log IE7 Browser Gets Redirected http://www.dslreports.com/forum/remark,22563951 gda6 : I am having problems with the IE7 browser.
If I right-click-open-in-new-window for a list
item within a google web search, the new window
is redirected to some porno or other unwanted website.
I have run spybot-search-destroy; adaware; avira-anivir;
trend-micro-online-scanner. There were some viruses
detected on first anti-vir scan. These were cleaned,
and all subsequent scans only find cookie threats.
But still, I have the browser redirecting problem.
Interestingly, if I click-on a list item in a google web
search page (requesting the clicked item opens within
the current window) this kind of hyper-link seems to work okay.

Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:53 PM, on 6/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080529
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080529
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4111 bytes ]]> http://www.dslreports.com/forum/remark,22563951 Wed, 17 Jun 2009 01:01:18 EDT