« previous next »
Pages: [1]

Author Topic: Fake AV, Browser Re-direct  (Read 896 times)

Offline Toranekohime27

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
Fake AV, Browser Re-direct
« on: July 06, 2010, 04:46:37 PM »
I saw a couple other posts with people who looked like they were having similar problems. A fake anti-virus program was unknowingly installed onto my computer, which popped up with all kinds of alerts and infected files trying to get me to purchase the fake program. I had to jump through hoops to get superantispyware to run and remove (most of) the fake AV so that I could download & run MBAM. Both programs did full scans and came up clean. But then my browser magically redirected me to a contaminated site and I was back where I started with a new fake AV. Removed it again, but my browser still randomly opens tabs or sends me to strange websites and search engines.

Here is my log-

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:36:05 PM, on 7/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Razer\Diamondback 3G\razerhid.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Razer\Diamondback 3G\razertra.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\Program Files\Razer\Diamondback 3G\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback 3G\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 7111 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Fake AV, Browser Re-direct
« Reply #1 on: July 06, 2010, 07:58:33 PM »
Download ComboFix ONLY this location
[color="#0000FF"]Link [/color]
[color="#FF0000"]Save it ONLY to your Desktop[/color]

      --------------------------------------------------------------------
[color="#2E8B57"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
[/color]
To disable Avast>>Right click on the avast! icon in system tray and choose (Stop On-Access Protection)

Also, ensure to disable Adware's Adwatch so it won't interfere
AD-AWARE AD-WATCH in some versions are as follows
   1. Start Ad-Aware
   2. Click the Ad-Watch tab
   3. Click the Settings button
   4. Ensure all highlighted options bellow are unchecked:(some settings may be used or changed only in the Pro version)

      Under the General tab
          * Processes Protection
          * Registry Protection
          * Network Protection
      Under the Detection Layers tab:
          * Spyware heuristics
          * AntiVirus engine
   5. OK your way out, and close the main Ad-Aware window.
   6. Shut down Ad-Aware and Ad-Watch Live! by right clicking on the system tray icon, and selecting Exit Ad-Aware.
   7. OK the change.
If that is not the correct change for your version of Ad-Aware, please check your help manual how to properly disable it's Adwatch feature


  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


[color="#2e8b57"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please
« Last Edit: July 06, 2010, 11:02:10 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Toranekohime27

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
Fake AV, Browser Re-direct
« Reply #2 on: July 07, 2010, 04:52:02 PM »
[color="#800080"]Upon running Combofix, it detected a rootkit and rebooted my machine before running a full scan on start-up. Kitty had a snack http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\':P\' /> <---that made me laugh http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />[/color]

ComboFix 10-07-06.05 - Morgan 07/07/2010 17:41:53.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1587 [GMT -4:00]
Running from: c:\documents and settings\Morgan\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100707-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Morgan\Recent\Thumbs.db

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\':P\' />
.
((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.

2010-07-07 21:38 . 2010-07-07 21:38   --------   d-s---w-   c:\documents and settings\NetworkService\UserData
2010-07-06 21:35 . 2010-07-06 21:35   388096   ----a-r-   c:\documents and settings\Morgan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-01 05:31 . 2010-07-01 05:31   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-01 05:31 . 2010-07-01 05:31   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-07-01 05:30 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 05:30 . 2010-07-01 05:57   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-01 05:30 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-07-01 04:37 . 2010-07-01 06:05   --------   d-----w-   c:\documents and settings\Morgan\Local Settings\Application Data\ojppmnwnn
2010-06-23 22:18 . 2010-06-23 22:18   --------   d-----w-   c:\documents and settings\Morgan\Local Settings\Application Data\Yahoo
2010-06-23 22:18 . 2010-06-23 22:18   --------   d-----w-   c:\program files\Yahoo!
2010-06-14 20:46 . 2010-06-14 20:46   50354   ----a-w-   c:\documents and settings\Morgan\Application Data\Facebook\uninstall.exe
2010-06-14 20:46 . 2010-06-14 20:46   --------   d-----w-   c:\documents and settings\Morgan\Application Data\Facebook
2010-06-10 16:24 . 2010-06-10 16:24   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-06-10 16:20 . 2010-06-10 16:20   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-10 16:20 . 2010-02-04 15:53   2954656   -c--a-w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-10 01:35 . 2010-06-10 01:35   57344   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-10 01:35 . 2010-06-10 01:26   1062184   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-10 01:35 . 2010-06-10 01:25   895256   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-06-10 01:35 . 2010-06-10 01:35   56765   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-10 01:35 . 2010-06-10 01:35   56997   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-10 01:35 . 2010-06-10 01:35   53600   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   57715   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   84062   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   57054   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54166   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   57532   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   56458   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54174   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54153   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54128   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54644   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54101   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-10 01:33 . 2010-06-10 01:33   57409   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-06-10 01:33 . 2010-06-10 01:33   52963   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-06-10 01:33 . 2010-06-10 01:33   54073   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-06-10 01:33 . 2010-06-10 01:33   56969   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-06-10 01:25 . 2010-06-10 01:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
2010-06-09 10:45 . 2010-06-09 10:45   5591040   ----a-w-   c:\documents and settings\Morgan\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-08 22:03 . 2010-06-08 22:03   503808   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b168309-n\msvcp71.dll
2010-06-08 22:03 . 2010-06-08 22:03   499712   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b168309-n\jmc.dll
2010-06-08 22:03 . 2010-06-08 22:03   348160   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b168309-n\msvcr71.dll
2010-06-08 22:03 . 2010-06-08 22:03   61440   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64c34fb8-n\decora-sse.dll
2010-06-08 22:03 . 2010-06-08 22:03   12800   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64c34fb8-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 21:40 . 2008-05-30 23:07   16608   ----a-w-   c:\windows\gdrv.sys
2010-07-07 21:40 . 2008-07-02 02:54   --------   d-----w-   c:\documents and settings\Morgan\Application Data\DNA
2010-07-07 21:28 . 2009-05-29 19:28   117760   ----a-w-   c:\documents and settings\Morgan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-07 21:26 . 2008-07-02 02:54   --------   d-----w-   c:\program files\DNA
2010-07-06 21:35 . 2009-03-06 23:18   --------   d-----w-   c:\program files\Trend Micro
2010-07-01 17:59 . 2009-08-19 00:55   --------   d-----w-   c:\program files\NCSoft
2010-07-01 06:07 . 2008-05-30 23:43   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-07-01 05:31 . 2008-05-30 23:02   1100   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-07-01 00:36 . 2008-07-02 02:54   --------   d-----w-   c:\documents and settings\Morgan\Application Data\BitTorrent
2010-06-23 00:47 . 2008-07-02 03:25   --------   d-----w-   c:\documents and settings\Morgan\Application Data\dvdcss
2010-06-10 16:24 . 2009-03-06 16:30   15880   ----a-w-   c:\windows\system32\lsdelete.exe
2010-06-10 16:24 . 2009-03-06 03:21   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
2010-06-10 16:20 . 2009-03-06 03:19   --------   d-----w-   c:\program files\Lavasoft
2010-06-10 16:11 . 2009-05-29 19:27   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-06-10 01:34 . 2008-05-31 01:48   --------   d-----w-   c:\documents and settings\Morgan\Application Data\DivX
2010-06-10 01:33 . 2009-03-26 16:35   --------   d-----w-   c:\program files\Common Files\DivX Shared
2010-05-02 05:22 . 2004-08-04 12:00   1851264   ----a-w-   c:\windows\system32\win32k.sys
2010-04-27 18:40 . 2008-05-30 23:41   9072   ------w-   c:\windows\system32\drivers\cdr4_xp.sys
2010-04-27 18:40 . 2008-05-30 23:41   45648   ----a-w-   c:\windows\system32\drivers\PxHelp20.sys
2010-04-27 18:40 . 2008-05-30 23:41   9200   ------w-   c:\windows\system32\drivers\cdralw2k.sys
2010-04-27 18:40 . 2008-05-30 23:41   133616   ------w-   c:\windows\system32\pxafs.dll
2010-04-27 18:40 . 2008-05-30 23:41   126448   ------w-   c:\windows\system32\pxinsi64.exe
2010-04-27 18:40 . 2008-05-30 23:41   123888   ------w-   c:\windows\system32\pxcpyi64.exe
2010-04-20 05:30 . 2004-08-04 12:00   285696   ----a-w-   c:\windows\system32\atmfd.dll
2010-04-16 22:02 . 2010-04-16 22:02   503808   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d68242a-n\msvcp71.dll
2010-04-16 22:02 . 2010-04-16 22:02   499712   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d68242a-n\jmc.dll
2010-04-16 22:02 . 2010-04-16 22:02   348160   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d68242a-n\msvcr71.dll
2010-04-16 22:02 . 2010-04-16 22:02   61440   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2eaaffde-n\decora-sse.dll
2010-04-16 22:02 . 2010-04-16 22:02   12800   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2eaaffde-n\decora-d3d.dll
2010-04-16 16:09 . 2004-08-04 12:00   667136   ----a-w-   c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 12:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
2010-04-12 21:29 . 2010-04-16 22:02   411368   ----a-w-   c:\windows\system32\deployJava1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 451872]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-12 323392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="c:\program files\GIGABYTE\GEST\RUN.exe" [2008-08-10 236040]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"nwiz"="nwiz.exe" [2008-01-03 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-03 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-07-07 864112]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"Diamondback"="c:\program files\Razer\Diamondback 3G\razerhid.exe" [2007-08-01 147456]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\Morgan\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2010-1-21 3450608]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-2-20 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-21 20:39   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\GEST\\run.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0.9637-to-0.1.0.9658-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft Public Test2\\WoW-0.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test2\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft Public Test2\\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\Program Files\\World of Warcraft Public Test3\\WoW-0.3.0.10522-enUS-ptr-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test3\\Launcher.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/5/2009 11:21 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/30/2008 9:50 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/26/2009 10:05 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/30/2008 9:50 PM 20560]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 4:31 PM 161064]
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [12/25/2009 12:24 PM 13225]
S3 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\gsvr.exe [5/30/2008 7:08 PM 55816]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys --> c:\windows\system32\Drivers\Lycosa.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 12872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-06-20 16:47   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:32]

2010-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Morgan\Application Data\Mozilla\Firefox\Profiles\t942hgel.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/Default.aspx
FF - plugin: c:\documents and settings\Morgan\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Morgan\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Morgan\Application Data\Mozilla\Firefox\Profiles\t942hgel.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Magic Video Converter\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\Magic Video Converter\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\DivXConverterUninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{B13A7C41581B411290FBC0395694E2A9} - c:\program files\DivX\DivXConverterUninstall.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2010-07-07 17:46:41
ComboFix-quarantined-files.txt 2010-07-07 21:46

Pre-Run: 42,114,334,720 bytes free
Post-Run: 42,334,908,416 bytes free

- - End Of File - - DD1FCEACE796888F672ECDC89054FAB1
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Fake AV, Browser Re-direct
« Reply #3 on: July 07, 2010, 06:43:17 PM »
Can I see another couple logs
Download DDS and save it to your desktop from [color="#FF0000"]here[/color]
Disable any script blocker, and then right  click  on dds.scr and choose to "Run as Admin"
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to this topic.
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Toranekohime27

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
Fake AV, Browser Re-direct
« Reply #4 on: July 07, 2010, 11:07:04 PM »
DDS (Ver_10-03-17.01) - NTFSx86
Run by Morgan at 0:04:02.59 on Thu 07/08/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1513 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100707-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Razer\Diamondback 3G\razerhid.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\Program Files\Razer\Diamondback 3G\razertra.exe
C:\Program Files\Razer\Diamondback 3G\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Morgan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Javaâ„¢ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [GEST] c:\program files\gigabyte\gest\RUN.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Diamondback] c:\program files\razer\diamondback 3g\razerhid.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\morgan\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\morgan\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\morgan\applic~1\mozilla\firefox\profiles\t942hgel.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/Default.aspx
FF - plugin: c:\documents and settings\morgan\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\morgan\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\morgan\application data\mozilla\firefox\profiles\t942hgel.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\magic video converter\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\magic video converter\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-5 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-5-30 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-26 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-5-30 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-5-30 138680]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
R3 GEST Service;GEST Service for program management.;c:\program files\gigabyte\gest\gsvr.exe [2008-5-30 55816]
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2009-12-25 13225]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 12872]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-5-30 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-5-30 352920]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\lycosa.sys --> c:\windows\system32\drivers\Lycosa.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-07-07 21:37:56   98816   ----a-w-   c:\windows\sed.exe
2010-07-07 21:37:56   161792   ----a-w-   c:\windows\SWREG.exe
2010-07-07 21:37:46   0   d-----w-   C:\ComboFix
2010-07-01 05:31:12   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-07-01 05:30:05   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 05:30:03   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-07-01 05:30:03   0   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-06-23 22:18:21   0   d-----w-   c:\program files\Yahoo!
2010-06-14 20:46:35   0   d-----w-   c:\docume~1\morgan\applic~1\Facebook
2010-06-10 16:24:47   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-06-10 16:20:45   0   dc-h--w-   c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-10 01:25:53   0   d-----w-   c:\docume~1\alluse~1\applic~1\DivX

==================== Find3M ====================

2010-07-07 21:55:25   16608   ----a-w-   c:\windows\gdrv.sys
2010-06-10 16:24:40   15880   ----a-w-   c:\windows\system32\lsdelete.exe
2010-06-10 16:24:07   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
2010-05-02 05:22:50   1851264   ----a-w-   c:\windows\system32\win32k.sys
2010-04-27 18:40:40   133616   ------w-   c:\windows\system32\pxafs.dll
2010-04-27 18:40:40   126448   ------w-   c:\windows\system32\pxinsi64.exe
2010-04-27 18:40:40   123888   ------w-   c:\windows\system32\pxcpyi64.exe
2010-04-26 19:58:12   256512   -c--a-w-   c:\windows\PEV.exe
2010-04-20 05:30:08   285696   ----a-w-   c:\windows\system32\atmfd.dll
2010-04-16 16:09:09   667136   ----a-w-   c:\windows\system32\wininet.dll
2010-04-16 16:09:05   81920   ----a-w-   c:\windows\system32\ieencode.dll
2010-04-12 21:29:19   411368   ----a-w-   c:\windows\system32\deployJava1.dll

============= FINISH: 0:04:24.56 ===============

[attachment=5208:Attach.txt]
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Fake AV, Browser Re-direct
« Reply #5 on: July 07, 2010, 11:25:34 PM »
Can you do the following please:
Copy ALL the below in the Code box and paste to an empty notepad file
Don't use anything else than notepad or the script will not work
To open Notepad you can go to Start>Programs>> Accessories, and then clicking Notepad.


Code: [Select]
Folder::
c:\documents and settings\Morgan\Local Settings\Application Data\ojppmnwnn
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
"Adobe Reader Speed Launcher"=-
Save this as txtfile on your desktop, with the exact name of
CFScript

Temporarily disable your AntiVirus/AntiSpyware software so it won't interfere with this next step

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you  with the same name C:\ComboFix.txt..
I'll need to see that log again

Keep me informed how things are now running
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Toranekohime27

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
Fake AV, Browser Re-direct
« Reply #6 on: July 08, 2010, 12:00:31 AM »
[color="#800080"]So far so good. I haven't had any random tabs open and when I'm online I am not getting re-directed to weird websites. I'm just curious as to how all of this made it past Avast so easily. Normally Avast alerts me right away if I happen upon an unsafe site.[/color]

ComboFix 10-07-06.05 - Morgan 07/08/2010 0:51.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1508 [GMT -4:00]
Running from: c:\documents and settings\Morgan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Morgan\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100707-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Morgan\Local Settings\Application Data\ojppmnwnn

.
((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-07 21:38 . 2010-07-07 21:38   --------   d-s---w-   c:\documents and settings\NetworkService\UserData
2010-07-06 21:35 . 2010-07-06 21:35   388096   ----a-r-   c:\documents and settings\Morgan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-01 05:31 . 2010-07-01 05:31   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-01 05:31 . 2010-07-01 05:31   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-07-01 05:30 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 05:30 . 2010-07-01 05:57   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-01 05:30 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-06-23 22:18 . 2010-06-23 22:18   --------   d-----w-   c:\documents and settings\Morgan\Local Settings\Application Data\Yahoo
2010-06-23 22:18 . 2010-06-23 22:18   --------   d-----w-   c:\program files\Yahoo!
2010-06-14 20:46 . 2010-06-14 20:46   50354   ----a-w-   c:\documents and settings\Morgan\Application Data\Facebook\uninstall.exe
2010-06-14 20:46 . 2010-06-14 20:46   --------   d-----w-   c:\documents and settings\Morgan\Application Data\Facebook
2010-06-10 16:24 . 2010-06-10 16:24   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-06-10 16:20 . 2010-06-10 16:20   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-10 16:20 . 2010-02-04 15:53   2954656   -c--a-w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-10 01:35 . 2010-06-10 01:35   57344   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-10 01:35 . 2010-06-10 01:26   1062184   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-10 01:35 . 2010-06-10 01:25   895256   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-06-10 01:35 . 2010-06-10 01:35   56765   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-10 01:35 . 2010-06-10 01:35   56997   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-10 01:35 . 2010-06-10 01:35   53600   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   57715   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   84062   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   57054   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54166   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   57532   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   56458   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54174   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54153   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54128   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54644   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-10 01:34 . 2010-06-10 01:34   54101   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-10 01:33 . 2010-06-10 01:33   57409   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-06-10 01:33 . 2010-06-10 01:33   52963   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-06-10 01:33 . 2010-06-10 01:33   54073   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-06-10 01:33 . 2010-06-10 01:33   56969   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-06-10 01:25 . 2010-06-10 01:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
2010-06-09 10:45 . 2010-06-09 10:45   5591040   ----a-w-   c:\documents and settings\Morgan\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-08 22:03 . 2010-06-08 22:03   503808   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b168309-n\msvcp71.dll
2010-06-08 22:03 . 2010-06-08 22:03   499712   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b168309-n\jmc.dll
2010-06-08 22:03 . 2010-06-08 22:03   348160   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b168309-n\msvcr71.dll
2010-06-08 22:03 . 2010-06-08 22:03   61440   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64c34fb8-n\decora-sse.dll
2010-06-08 22:03 . 2010-06-08 22:03   12800   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64c34fb8-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 04:53 . 2008-05-30 23:07   16608   ----a-w-   c:\windows\gdrv.sys
2010-07-08 04:52 . 2008-07-02 02:54   --------   d-----w-   c:\documents and settings\Morgan\Application Data\DNA
2010-07-07 21:55 . 2008-07-02 02:54   --------   d-----w-   c:\program files\DNA
2010-07-07 21:28 . 2009-05-29 19:28   117760   ----a-w-   c:\documents and settings\Morgan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-06 21:35 . 2009-03-06 23:18   --------   d-----w-   c:\program files\Trend Micro
2010-07-01 17:59 . 2009-08-19 00:55   --------   d-----w-   c:\program files\NCSoft
2010-07-01 06:07 . 2008-05-30 23:43   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-07-01 05:31 . 2008-05-30 23:02   1100   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-07-01 00:36 . 2008-07-02 02:54   --------   d-----w-   c:\documents and settings\Morgan\Application Data\BitTorrent
2010-06-23 00:47 . 2008-07-02 03:25   --------   d-----w-   c:\documents and settings\Morgan\Application Data\dvdcss
2010-06-10 16:24 . 2009-03-06 16:30   15880   ----a-w-   c:\windows\system32\lsdelete.exe
2010-06-10 16:24 . 2009-03-06 03:21   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
2010-06-10 16:20 . 2009-03-06 03:19   --------   d-----w-   c:\program files\Lavasoft
2010-06-10 16:11 . 2009-05-29 19:27   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-06-10 01:34 . 2008-05-31 01:48   --------   d-----w-   c:\documents and settings\Morgan\Application Data\DivX
2010-06-10 01:33 . 2009-03-26 16:35   --------   d-----w-   c:\program files\Common Files\DivX Shared
2010-05-02 05:22 . 2004-08-04 12:00   1851264   ----a-w-   c:\windows\system32\win32k.sys
2010-04-27 18:40 . 2008-05-30 23:41   9072   ------w-   c:\windows\system32\drivers\cdr4_xp.sys
2010-04-27 18:40 . 2008-05-30 23:41   45648   ----a-w-   c:\windows\system32\drivers\PxHelp20.sys
2010-04-27 18:40 . 2008-05-30 23:41   9200   ------w-   c:\windows\system32\drivers\cdralw2k.sys
2010-04-27 18:40 . 2008-05-30 23:41   133616   ------w-   c:\windows\system32\pxafs.dll
2010-04-27 18:40 . 2008-05-30 23:41   126448   ------w-   c:\windows\system32\pxinsi64.exe
2010-04-27 18:40 . 2008-05-30 23:41   123888   ------w-   c:\windows\system32\pxcpyi64.exe
2010-04-20 05:30 . 2004-08-04 12:00   285696   ----a-w-   c:\windows\system32\atmfd.dll
2010-04-16 22:02 . 2010-04-16 22:02   503808   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d68242a-n\msvcp71.dll
2010-04-16 22:02 . 2010-04-16 22:02   499712   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d68242a-n\jmc.dll
2010-04-16 22:02 . 2010-04-16 22:02   348160   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1d68242a-n\msvcr71.dll
2010-04-16 22:02 . 2010-04-16 22:02   61440   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2eaaffde-n\decora-sse.dll
2010-04-16 22:02 . 2010-04-16 22:02   12800   ----a-w-   c:\documents and settings\Morgan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2eaaffde-n\decora-d3d.dll
2010-04-16 16:09 . 2004-08-04 12:00   667136   ----a-w-   c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 12:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
2010-04-12 21:29 . 2010-04-16 22:02   411368   ----a-w-   c:\windows\system32\deployJava1.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-07_21.45.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-07 21:55 . 2010-07-07 21:55   16384    c:\windows\Temp\Perflib_Perfdata_6b8.dat
+ 2010-07-07 21:55 . 2010-07-07 21:55   16384    c:\windows\Temp\Perflib_Perfdata_594.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 451872]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-12 323392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="c:\program files\GIGABYTE\GEST\RUN.exe" [2008-08-10 236040]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"nwiz"="nwiz.exe" [2008-01-03 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-03 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-07-07 864112]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"Diamondback"="c:\program files\Razer\Diamondback 3G\razerhid.exe" [2007-08-01 147456]

c:\documents and settings\Morgan\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2010-1-21 3450608]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-2-20 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-21 20:39   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\GEST\\run.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0.9637-to-0.1.0.9658-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft Public Test2\\WoW-0.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test2\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft Public Test2\\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\Program Files\\World of Warcraft Public Test3\\WoW-0.3.0.10522-enUS-ptr-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test3\\Launcher.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/5/2009 11:21 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/30/2008 9:50 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/26/2009 10:05 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/30/2008 9:50 PM 20560]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 4:31 PM 161064]
R3 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\gsvr.exe [5/30/2008 7:08 PM 55816]
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [12/25/2009 12:24 PM 13225]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 12872]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys --> c:\windows\system32\Drivers\Lycosa.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-06-20 16:47   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:32]

2010-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Morgan\Application Data\Mozilla\Firefox\Profiles\t942hgel.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/Default.aspx
FF - plugin: c:\documents and settings\Morgan\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Morgan\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Morgan\Application Data\Mozilla\Firefox\Profiles\t942hgel.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Magic Video Converter\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\Magic Video Converter\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 00:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(3984)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
.
Completion time: 2010-07-08 00:54:04
ComboFix-quarantined-files.txt 2010-07-08 04:54
ComboFix2.txt 2010-07-07 21:46

Pre-Run: 42,338,230,272 bytes free
Post-Run: 42,323,812,352 bytes free

- - End Of File - - 9A587F93E3CEBBF4804E778469F984EF
Logged

Offline Toranekohime27

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
Fake AV, Browser Re-direct
« Reply #7 on: July 09, 2010, 11:06:15 AM »
[color="#800080"]Ran MBAM today and it found a lot more than the usual handful of tracking cookies. Which is scary considering I used my credit card online today figuring everything was back to normal.[/color]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4296

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/9/2010 12:00:06 PM
mbam-log-2010-07-09 (12-00-06).txt

Scan type: Quick scan
Objects scanned: 120287
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\but.exe (Worm.AutoRun) -> No action taken.
C:\RECYCLER\autoplay.exe (Worm.AutoRun.Gen) -> No action taken.
C:\RECYCLER\autorunme.exe (Worm.AutoRun) -> No action taken.
C:\RECYCLER\blazewrm.vmx (Worm.BlazeBot) -> No action taken.
C:\RECYCLER\Buruh.exe (Worm.SFDC) -> No action taken.
C:\RECYCLER\cb.dll (Trojan.Agent.T) -> No action taken.
C:\RECYCLER\Clear.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\csrss.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\k-1-3542-4232123213-7676767-8888886\r00t.exe (Worm.AutoRun) -> No action taken.
C:\RECYCLER\Kuli.exe (Worm.SFDC) -> No action taken.
C:\RECYCLER\Lcass.exe (Worm.AutoRun) -> No action taken.
C:\RECYCLER\LSACS.EXE (Worm.AutoRun) -> No action taken.
C:\RECYCLER\MQAHCO.EXE (Worm.Fasong) -> No action taken.
C:\RECYCLER\Papelera.exe (Worm.AutoRun) -> No action taken.
C:\recycler\papeleraxp2.exe (Trojan.Qhost) -> No action taken.
C:\recycler\papeleraxpt.exe (Trojan.Qhost) -> No action taken.
C:\RECYCLER\Pembantu.exe (Worm.SFDC) -> No action taken.
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0850\vsse32.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\S-1-5-21-0982818026-0792038349-964117139-9221\service.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\S-1-5-21-1292832515-2685961851-318933812-6215\service.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\csrxx.exe (Worm.AutoRun) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe (Backdoor.Bot) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\intalscrens.exe (Worm.AutoRun) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe (Backdoor.Bot) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise323.exe (Backdoor.Bot) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sndrv.exe (Worm.AutoRun) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe (Worm.AutoRun) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe (Trojan.Agent) -> No action taken.
C:\recycler\s-1-5-21-484763869-1614574334-18083462561-100\csrss.exe (Trojan.Agent) -> No action taken.
C:\recycler\s-1-5-21-484763869-1614574334-18083462561-100\Services.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe (Backdoor.Bot) -> No action taken.
C:\RECYCLER\Services.exe (Worm.SFDC) -> No action taken.
C:\RECYCLER\Tukang.exe (Worm.SFDC) -> No action taken.
C:\RECYCLER\ITss.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\modulo.exe (Trojan.Banker) -> No action taken.
C:\RECYCLER\svctask.exe (Trojan.Banker) -> No action taken.
C:\RECYCLER\mdl.exe (Spyware.Banker) -> No action taken.
C:\RECYCLER\svc.exe (Spyware.Banker) -> No action taken.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Fake AV, Browser Re-direct
« Reply #8 on: July 10, 2010, 11:57:31 AM »
Sorry for the delay, I was almost positive I responded to this thread a couple days ago
but I don't see my response  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' />

Can you reopen Malwarebytes antimalware please
  • Under the UPDATE tab, check for updates
  • If an update is found, it will download and install the latest version.    
  • Click the SCANNER tab select "Perform Quick Scan", then click Scan.  
     
  • When the scan is complete, click OK, then Show Results to view the results.    
  • Make sure that everything is checked, and click Remove Selected.
        * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)    
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.    
  • Copy&Paste the entire report in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
« Last Edit: July 10, 2010, 11:57:52 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Toranekohime27

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
Fake AV, Browser Re-direct
« Reply #9 on: July 10, 2010, 05:44:29 PM »
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4300

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/10/2010 4:32:30 PM
mbam-log-2010-07-10 (16-32-30).txt

Scan type: Quick scan
Objects scanned: 120413
Time elapsed: 5 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Fake AV, Browser Re-direct
« Reply #10 on: July 10, 2010, 06:33:39 PM »
Can you do the following please
download Flash_Disinfector and save it to your desktop
  • Double on Flash_Disinfector.exe  to run it. If you receive a prompt, please allow it.
  • You will be prompted to plug in your flash drive. Plug it in. If you have more than one, plug them in
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
[color="#4169e1"]Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.[/color]


Ensure there is still a copy of ComboFix on your desktop
Then go to START>>RUN>>type in, or copy/paste

Combofix /Uninstall

(Notice the space between the "x" and "/")
Click OK
You will then receive a message saying Combofix was uninstalled successfully once it's done

Your copy of Adobe Reader is outdated, we should update it to help patch Security holes
Close down all browser windows
Access your Add/Remove Programs and remove
Adobe Reader 8.1.3

Download [color="#FF0000"]ATF-Cleaner[/color] by Atribune.
Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

If you use Firefox browser
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NOTE: Startup may be a bit slower after using ATF-Cleaner as it will also clean your Prefetch folder
Not to worry, start time will get faster as this folder is repopulated

Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

After rebooting, let's get Adobe Reader updated
Go to the following link
http://get.adobe.com/reader/

UNTICK the option to also install McAfee Security Scan and/or Google toolbar or similiar
Download and save to desktop the installer for the latest version of A. Reader
Double click on the installer to install
After successfully installing, you can delete the installer on desktop
Can you open Adobe Reader and click on HELP>>CHECK FOR UPDATES and install any update if found to ensure you are right up to date

Your copy of Avast AV is outdated
Can you do the following please
Download the latest version of Avast 5 from the following link and save the installer to your desktop
http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html
Don't install it yet
Instead access your Add/Remove programs and remove/uninstall your current version
After removal, reboot the computer again

Back in Windows, install the latest version of AVAST
After installation, it should auto check for updates to bring it right up to date
Can you, for the first scan do a Full system scan please
Let me know how it goes and how things are now running

Can you include a fresh log from Hijackthis also

NOTE: You can reregister your copy of Avast from within the program itself
There is also the option to set a Scheduled scan
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Toranekohime27

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
Fake AV, Browser Re-direct
« Reply #11 on: July 10, 2010, 08:54:50 PM »
Everything seems to be running normally.  There is still ATF cleaner and Flash Disinfector on my desktop...any special ways to remove them?  The full Avast scan came up clean.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:50:23 PM, on 7/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Razer\Diamondback 3G\razerhid.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\Program Files\Razer\Diamondback 3G\razertra.exe
C:\Program Files\Razer\Diamondback 3G\razerofa.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback 3G\razerhid.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 6480 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Fake AV, Browser Re-direct
« Reply #12 on: July 10, 2010, 09:14:42 PM »
Quote
There is still ATF cleaner and Flash Disinfector on my desktop.

Go ahead and manually delete them
I'll lock this topic in a couple days as everything seems fine

EDIT>> I noticed your still running IE6, you may want to update to IE8
« Last Edit: July 10, 2010, 09:17:39 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Toranekohime27

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
Fake AV, Browser Re-direct
« Reply #13 on: July 12, 2010, 04:18:56 PM »
Will do.  Thank you so much for your help and quick responses http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Fake AV, Browser Re-direct
« Reply #14 on: July 16, 2010, 10:09:41 PM »
[quote name='Toranekohime27' date='12 July 2010 - 02:18 PM' timestamp='1278969536' post='470644']
Will do.  Thank you so much for your help and quick responses http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
[/quote]

Your welcome, locking this topic, take care
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »