Over the last week I have somehow obtained a redirect problem when I perform searches on Google or Yahoo. The problem will also not let me connect to spyware websites to perform live updates. I have looked into many other forums and run just about every software checker I could find but with no luck. Here is my HiJackThis log file if someone could please analyze: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:18:07 PM, on 2/23/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\DellSupport\DSAgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\CyberDefender\AntiSpyware\cdas28.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\system32\mdm.exe C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Andy\Local Settings\Application Data\CyberDefender\cdmyidd.dll O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Andy\Local Settings\Application Data\CyberDefender\cdmyidd.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Andy\Local Settings\Application Data\CyberDefender\cdmyidd.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\ISSIntro.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas28.exe" /minimize O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=7d246d4c-9ea3-4e61-971c-1c8a51b9bf45 O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://sympatico.zone.msn.com/binFra...I.cab55579.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1...96/qboax10.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/060...ie06071909.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 9976 bytes
Hi Atrain10, Sounds like you may have picked up the Trojan DNSchanger… Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet. Please download and install SUPERAntiSpyware Free • Double-click SUPERAntiSypware.exe and use the default settings for installation. • An icon will be created on your desktop. Double-click that icon to launch the program. • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.) • Under the "Configuration and Preferences", click the Preferences... button. • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked. • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked): o Close browsers before scanning. o Scan for tracking cookies. o Terminate memory threats before quarantining. • Click the "Close" button to leave the control center screen and exit the program. • Do not run a scan just yet. Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Double-click ATF-Cleaner.exe to run the program. • Under Main "Select Files to Delete" choose: Select All. • Click the Empty Selected button. • If you use Firefox browser click Firefox at the top and choose: Select All • Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. • If you use Opera browser click Opera at the top and choose: Select All • Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. • Click Exit on the Main menu to close the program. Scan with SUPERAntiSpyware as follows: • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer. • On the left, make sure you check C:\Fixed Drive. • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next". • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". • Make sure everything has a checkmark next to it and click "Next". • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu. • If asked if you want to reboot, click "Yes" and reboot normally. • To retrieve the removal information after reboot, launch SUPERAntispyware again. o Click Preferences, then click the Statistics/Logs tab. o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. o Please copy and paste the Scan Log results in your next reply. • Click Close to exit the program. Reboot to Normal Mode 2oG
Thank you 2oG, I have followed your inctructions exactly as stated in your last post. Here is the log file from the SAS scan: SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 02/25/2009 at 01:18 AM Application Version : 4.25.1012 Core Rules Database Version : 3724 Trace Rules Database Version: 1698 Scan type : Complete Scan Total Scan Time : 03:32:00 Memory items scanned : 257 Memory threats detected : 0 Registry items scanned : 7724 Registry threats detected : 0 File items scanned : 99815 File threats detected : 1 Adware.SeekSuggest C:\WINDOWS\JESTERTB.DLL
2oG, No that did not resolve the problem. The redirect still exists everytime I try to access a link from a search engine.
Hummm, First let’s see if your Host file has been compromised: Please download HostXpert. • Unzip HostsXpert.zip • Double click on HostsXpert.exe • Then click on "Restore ms Hosts file" to restore your Hosts file to its default condidtion.. • Click on Make Read Only to secure it against further infection. • Close program when complete. If that doesn’t correct the problem, then we can use a Big Gun to maybe do it: 1. Download Combo fix from one of these locations. * IMPORTANT !!! Place combofix.exe on your Desktop http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe 2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK. 3. Combo will begin to run DO NOTHING while this is happening. • It will kill a few processes and disconnect you from the internet. • If by chance it stops prematurely you can re-establish your internet connection by restarting your computer. • This needs to be done so the program can work most efficiently for you. Do not attempt to use the internet or anything else while it's doing its job for you. **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later. If when it's completed you can not get on the internet just reboot the computer Post the log from comboFix for me located in c:\comboFix.txt 2oG
2oG, I ran the HostsXpert.exe and made it "Read Only" but that did not fix the problem. Here is the ComboFix log: ComboFix 09-02-26.02 - Andy 2009-02-26 20:13:20.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.194 [GMT -6:00] Running from: c:\documents and settings\Andy\desktop\combofix.exe Command switches used :: /killall AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) AV: Norton 360 *On-access scanning enabled* (Updated) FW: Norton 360 *enabled* WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\iMeshBar c:\program files\iMeshBar\bar\History\search c:\program files\Need2Find c:\program files\RXToolBar c:\program files\RXToolBar\Cache\RXUpdate c:\program files\RXToolBar\CacheCatalog.rx c:\recycler\S-7-1-93-100002799-100014309-100021754-9529.com c:\windows\system32\bszip.dll c:\windows\system32\drivers\gaopdxtexyirir.sys c:\windows\system32\gaopdxcounter c:\windows\system32\gaopdxpdpiexjd.dll c:\windows\system32\mdm.exe E:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_gaopdxserv.sys ((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 ))))))))))))))))))))))))))))))) . 2009-02-26 20:02 . 2009-02-26 20:02 <DIR> d-------- C:\32788R22FWJFW 2009-02-24 21:38 . 2005-09-07 20:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec 2009-02-24 21:38 . 2005-09-07 20:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc 2009-02-24 21:38 . 2007-11-21 11:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer 2009-02-24 21:38 . 2009-02-24 21:38 <DIR> d-------- c:\documents and settings\Administrator 2009-02-24 21:22 . 2009-02-24 21:22 <DIR> d-------- c:\program files\SUPERAntiSpyware 2009-02-24 21:22 . 2009-02-24 21:22 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2009-02-24 21:22 . 2009-02-24 21:22 <DIR> d-------- c:\documents and settings\Andy\Application Data\SUPERAntiSpyware.com 2009-02-24 21:22 . 2009-02-24 21:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-02-23 21:31 . 2009-02-23 21:31 <DIR> d-------- c:\program files\Trend Micro 2009-02-23 20:53 . 2009-02-23 20:53 578,560 --a------ c:\windows\system32\dllcache\user32.dll 2009-02-23 20:50 . 2009-02-23 20:50 <DIR> d-------- c:\windows\ERUNT 2009-02-23 20:44 . 2009-02-23 21:03 <DIR> d-------- C:\SDFix 2009-02-23 19:55 . 2009-02-23 19:55 <DIR> d-------- c:\program files\CCleaner 2009-02-20 23:05 . 2009-02-23 19:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2009-02-20 22:54 . 2009-02-20 22:54 74 --a------ c:\windows\st_affiliate.ini 2009-02-20 22:13 . 2009-02-20 22:13 64 --a------ c:\windows\av_affiliate.ini 2009-02-20 22:13 . 2009-02-20 22:13 64 --a------ c:\windows\as_affiliate.ini 2009-02-20 22:11 . 2009-02-20 22:19 <DIR> d-------- c:\program files\CyberDefender 2009-02-20 22:11 . 2009-02-20 22:11 67,424 --a------ c:\windows\system32\drivers\CDAVFS.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-02-27 02:20 --------- d-----w c:\program files\Common Files\Symantec Shared 2009-02-27 01:55 --------- d-----w c:\program files\Dl_cats 2009-02-24 01:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-02-24 01:44 --------- d-----w c:\program files\Common Files\SupportSoft 2009-02-24 01:44 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft 2009-02-20 01:32 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer 2009-02-20 01:30 --------- d-----w c:\program files\TMNT - Ninja Adventures 2009-02-20 01:27 --------- d--h--w c:\program files\InstallShield Installation Information 2009-02-20 01:27 --------- d-----w c:\program files\CyberLink 2009-02-20 01:23 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint 2009-02-20 01:18 --------- d-----w c:\program files\Yahoo! 2009-02-20 01:14 --------- d-----w c:\program files\Yahoo SiteBuilder 2009-02-20 01:14 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo 2009-02-20 01:08 --------- d-----w c:\program files\VMware 2009-02-20 01:08 --------- d-----w c:\documents and settings\All Users\Application Data\VMware 2009-02-20 00:56 --------- d-----w c:\program files\iTunes 2009-02-20 00:55 --------- d-----w c:\program files\IrfanView 2009-02-20 00:53 --------- d-----w c:\program files\Disney Interactive 2009-02-20 00:25 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware 2009-02-04 03:30 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware 2009-01-24 21:43 --------- d-----w c:\program files\LimeWire 2009-01-24 21:25 --------- d-----w c:\program files\Incomplete 2009-01-10 15:58 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF 2009-01-10 15:58 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS 2009-01-10 15:58 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT 2009-01-10 15:58 --------- d-----w c:\program files\Symantec 2008-03-10 21:27 56 --sh--r c:\windows\system32\0873F275CA.sys 2008-03-10 21:27 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys 2008-10-29 06:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102920081030\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Andy\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2009-02-20 3851592] [HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}] [HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1] [HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}] [HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}] 2009-02-20 22:11 3851592 --a------ c:\documents and settings\Andy\Local Settings\Application Data\CyberDefender\cdmyidd.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Andy\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2009-02-20 3851592] [HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}] [HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1] [HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}] [HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Andy\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2009-02-20 3851592] [HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}] [HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1] [HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}] [HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded] @="{4433A54A-1AC8-432F-90FC-85F045CF383C}" [HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}] 2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending] @="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}" [HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}] 2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected] @="{476D0EA3-80F9-48B5-B70B-05E677C9C148}" [HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}] 2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] "CyberDefender Early Detection Center"="c:\program files\CyberDefender\AntiSpyware\cdas28.exe" [2009-02-20 664904] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016] "Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816] "DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "CyberDefender Early Detection Center"="c:\program files\CyberDefender\AntiSpyware\ISSIntro.exe" [2009-02-20 570696] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-09-07 24576] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk backup=c:\windows\pss\Desktop Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk backup=c:\windows\pss\ymetray.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Andy^Start Menu^Programs^Startup^LimeWire On Startup.lnk] path=c:\documents and settings\Andy\Start Menu\Programs\Startup\LimeWire On Startup.lnk backup=c:\windows\pss\LimeWire On Startup.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor] --a------ 2006-10-26 23:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] --a------ 2006-01-17 13:03 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray] --a------ 2006-01-17 13:03 135168 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] --a------ 2007-08-06 18:05 200704 c:\program files\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] --a------ 2006-10-13 17:20 20058152 c:\program files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "gusvc"=3 (0x3) "Microsoft Office Groove Audit Service"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\CyberDefender\\AntiSpyware\\cdas28.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024] R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936] S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-02-20 67424] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888] S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-07 33752] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408] --- Other Services/Drivers In Memory --- *NewlyCreated* - COMHOST . Contents of the 'Scheduled Tasks' folder 2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [] 2009-01-31 c:\windows\Tasks\{EB0AFF6C-8F0D-4559-81CE-1A1F05215BA2}_D6XB3G81_Andy.job - c:\windows\system32\mobsync.exe [2008-04-13 18:12] . - - - - ORPHANS REMOVED - - - - URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) HKCU-RunOnce-CheckNetworkConnection - c:\program files\Support.com\providerComcast\desktopdoctor.exe MSConfigStartUp-ddoctorv2 - c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe MSConfigStartUp-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe MSConfigStartUp-Google Update - c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe MSConfigStartUp-VMware hqtray - c:\program files\VMware\VMware Workstation\hqtray.exe MSConfigStartUp-vmware-tray - c:\program files\VMware\VMware Workstation\vmware-tray.exe MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms} uStart Page = hxxp://www.yahoo.com/ mWindow Title = Windows Internet Explorer provided by Comcast IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-26 20:23:43 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(924) c:\program files\SUPERAntiSpyware\SASWINLO.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Symantec Shared\VAScanner\comHost.exe c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\program files\Canon\CAL\CALMAIN.exe c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe c:\program files\Java\jre1.5.0_06\bin\jucheck.exe . ************************************************************************** . Completion time: 2009-02-26 20:32:27 - machine was rebooted ComboFix-quarantined-files.txt 2009-02-27 02:32:01 Pre-Run: 19,954,429,952 bytes free Post-Run: 19,977,699,328 bytes free 265 --- E O F --- 2009-01-16 13:21:53
2oG, After I ran the ComboFix.exe I restarted my computer and my search engines appear to be back to normal. My Norton and other virus software also prompted me for Live Updates which I could not do since the trojan has infected my computer. Thank you very much for your help and support. I will let you know if any problems persist. Thanks again. Atrain
That should have taken care of it.. Do let me know if something pops up.. I am at work for a few days and don't have much time but later I will give you some tips to keep you from getting infected again.. p.s. send me a fresh HJT Log so I can look it over and give you some tips... tnx 2oG
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:25, on 2009-02-27 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\DellSupport\DSAgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\CyberDefender\AntiSpyware\cdas28.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Andy\Local Settings\Application Data\CyberDefender\cdmyidd.dll R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Andy\Local Settings\Application Data\CyberDefender\cdmyidd.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Andy\Local Settings\Application Data\CyberDefender\cdmyidd.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\ISSIntro.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas28.exe" /minimize O4 - HKUS\S-1-5-21-1654162065-1135626422-144374985-500\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Administrator') O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c12/v19.096/qboax10.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 9047 bytes
Atrain10, here are a few Tips… Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Remove Old Java using JavaRa Download JavaRa and unzip it to your desktop. ***Please close any instances of Internet Explorer before continuing!*** • Double-click on JavaRa.exe to start the program • From the drop-down menu, choose English and click on Select • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK • A logfile will pop up. Save it to a convenient location • Click on Additional Tasks then tick Remove Useless JRE Files • Click Go then OK when prompted & close the program. Update Java Runtime • Go to http://java.sun.com/javase/downloads/index.jsp • Scroll down to Java Runtime Environment (JRE) 6 Update 12 and click on the Download button • In the Platform box choose Windows • Check the box to Accept License Agreement and click Continue • Click on Windows Offline Installation, click on the link under it which says "jre-6u12-windows-i586-p.exe" and save the downloaded file to your desktop • Install the new version by running the downloaded file with the Java icon & follow the on-screen instructions • Reboot your computer Get rid of your Norton and get a better AntiVirus. See the comparatives: http://www.av-comparatives.org/seiten/ergebnisse_2008_08.php Avira AntiVir is a better AV (even the Free version) If you have trouble uninstalling Norton see here: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039 Download and install Avira AntiVir Hate nag screens? Me too. I use Avira AntiVir and here's how to stop that annoying Avira Antivir PE Classic avnotify nag screen: http://www.elitekiller.com/files/disable_antivir_nag.htm SpywareBlaster is passive protection. It plugs the holes that spyware and other potentially unwanted software use to get in to your system. As such, there is no running process - and no CPU and memory usage either. All you have to do is remember to update SpywareBlaster once a week, and enable the latest protection. Protection against spyware, adware, dialers, browser hijackers, and other potentially unwanted software. Tutorial and download: http://www.bleepingcomputer.com/tutorials/tutorial49.html Download: Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shutdown and remove any suspected trojan application. Comodo BOClean currently supports more than 71,000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode. Antivirus software frequently fails to detect, and more often fails to effectively clean most malware. BOClean runs automatically in the background without interfering with your work and kills malwares INSTANTLY the moment they activate without giving them the chance to invade your machine. BOClean also eliminates the need to stop what you're doing to secure your machine after it's too late. BOClean works with all versions of Windows. Unlike antivirus programs, BOClean will actually shut them down and destroy them without the need for you to seek out the method of removal or risking dangerous editing of your system's innermost configurations. BOClean requires no technical skills and handles detection, removal and repair of your system automatically. Hope these tips help, any questions? Fire! 2oG
2oG, Thank you for the recommendations for my computer. I have installed all the software you recommended and all seems to be running well. I will inform you if any other problems "pop-up". Thank you again. Atrain
