Computer Security & Viruses/browser hijack

QUESTION: Hi Brian,

I'm having a rather interesting experience with search engines. It's some kind of browser hijack but I'm having no luck getting rid of it. Clicking on any result thrown up when I search on Google, Yahoo, MSN etc takes me, not to the link displayed, but off to a sequence of godawful linkfarming sites via a new browser window. The new window has a URL beginning with go.google.com (or yahoo etc) before it redirects. It does this in both Internet Explorer and Firefox. Most other sites on the internet seem to be behaving normally but when I try to visit the websites of AVG, Lavasoft or other standard security software sites, I'm taken to the MSN Search page and more fake links.

I have (probably outdated) versions of Spybot S&D and Adaware SE Personal installed, so I ran them, but they wouldn't allow me to download the most recent update file, which would make sense if I can't access their websites. I ran the scans anyway. Both found a bunch of ordinary tracking cookies and Spybot found CoolWebSearch.Svchost, but after the Spybot fix, the browser problem was still there.

I downloaded AVG 8.0 on a different computer and transferred it using a USB. It made it through a full scan and found nothing but tracking cookies.

This will teach me not to forget to renew my security software subscriptions... what now?

Thank you so much for your time - this is a very generous service.

Cheers
Madi


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:30 PM, on 10/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Toscdspd\TOSCDSPD.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldaily.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TMEPROP] C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe -S
O4 - HKLM\..\Run: [DockMsgFrom] C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [toscdspd] C:\Program Files\Toshiba\Toscdspd\TOSCDSPD.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8081F7BB-BD4B-4139-8171-2E0A148E6B65}: NameServer = 61.9.194.49,61.9.195.193
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TME3SRV - IEC - C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe

--
End of file - 10033 bytes
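The entries a responder reads first in a log like the one above are a small set: the O17 NameServer line (a DNS changer is the classic cause of "every search result redirects"), O20 AppInit_DLLs (a DLL loaded into every GUI process), O2/O3 entries with no file behind them, and O4 Run values that name a bare executable rather than a full path. The following script is an added example, not part of this thread or of HijackThis: it parses HijackThis v2 entry lines and applies those checks. The sample lines are constructed from entries in the log above, the `EXPECTED_DNS` set is an assumption standing in for the ISP's published resolvers, and the severity labels are this example's own triage heuristics.

```python
"""Triage a HijackThis v2 log: flag the entry classes a responder checks first."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in HijackThis format, modelled on lines from the log above.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldaily.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{8081F7BB-BD4B-4139-8171-2E0A148E6B65}: NameServer = 61.9.194.49,61.9.195.193
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# ASSUMED for this example: the resolvers the user's ISP hands out. Fill it from
# the ISP's documentation; an O17 address outside the set means DNS was changed.
EXPECTED_DNS = {"61.9.194.49", "61.9.195.193"}


def parse_hjt(text):
    """Yield (kind, body) for each entry line; ignore headers and process lists."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def first_token(cmd):
    """Return the executable part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def triage(text, expected_dns=EXPECTED_DNS):
    """Return (severity, kind, message) for the entries worth a closer look."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            host = urlsplit(url).hostname or url
            findings.append(("info", kind, f"browser home/search points at {host}; confirm the user set it"))
        elif kind in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(("low", kind, "orphaned BHO/toolbar CLSID with no file on disk; safe to remove"))
        elif kind == "O4":
            m = RUN_RE.search(body)
            exe = first_token(m.group("cmd")) if m else ""
            # A bare name is resolved through the PATH search order at logon, so a
            # look-alike dropped earlier in that order would run instead of it.
            if exe and "\\" not in exe and not exe.startswith("%"):
                findings.append(("medium", kind, f"[{m.group('name')}] runs bare '{exe}'; locate the real file and check it"))
        elif kind == "O17":
            servers = [s.strip() for s in body.split("NameServer =", 1)[-1].split(",") if s.strip()]
            bad = [s for s in servers if s not in expected_dns]
            for s in bad:
                findings.append(("high", kind, f"DNS server {s} is not one of the expected resolvers"))
            if servers and not bad:
                findings.append(("info", kind, "NameServer entries match the expected resolvers"))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            if dll:
                findings.append(("medium", kind, f"AppInit_DLLs injects {dll} into every process that loads user32.dll; tie it to a known product"))
    return findings


def counts(findings):
    """Severity histogram, e.g. {'info': 2, 'low': 1, 'medium': 3}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, kind, msg in triage(SAMPLE_HJT_LOG):
        print(f"{sev:6} {kind:4} {msg}")
```

Run it against a full log by passing the file contents to `triage()`. Note that with the resolvers listed in the log treated as expected, nothing here rises above medium: the O17 line only becomes a high finding when the addresses differ from what the ISP actually hands out, which is exactly the check to make before blaming DNS.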

ANSWER: Hi Madi

Please accept my apologies for not getting back to you sooner.  I have had some issues to deal with which prevented me from responding.  Reboot your computer into Safe Mode by continuously pressing the F8 key before Windows loads.  If you see the Windows loading screen, you will need to reboot and try again.  F8 will take you to a menu where you will choose to Start Windows in Safe Mode With Networking.  Log on to your normal account.  Next, please download ComboFix from here to your Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* Double click combofix.exe and follow the prompts.
* The computer may reboot.  Please allow it to do so normally.
* When finished, it shall produce a log for you.
* Copy the ComboFix log and a new HJT log here.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian, thanks so much for your help.

Well, this is bad. I should have mentioned earlier that rebooting in Safe Mode was the first thing I tried to do. It didn't like that idea and gave me a blue screen message a few moments after I pressed Enter on the menu. I've tried a few times. It will only boot up the ordinary way.

The browser hijack problem has been inconsistent, it seemed to be gone for a while yesterday, but is back today (with AVG green ticks all over the fake links page). Still haven't been able to access any sites like avg.com, grisoft.com etc. Your ComboFix link also seemed to be blocked. The machine in general has been all right but temperamental about booting up - it's frozen once or twice while doing so.

I installed ComboFix from a USB and ran it in normal mode. It told me it had found rootkit activity and needed to reboot. It crunched for a few moments and then the blue screen, similar message: A problem has been detected and Windows has been shut down to prevent damage to your computer.

I copied down the technical codes in case they mean anything to you. This is the one it gave the last time I tried to reboot into Safe Mode:
*** STOP: 0x000000B4 (0x820C0DF8, 0x81697000, 0x81696000, 0x00050000)

And this is the one it gave just now in the middle of the ComboFix:
*** STOP: 0x0000000A (0x00000018, 0x00000002, 0x00000000, 0x8050AF20)

Hope you can help. Thanks again.


ANSWER: Hi Madi

The first stop error points to a failure to load your video driver, and the second points to a hardware error, which may also be video driver related.  Either through the USB, or while the computer is cooperating, try updating the video drivers.  If you have onboard video, and the drivers don't help, it's possible that the video chip is faulty.  Whatever malware you have seems to be a separate issue from the BSODs.  Once you have the hardware working, we can remove the malware.  Keep me informed of your progress, regardless.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian

Haven't tackled the video driver thing yet but when I rebooted this afternoon ComboFix was able to finish. While it was doing its thing Norton Antivirus stopped some scripts that seemed to be trying to delete things in the C:/ComboFix folder. Most of them came up after it rebooted and was making its log report, though, which I thought was weird.

Here are the logs.

ComboFix 08-10-02.04 - Peter 2008-10-04 18:51:30.1 - NTFSx86

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Peter\Application Data\Install.dat
C:\WINDOWS\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\TDSSadw.dll
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\TDSSlog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\TDSSserf1.dll
C:\WINDOWS\system32\tdssservers.dat

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV


(((((((((((((((((((((((((   Files Created from 2008-09-04 to 2008-10-04  )))))))))))))))))))))))))))))))
.

2008-10-01 18:39 . 2008-10-01 18:39   <DIR>   d--------   C:\Program Files\Trend Micro
2008-10-01 18:18 . 2008-10-01 18:18   <DIR>   d--h-----   C:\$AVG8.VAULT$
2008-10-01 15:51 . 2008-10-04 19:02   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
2008-10-01 15:51 . 2008-10-01 15:51   97,928   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-01 15:51 . 2008-10-01 15:51   76,040   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-01 15:51 . 2008-10-01 15:51   12,936   --a------   C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-10-01 15:51 . 2008-10-01 15:51   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
2008-10-01 15:50 . 2008-10-01 15:50   <DIR>   d--------   C:\Program Files\AVG
2008-10-01 15:50 . 2008-10-01 15:57   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
2008-09-29 17:22 . 2008-09-29 17:22   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-09-29 17:22 . 2008-09-29 17:22   1,409   --a------   C:\WINDOWS\QTFont.for
2008-09-10 14:34 . 2008-09-10 14:34   <DIR>   d--------   C:\Program Files\NCH Software

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 00:03   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2008-08-04 13:57   ---------   d-----w   C:\Program Files\Norton AntiVirus
2008-08-04 11:00   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-07-18 12:10   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
2008-07-18 12:09   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32   253,952   ----a-w   C:\WINDOWS\system32\es.dll
2008-05-04 09:41   20   ---h--w   C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-05-04 09:41   20   ---h--w   C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"toscdspd"="C:\Program Files\Toshiba\Toscdspd\TOSCDSPD.EXE" [2003-09-05 65536]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 126976]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-28 1388544]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 122939]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-16 135168]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-12-21 348160]
"TMEPROP"="C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe" [2004-12-08 258048]
"DockMsgFrom"="C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe" [2004-11-12 114688]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"CAP3ON"="C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE" [2002-07-19 22528]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-01-18 100056]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-11 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-15 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe" [2005-10-10 32881]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-01 1235736]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2004-08-28 C:\WINDOWS\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Messenger\msmsgs.exe"=
"C:\Program Files\iTunes\iTunes.exe"=
"C:\Program Files\MSN Messenger\msnmsgr.exe"=
"C:\Program Files\MSN Messenger\livecall.exe"=
"C:\Program Files\AVG\AVG8\avgupd.exe"=
"C:\Program Files\AVG\AVG8\avgnsx.exe"=

S0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\System32\Drivers\avgrkx86.sys [2008-10-01 15:51]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-10-01 15:51]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-01 15:51]
S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-10-01 15:51]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f9141e0-c221-11da-a662-000e35cf3076}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sys.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\f4hfhdd.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 19:00:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Toshiba\Toshiba Applet\TMEEJDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3SWK.EXE
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-10-04 19:10:38 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-04 09:10:05

Pre-Run: 9,816,772,608 bytes free
Post-Run: 11,174,387,712 bytes free

174   --- E O F ---   2008-10-03 11:27:35

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:52 PM, on 10/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
C:Program FilesCommon FilesSymantec SharedSNDSrvc.exe
C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesSymantecLiveUpdateALUSchedulerSvc.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:Program FilesTOSHIBAConfigFreeCFSvcs.exe
C:Program FilesCisco SystemsVPN Clientcvpnd.exe
C:WINDOWSsystem32DVDRAMSV.exe
C:Program FilesNorton AntiVirus
avapsvc.exe
C:Program FilesNorton AntiVirusIWPNPFMntor.exe
C:PROGRA~1AVGAVG8avgam.exe
C:Program FilesAnalog DevicesSoundMAXSMAgent.exe
C:Program FilesCommon FilesSymantec SharedCCPD-LCsymlcsvc.exe
C:Program FilesTOSHIBATOSHIBA AppletTAPPSRV.exe
C:Program FilesTOSHIBATOSHIBA Applet   me3srv.exe
C:WINDOWSsystem32CAP3RSK.EXE
C:WINDOWSsystem32 xssvc.exe
C:WINDOWSsystem32igfxtray.exe
C:WINDOWSsystem32hkcmd.exe
C:Program FilesAnalog DevicesSoundMAXSMax4PNP.exe
C:Program FilesSynapticsSynTPSynTPLpr.exe
C:Program FilesSynapticsSynTPSynTPEnh.exe
C:WINDOWSAGRSMMSG.exe
C:Program FilesTOSHIBAConfigFreeNDSTray.exe
C:WINDOWSsystem32dla   fswctrl.exe
C:Program FilesTOSHIBATOSHIBA Zooming UtilitySmoothView.exe
C:Program FilesToshibaToshiba Applet   hotkey.exe
C:Program FilesToshibaToshiba AppletTMEPROP.exe
C:Program FilesToshibaToshiba AppletDockMsgFrom.exe
C:WINDOWSsystem32TPSMain.exe
C:Program FilesTOSHIBATOSHIBA ControlsTFncKy.exe
C:Program FilesCommon FilesSymantec SharedccApp.exe
C:Program FilesTOSHIBAConfigFreeCFSServ.exe
C:WINDOWSsystem32TPSBattM.exe
C:Program FilesCommon FilesRealUpdate_OB
ealsched.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesJavaj2re1.4.2_10injusched.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesToshibaToscdspdTOSCDSPD.EXE
C:Program FilesMSN MessengerMsnMsgr.Exe
C:Program FilesiPodiniPodService.exe
C:WINDOWSsystem32spooldriversw32x86CAP3LAK.EXE
C:WINDOWSSYSTEM32SPOOLDRIVERSW32X86CAP3SWK.EXE
C:WINDOWSSYSTEM32SPOOLDRIVERSW32X86CAP3SWK.EXE
C:Program FilesNikonPictureProjectNkbMonitor.exe
C:WINDOWSsystem32RAMASST.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32wuauclt.exe
C:PROGRA~1AVGAVG8avgnsx.exe
C:WINDOWSexplorer.exe
C:Program FilesAVGAVG8avgrsx.exe
C:Program FilesAVGAVG8avgrsx.exe
C:Program FilesAVGAVG8avgrsx.exe
C:Program FilesAVGAVG8avgrsx.exe
C:Program FilesAVGAVG8avgrsx.exe
C:Program FilesMessengermsmsgs.exe
C:Program FilesAVGAVG8avgrsx.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.aldaily.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page = lank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:WINDOWSsystem32dla   fswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:Program FilesNorton AntiVirusNavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:Program FilesNorton AntiVirusNavShExt.dll
O4 - HKLM..Run: [IgfxTray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [SoundMAXPnP] C:Program FilesAnalog DevicesSoundMAXSMax4PNP.exe
O4 - HKLM..Run: [SynTPLpr] C:Program FilesSynapticsSynTPSynTPLpr.exe
O4 - HKLM..Run: [SynTPEnh] C:Program FilesSynapticsSynTPSynTPEnh.exe
O4 - HKLM..Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM..Run: [dla] C:WINDOWSsystem32dla   fswctrl.exe
O4 - HKLM..Run: [SmoothView] C:Program FilesTOSHIBATOSHIBA Zooming UtilitySmoothView.exe
O4 - HKLM..Run: [THotkey] C:Program FilesToshibaToshiba Applet   hotkey.exe
O4 - HKLM..Run: [TMEPROP] C:Program FilesToshibaToshiba AppletTMEPROP.exe -S
O4 - HKLM..Run: [DockMsgFrom] C:Program FilesToshibaToshiba AppletDockMsgFrom.exe
O4 - HKLM..Run: [TPSMain] TPSMain.exe
O4 - HKLM..Run: [TFncKy] TFncKy.exe
O4 - HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 - HKLM..Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM..Run: [CAP3ON] C:WINDOWSsystem32spooldriversw32x86CAP3ONN.EXE
O4 - HKLM..Run: [Symantec NetDriver Monitor] C:PROGRA~1SYMNET~1SNDMon.exe /Consumer
O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OB
ealsched.exe"  -osboot
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavaj2re1.4.2_10injusched.exe
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [toscdspd] C:Program FilesToshibaToscdspdTOSCDSPD.EXE
O4 - HKCU..Run: [MsnMsgr] "C:Program FilesMSN MessengerMsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:WINDOWSsystem32spooldriversw32x86CAP3LAK.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:Program FilesCisco SystemsVPN Clientvpngui.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:Program FilesNikonPictureProjectNkbMonitor.exe
O4 - Global Startup: RAMASST.lnk = C:WINDOWSsystem32RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavaj2re1.4.2_10in
pjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavaj2re1.4.2_10in
pjpi142_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O17 - HKLMSystemCCSServicesTcpip..{8081F7BB-BD4B-4139-8171-2E0A148E6B65}: NameServer = 61.9.194.49,61.9.195.193
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:Program FilesSymantecLiveUpdateALUSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:Program FilesTOSHIBAConfigFreeCFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:Program FilesCisco SystemsVPN Clientcvpnd.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:WINDOWSsystem32DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver   Intel 32IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:Program FilesiPodiniPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:PROGRA~1SymantecLIVEUP~1LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:Program FilesNorton AntiVirus
avapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:Program FilesNorton AntiVirusIWPNPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:Program FilesNorton AntiVirusSAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:PROGRA~1COMMON~1SYMANT~1SCRIPT~1SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedSNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:Program FilesAnalog DevicesSoundMAXSMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedSPBBCSPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedCCPD-LCsymlcsvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:Program FilesTOSHIBATOSHIBA AppletTAPPSRV.exe
O23 - Service: TME3SRV - IEC - C:Program FilesTOSHIBATOSHIBA Applet   me3srv.exe

--
End of file - 10465 bytes  
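What matters in the ComboFix log posted above (the forum stripped the backslashes from that copy; ComboFix itself writes normal Windows paths) is concentrated in three places: the "Other Deletions" list, which names the files it removed; the "Drivers/Services" list; and the REGEDIT4 dump, where the Security Center notification and monitoring switches, the firewall state and a removable-drive AutoRun handler are recorded. The script below is an added example, not part of this thread or of ComboFix: it splits a ComboFix log into its banner-delimited sections and pulls those items out as findings. The sample log is a constructed excerpt in ComboFix's own format, shortened from the one above, and the severity labels and the "TDSS" name match are this example's own heuristics.

```python
"""Extract the actionable items from a ComboFix log: files and services it
deleted, and the defence-evasion registry settings it recorded."""
import re

# Constructed excerpt in ComboFix format (backslashes restored), shortened from
# the log above.
SAMPLE_COMBOFIX_LOG = r"""
ComboFix 08-10-02.04 - Peter 2008-10-04 18:51:30.1 - NTFSx86
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Peter\Application Data\Install.dat
C:\WINDOWS\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\TDSSadw.dll
C:\WINDOWS\system32\tdssmain.dll
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MCHINJDRV
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f9141e0-c221-11da-a662-000e35cf3076}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sys.exe
.
"""

BANNER_RE = re.compile(r"^\(+\s*(?P<title>[^()]+?)\s*\)+$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+)$')
PATH_RE = re.compile(r"^[A-Za-z]:\\")
SECURITY_CENTER_SWITCHES = ("AntiVirusDisableNotify", "FirewallDisableNotify",
                            "UpdatesDisableNotify", "DisableMonitoring")


def split_sections(text):
    """Map each '((( Title )))' banner to the non-empty lines that follow it."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group("title")
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def parse_registry(lines):
    """Turn the REGEDIT4 dump into {key: [(name, value), ...]}. Bare lines under
    a key, such as '\\Shell\\AutoRun\\command - ...', become ('', line) pairs."""
    keys, current = {}, None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = []
        elif current is not None and line != "REGEDIT4":
            v = VALUE_RE.match(line)
            keys[current].append((v.group("name"), v.group("val")) if v else ("", line))
    return keys


def dword_is_set(val):
    """True for a REGEDIT4 'dword:XXXXXXXX' value that is non-zero."""
    return val.startswith("dword:") and int(val[6:], 16) != 0


def triage(text):
    """Return (severity, category, message) findings from a ComboFix log."""
    sections = split_sections(text)
    findings = []
    for path in sections.get("Other Deletions", []):
        if PATH_RE.match(path) and "tdss" in path.lower():
            findings.append(("high", "deleted", f"{path}: TDSS-named component (TDSS/Alureon rootkit family)"))
    for line in sections.get("Drivers/Services", []):
        findings.append(("high", "service", f"removed service/driver entry {line.lstrip('-')}"))
    for key, values in parse_registry(sections.get("Reg Loading Points", [])).items():
        k = key.lower()
        for name, val in values:
            if "security center" in k and name in SECURITY_CENTER_SWITCHES and dword_is_set(val):
                findings.append(("medium", "evasion", f"{name}=1 under {key}: Security Center warning suppressed"))
            elif name == "EnableFirewall" and val.lstrip().startswith("0"):
                findings.append(("medium", "evasion", f"Windows Firewall disabled ({key})"))
            elif "mountpoints2" in k and "autorun" in val.lower():
                exe = val.rsplit(" ", 1)[-1]
                findings.append(("high", "autorun", f"removable-drive AutoRun handler launches {exe} (key {key})"))
    return findings


if __name__ == "__main__":
    for sev, cat, msg in triage(SAMPLE_COMBOFIX_LOG):
        print(f"{sev:6} {cat:8} {msg}")
```

The Security Center and firewall findings are worth acting on even after the rootkit files are gone: ComboFix reports the values, it does not necessarily reset them, so the machine stays silent about a disabled AV until they are flipped back. The MountPoints2 AutoRun entry records that a removable drive carrying `sys.exe` was attached at some point, so any USB stick that has touched the machine should be scanned before it is plugged into the clean computer used to download tools.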

ANSWER: Hi Madi

Your HJT log is not formatted so that I can read it properly.  Please run another scan, then when notepad pops up, make sure that the items look like this:

Running processes:
C:\WINDOWS\System32\smss.exe

and not like this:

Running processes:
C:WINDOWSSystem32smss.exe

If they look like the first example, just select all, copy and paste it in a follow-up here.  If it looks like the second, click Format on Notepad and check Word Wrap.

Brian


Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.