Expert: Brian Benosky - 1/26/2009

Question
QUESTION: My daughters Vista Ultimate computer has CyberSitter 10 and a popular anti-virus program installed and running.  CyberSitter logs the browser activity and sends the log via email to me.  The contents of the daily log show that Cybersitter is filtering out (preventing) a plethora of http requests for various profane words.  The url requested are not properly formed urls - just swear words.  i.e the log shows entries such as:

12/30/08 01:09:40 AM   andrea   ACCESSED   http://www.updatesdomain.com/bases/ids/i386/ah-i386-0607g.xml

12/30/08 03:13:46 AM   SYSTEM   FILTERED   FUCK

12/30/08 03:33:46 AM   SYSTEM   IGNORED   http://au.download.windowsupdate.com/msdownload/update/software/svpk/2007/12/mai

(I hope by including the profane data that it doesn't get this message junked)  The anti-virus program has perfomred many "full system checks" but has not reported a problem.
Other symptoms that MAY be related:
  Can't install Vista SP1 - fails on all attempts
  Thumb drive needed to be reformated
From the HijackThis log below, can you identify the malware and recomend a way to remove it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:51 PM, on 1/24/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\IOI\ButtonMonitor.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\Cyb10.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\sttray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\NetCID\NetCID.exe
C:\Windows\System32\p2phost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_U
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_U
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_U
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MESG LLC
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\IOI\ButtonMonitor.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [C2K] C:\Windows\Cyb10.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [NetCID] C:\Program Files\NetCID\NetCID.exe
O4 - HKCU\..\Run: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-314940194-2465191917-3769173497-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-314940194-2465191917-3769173497-1000\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-314940194-2465191917-3769173497-1000\..\RunOnce: [DPAPIKeyMig] %SystemRoot%\system32\dpapimig.exe -quiet (User 'IUSR_NMPR')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mesg.local
O17 - HKLM\Software\..\Telephony: DomainName = mesg.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mesg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mesg.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mesg.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = mesg.local
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = mesg.local
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = mesg.local
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = mesg.local
O17 - HKLM\System\CS8\Services\Tcpip\Parameters: Domain = mesg.local
O17 - HKLM\System\CS9\Services\Tcpip\Parameters: Domain = mesg.local
O17 - HKLM\System\CS10\Services\Tcpip\Parameters: Domain = mesg.local
O17 - HKLM\System\CS11\Services\Tcpip\Parameters: Domain = mesg.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\PCSECU~1\THESHI~1\r3hook.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: The Shield Deluxe 2009 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
O23 - Service: Communication Services (CCOMSVC) - Solid Oak Software, Inc. - C:\Windows\CComSvc.exe
O23 - Service: Intel(R) DHTrace Controller (DHTRACE) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel(R) NMSCore (NMSCore) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) Quality Manager (QualityManager) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Monitoring Service (WVCSWDSVC) - Solid Oak Software, Inc. - C:\Windows\WVCSWD.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10651 bytes



ANSWER: Hi Mark

From what I can see, the computer is not infected with any malware.  From your HJT log, SP1 is installed and running:
Platform: Windows Vista SP1 (WinNT 6.00.1905)
Now as for CyberSitter filtering profanity, that is what the program is supposed to do.  Log lines such as:
12/30/08 03:13:46 AM SYSTEM FILTERED F*CK
simply means the program filtered an outgoing request by the computer for the word.  
It may not be the computer user's fault, however.  You mentioned something about a thumbdrive.  Has this drive been checked for infection?  Run a total system scan using the program and method below, making sure to include the thumbdrive in the scan.

Download Malwarebytes' Anti-Malware to your desktop from here:

http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to
o Update Malwarebytes' Anti-Malware
* then click Finish.
* If an update is found, it will download and install the latest version.  Do not run a scan yet.

Restart the computer in Safe Mode by continuously tapping the F8 key on boot until a black screen with a menu appears.  Choose to Start Windows in Safe Mode.  Log on as usual.  Open Malwarebytes and run a Full Scan.

* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.  Save that log and reboot normally.
* Post me the log along with a new HJT scan log into a follow-up.

Brian


---------- FOLLOW-UP ----------

QUESTION: I realize the role of CyberSitter is to filter inappropriate outgoing requests from a USER.  My daughter is 10 years old and has not made the offending requests.  In fact, the log shows that these outgoing http requests in the form of swear words are from a SYSTEM account, not my daughters USER account.  And the logfile shows a wide range of profane words requested multiple times per second.  I'm certain there is a bot or malware or IE add in launching these requests although, the virus scan and Malwarebytes sw does not detect it.   These requests show up in the CyberSitter log even when we let the computer sit, unattended for the day.  Could it be the CyberSitter process itself in some perverse self-vallidation idea for buying the software? I've made several requests for support to CyberSitter and all have gone unanswered.  

Answer
Hi Mark

As I stated before, I realize "it may not be the computer user's fault".  Something is making the request, and since it is not your daughter, we need to find the offender.  I did some research yesterday on the CyberSitter program and, to be honest, I would not be surprised if it really was the offender.  To say that it's methods are shady would be an understatement.  And as you have found, they do not respond to support requests.  
First, I would still run the Malwarebytes' scan just to be on the safe side.  If it comes up clean, definitely go ahead and uninstall the CyberSitter program.  I have also read that this will not be an easy task, so I suggest the free RevoUninstaller, which I have found removes anything and everything:
http://www.revouninstaller.com/
Please keep me updated and let me know if the scan shows any malware.

Brian