Computer Hope

Software => Computer viruses and spyware => Topic started by: alterwind on May 16, 2009, 12:22:08 AM

Title: Streaming Audio Virus/ Page Hijacker?
Post by: alterwind on May 16, 2009, 12:22:08 AM

For quite sometime I have been getting audio advertisements when I access some websites (including CNET Download even when accessed through the link on this site.)  I generally know  when it's going to happen because I hear the cursor clicking to change the page from the site I want to be on.  In the past I would think I got rid of it with AVG switched to AVAST and it still happens.  I followed the instructions for malware removal however when I went to the Computer Hope process tool and had it analyze my Hijack log I didnot feel like I knew what was safe to delete.  I have attached the requested logs.  Any assistance would be appreciated. Thank you folks for running this website!!

[attachment deleted by admin]

Title: Re: Streaming Audio Virus/ Page Hijacker?
Post by: harry 48 on May 16, 2009, 04:51:15 PM

can you not post the process results here , because they are in red doe's not mean they have to come out  , HARRY

Title: Re: Streaming Audio Virus/ Page Hijacker?
Post by: alterwind on May 16, 2009, 05:07:30 PM

I'm sorry I don't know what you mean.  I thought I posted the 3 logs in the right place.  What did you mean about something in red?  Thanks

I think I solved the problem! I manned up and followed the deletions as instructed!! Thanks for this great website!!

Title: Re: Streaming Audio Virus/ Page Hijacker?
Post by: evilfantasy on May 16, 2009, 07:24:16 PM

Would you mind double checking? Better safe than sorry.

Disable Ad-Aware as it may interfere with the HijackThis repairs

• Click the Settings button, Auto Scans tab, and under Scan on Ad-Aware startup
  
• Be sure both selections for No automated scan are checked (green).
  
• Then click Save and close Ad-Aware.

.
----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

• R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
• O1 - Hosts: 216.93.174.28 view.atdmt.com
• O1 - Hosts: 216.93.174.28 ad.doubleclick.net
• O2 - BHO: (no name) - {C323E25E-E56E-45C9-8D48-1F60D324C39E} - (no file) O3 - Toolbar: (no name) - {F1654F8F-1EE7-433D-AB43-E3031F766ACC} - (no file)
• O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
• O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

.
Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download DDS by sUBs (http://www.forospyware.com/sUBs/dds) and save it to your desktop. Alternate DDS download link (http://download.bleepingcomputer.com/sUBs/dds.scr)

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

Title: Re: Streaming Audio Virus/ Page Hijacker?
Post by: alterwind on May 17, 2009, 04:10:35 PM

Here are the requested logs (Thank you for your diligence!!):


1) DDS.txt


DDS (Ver_09-05-14.01) - NTFSx86 
Run by Susan Brown at 17:55:06.70 on Sun 05/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.510.268 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090516-0] *On-access scanning enabled* (Updated)   {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled*   {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\Zone Alarm2\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PopupVanish\PopupVanish.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SUPERAntiSpyware\8f61df0f-557e-4056-8470-ecc7d24ea825.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Susan Brown\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?hl=en&lr=&btnG=Search
uDefault_Page_URL = hxxp://www.dellnet.com
mStart Page = hxxp://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
mSearch Bar = hxxp://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat

7.0\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program

files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {F1654F8F-1EE7-433D-AB43-E3031F766ACC} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {EDC4193F-34AD-4D07-AA87-E3FDB89E3E76} - No File
uRun: [PopupVanish] c:\program files\popupvanish\PopupVanish.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zone alarm2\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: microsoft.com \v4.windowsupdate
Trusted Zone: microsoft.com      \*.windowsupdate
Trusted Zone: windowsupdate.com \*.download
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Literati - hxxp://download.games.yahoo.com/games/clients/y/tt2_x.cab
DPF: YExplorer1_8US.CAB - hxxp://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} -

hxxp://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1069812730765
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -

hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://download.yahoo.com/dl/installs/yinst.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -

hxxp://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab
DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - hxxp://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228837070640
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -

hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228837058281
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -

hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxps://ostsweb.hhs.gov/tsweb/msrdp.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38792.9813194444
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5455/mcfscan.cab
DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: PCANotify - PCANotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-2 114768]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2000-9-11 10816]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-1-19 353680]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-2 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-12-2 138680]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-1-11 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-1-11 169632]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service -->

c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-12-2 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-12-2 352920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2001-11-2 114749]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2007-3-31 10379]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-27 1123008]

=============== Created Last 30 ================

2009-05-16 00:09   <DIR>   --d-----   c:\docume~1\Susan~1\applic~1\Malwarebytes
2009-05-16 00:09   15,504   a-------   c:\windows\system32\drivers\mbam.sys
2009-05-16 00:09   38,496   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-16 00:09   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-16 00:09   <DIR>   --d-----   c:\program files\Malwarebytes' Anti-Malware
2009-05-03 19:21   <DIR>   --d-----   c:\program files\Viewpoint
2009-04-21 20:47   <DIR>   --d-----   c:\program files\TomTom International B.V

==================== Find3M  ====================

2009-04-05 14:54   410,984   a-------   c:\windows\system32\deploytk.dll

============= FINISH: 17:56:12.04 ===============



2) Attach.txt



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/23/2003 4:22:43 PM
System Uptime: 5/17/2009 2:25:13 AM (15 hours ago)

Motherboard: Dell Computer Corporation |  | 07W080
Processor:               Intel(R) Pentium(R) 4 CPU 1.80GHz | Socket 478 | 1794/400mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 56 GiB total, 35.815 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1130: 2/17/2009 9:12:42 AM - System Checkpoint
RP1131: 2/19/2009 7:58:53 PM - System Checkpoint
RP1132: 2/27/2009 12:47:06 AM - System Checkpoint
RP1133: 3/3/2009 12:09:54 PM - System Checkpoint
RP1134: 3/6/2009 1:27:19 PM - System Checkpoint
RP1135: 3/7/2009 1:57:41 PM - System Checkpoint
RP1136: 3/8/2009 8:15:33 PM - System Checkpoint
RP1137: 3/16/2009 9:26:51 PM - Software Distribution Service 3.0
RP1138: 3/18/2009 12:54:14 AM - System Checkpoint
RP1139: 3/20/2009 9:45:28 AM - System Checkpoint
RP1140: 3/21/2009 9:08:31 PM - System Checkpoint
RP1141: 3/24/2009 1:51:05 PM - System Checkpoint
RP1142: 3/25/2009 8:32:18 PM - System Checkpoint
RP1143: 3/27/2009 11:15:33 AM - System Checkpoint
RP1144: 3/28/2009 8:46:17 PM - System Checkpoint
RP1145: 3/30/2009 3:47:02 AM - System Checkpoint
RP1146: 3/31/2009 10:14:44 PM - System Checkpoint
RP1147: 4/2/2009 2:33:12 AM - System Checkpoint
RP1148: 4/3/2009 4:12:35 AM - System Checkpoint
RP1149: 4/4/2009 4:16:59 AM - System Checkpoint
RP1150: 4/5/2009 8:16:58 AM - System Checkpoint
RP1151: 4/5/2009 10:46:20 AM - Software Distribution Service 3.0
RP1152: 4/5/2009 11:55:30 AM - Removed Java(TM) 6 Update 2
RP1153: 4/5/2009 2:54:02 PM - Installed Java(TM) 6 Update 13
RP1154: 4/10/2009 9:20:09 AM - System Checkpoint
RP1155: 4/20/2009 1:58:32 PM - System Checkpoint
RP1156: 4/21/2009 2:27:40 PM - System Checkpoint
RP1157: 4/22/2009 8:02:50 PM - System Checkpoint
RP1158: 4/24/2009 1:18:30 PM - System Checkpoint
RP1159: 4/25/2009 4:03:17 PM - System Checkpoint
RP1160: 4/26/2009 6:06:07 PM - System Checkpoint
RP1161: 4/28/2009 1:02:42 PM - System Checkpoint
RP1162: 4/30/2009 7:59:22 AM - System Checkpoint
RP1163: 5/1/2009 3:29:27 PM - System Checkpoint
RP1164: 5/2/2009 3:53:46 PM - System Checkpoint
RP1165: 5/4/2009 7:45:18 AM - System Checkpoint
RP1166: 5/5/2009 11:29:35 AM - System Checkpoint
RP1167: 5/8/2009 12:23:59 PM - System Checkpoint
RP1168: 5/9/2009 3:42:01 PM - System Checkpoint
RP1169: 5/10/2009 5:13:24 PM - System Checkpoint
RP1170: 5/12/2009 3:23:01 PM - System Checkpoint
RP1171: 5/14/2009 12:00:19 AM - System Checkpoint
RP1172: 5/15/2009 8:24:41 AM - System Checkpoint
RP1173: 5/16/2009 12:43:09 PM - System Checkpoint
RP1174: 5/16/2009 6:49:07 PM - PreHijackDeletion Host files

==== Installed Programs ======================


Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
AOL Coach Version 1.0(Build:20020929.1)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Uninstaller (Choose which Products to Remove)
avast! Antivirus
Avery Wizard 2.1 for Microsoft® Word 2000
BACS
BCM V.92 56K Modem
Broadcom Advanced Control Suite
ccCommon
CCleaner (remove only)
Classic PhoneTools
Corel WordPerfect Suite 8
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Digital Line Detect
Docudesk GPL Ghostscript 8.15
Easy CD Creator 5 Basic
Gravity Well v4.0
Help and Support Customization
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Intel RSX 3D
Intel(R) Extreme Graphics Driver
iTunes
Java(TM) 6 Update 13
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 6.1
Microsoft Office 2000 Small Business
Microsoft Silverlight
Modem Helper
Move Networks Media Player for Internet Explorer
Move Networks Player for Internet Explorer
MSN Gaming Zone
MSN Messenger 6.0
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH® Jukebox
Network Play System (Patching)
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Octoshape add-in for Adobe Flash Player
OLYMPUS CAMEDIA Master 2.0
PrimoPDF
Pure Networks Port Magic
Quicken 2002 New User Edition
QuickTime
RealOne Player
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Shockwave
Smart Defrag 1.11
SPBBC
SpywareBlaster 4.1
SUPERAntiSpyware Free Edition
Symantec
Symantec pcAnywhere
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
Touch by HTC™ User Guide
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC 9.0 Runtime
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinZip
WordPerfect Office 2002
ZoneAlarm

==== Event Viewer Messages From Past Week ========

5/15/2009 6:18:00 AM, error: Service Control Manager [7034]  - The AOL TopSpeed

Monitor service terminated unexpectedly.  It has done this 5 time(s).
5/15/2009 6:09:58 AM, error: Service Control Manager [7031]  - The AOL TopSpeed

Monitor service terminated unexpectedly.  It has done this 4 time(s).  The following

corrective action will be taken in 1000 milliseconds: Restart the service.
5/15/2009 6:01:55 AM, error: Service Control Manager [7031]  - The AOL TopSpeed

Monitor service terminated unexpectedly.  It has done this 3 time(s).  The following

corrective action will be taken in 1000 milliseconds: Restart the service.
5/15/2009 5:53:53 AM, error: Service Control Manager [7031]  - The AOL TopSpeed

Monitor service terminated unexpectedly.  It has done this 2 time(s).  The following

corrective action will be taken in 1000 milliseconds: Restart the service.
5/15/2009 5:46:50 AM, error: Service Control Manager [7031]  - The AOL TopSpeed

Monitor service terminated unexpectedly.  It has done this 1 time(s).  The following

corrective action will be taken in 1000 milliseconds: Restart the service.
5/12/2009 9:49:04 PM, error: SideBySide [59]  - Resolve Partial Assembly failed for

Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not

installed on your system. .
5/12/2009 9:49:04 PM, error: SideBySide [59]  - Generate Activation Context failed

for

C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\

MFC80U.DLL. Reference error message: The operation completed successfully. .
5/12/2009 9:49:04 PM, error: SideBySide [32]  - Dependent Assembly

Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly

is not installed on your system.
5/12/2009 9:48:56 PM, error: SideBySide [59]  - Generate Activation Context failed

for

C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\

MFC80.DLL. Reference error message: The operation completed successfully. .

==== End Of File ===========================

Title: Re: Streaming Audio Virus/ Page Hijacker?
Post by: evilfantasy on May 17, 2009, 04:41:37 PM

You need to get rid of Norton Antivirus. Running two antivirus is a big security risk.

Go to Add or Remove Programs and uninstall:

• Norton AntiVirus Parent MSI
• Norton AntiVirus SYMLT MSI
• Viewpoint Media Player

.
Download the Norton Removal Tool (SymNRT) (http://majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html) to your Desktop. (This will not remove Symantec pcAnywhere)

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

• Go to your desktop and double click on the removal tool and then click Setup.
  
• Once open Click Next
  
• Accept the license agreement and click Next
  
• Type in the letters/numbers that you see into the text box then click Next.
  
• Then click Next and the tool will start running.
  
• Once finished restart the PC.
• Delete Nortonremoval tool from your Desktop.

.
----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)

**Note:  It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

DDS::
TB: {F1654F8F-1EE7-433D-AB43-E3031F766ACC} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {EDC4193F-34AD-4D07-AA87-E3FDB89E3E76} - No File
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Folder::
c:\program files\Viewpoint

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

Title: Re: Streaming Audio Virus/ Page Hijacker?
Post by: alterwind on May 17, 2009, 06:01:05 PM

I do not have the following in my add/remove programs (or any other reference to Norton):
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI

I used to use Norton years ago but removed it I  believe through Add/Remove - However I do still have a Norton folder and files in my c:\program files.  Is it okay to just delete the folder?

I removed the Viewpoint Media through Add/Remove, downloaded the Norton Removal Tool and when I tried to run it got the message:

Manual Application Removal
The following programs were found on this computer. These must be removed through "Add/Remove Programs" before Norton Removal Tool can proceed.
Symantec pcAnywhere

Please let me know what I should do or if I should just continue with the remainder of your instructions. Thank you for your continued help!

Title: Re: Streaming Audio Virus/ Page Hijacker?
Post by: evilfantasy on May 17, 2009, 06:05:53 PM

You can just delete the Symantec folder. If you don't use Symantec pcAnywhere then use the removal tool.

Title: Re: Streaming Audio Virus/ Page Hijacker?
Post by: alterwind on May 19, 2009, 05:03:28 PM

Here is the Combofix.txt log: Thank you :)

ComboFix 09-05-19.04 - Susan Brown 05/19/2009 18:36.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.510.267 [GMT -4:00]
Running from: c:\documents and settings\Susan Brown\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Susan Brown\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090518-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\messenger\msmsgs.exe
c:\windows\system32\drivers\fad.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FAD


(((((((((((((((((((((((((   Files Created from 2009-04-19 to 2009-05-19  )))))))))))))))))))))))))))))))
.

2009-05-16 04:09 . 2009-05-16 04:09   --------   d-----w   c:\documents and settings\Susan Brown\Application Data\Malwarebytes
2009-05-16 04:09 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-05-16 04:09 . 2009-04-06 19:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-16 04:09 . 2009-05-16 04:09   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-16 04:09 . 2009-05-16 04:09   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-04-22 00:47 . 2009-04-22 00:47   --------   d-----w   c:\program files\TomTom International B.V

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 21:05 . 2008-12-03 06:04   --------   d-----w   c:\program files\SUPERAntiSpyware
2009-04-22 00:46 . 2009-02-20 12:19   --------   d-----w   c:\program files\TomTom HOME 2
2009-04-05 20:06 . 2003-02-18 07:55   --------   d-----w   c:\program files\eFax Messenger Plus
2009-04-05 20:06 . 2003-02-18 07:55   --------   d-----w   c:\program files\Common Files\efax
2009-04-05 19:49 . 2008-08-12 13:32   --------   d-----w   c:\program files\Microsoft Silverlight
2009-04-05 18:54 . 2009-04-05 18:54   410984   ----a-w   c:\windows\system32\deploytk.dll
2009-04-05 18:54 . 2009-04-05 18:54   --------   d-----w   c:\program files\Java
2009-04-05 16:42 . 2009-04-05 16:42   --------   d-----w   c:\program files\IObit
2009-04-05 14:43 . 2009-04-05 14:43   --------   d-----w   c:\program files\CCleaner
2009-03-29 23:18 . 2007-02-01 05:50   664   ----a-w   c:\windows\system32\d3d9caps.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopupVanish"="c:\program files\PopupVanish\PopupVanish.exe" [2002-11-22 69632]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"ZoneAlarm Client"="c:\program files\Zone Labs\Zone Alarm2\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2004-08-04 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-10 14:50   356352   ----a-w   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 18:51   24638   ----a-w   c:\windows\SYSTEM32\PCANotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk.disabled
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online Tray Icon.lnk
backup=c:\windows\pss\America Online Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"DwlClient"=c:\program files\Common Files\Dell\EUSW\Support.exe
"PrinTray"=c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe
"LXSUPMON"=c:\windows\System32\LXSUPMON.EXE RUN
"absr"=c:\windows\mwsvm.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [12/2/2008 6:05 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 4:11 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [12/2/2008 6:05 PM 20560]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 6:38 AM 92008]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\SYSTEM32\DRIVERS\olcamudp.sys [3/31/2007 9:43 AM 10379]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2007-09-16 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]

2009-05-19 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-04-05 22:15]

2009-05-19 c:\windows\Tasks\{B88E149F-7AD7-431A-8C5B-ABABF256A3A3}_SHARON_Susan Brown.job
- c:\windows\system32\mobsync.exe [2002-08-29 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?hl=en&lr=&btnG=Search
mStart Page = hxxp://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
mSearch Bar = hxxp://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: microsoft.com \v4.windowsupdate
Trusted Zone: microsoft.com      \*.windowsupdate
Trusted Zone: windowsupdate.com \*.download
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 18:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3873776020-2489581424-1152295103-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\SYSTEM32\LexBceS.exe
c:\windows\SYSTEM32\Lexpps.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
.
**************************************************************************
.
Completion time: 2009-05-19 18:51 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-19 22:51

Pre-Run: 38,294,376,448 bytes free
Post-Run: 37,961,900,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

197   --- E O F ---   2007-06-10 17:17

Title: Re: Streaming Audio Virus/ Page Hijacker?
Post by: evilfantasy on May 19, 2009, 05:16:14 PM

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code: [Select]

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

How is the computer running now?

Title: Re: Streaming Audio Virus/ Page Hijacker?
Post by: alterwind on May 19, 2009, 07:12:31 PM

I received a success message about adding the registry item!! Everything seems to be working smoothly - I haven't had any probs since getting rid of the hijacker - and now it seems like its even running a bit faster also!!

Thank you so much 8) EFantasy!!!
 

Title: Re: Streaming Audio Virus/ Page Hijacker?
Post by: evilfantasy on May 19, 2009, 07:20:58 PM

Sounds good.

Let's clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.
.
The above procedure will:

• Delete: ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

Use the  Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
*  (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Check out  Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see  Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.