Guys, about this "Adware Softomate".....

system · March 5, 2008, 6:04pm

Yep, the link works … even from the quote box above.

system · March 6, 2008, 12:25am

Well, then apparently something is trying to keep me from opening it because it does load the page for a few seconds and then inmediately it loads a page that says “404 Page not found” (and on the bottom of the Firefox navigator I can see that it’s compulsively trying to re-re-re-reload the same page again). It’s like some sort of system crash.

system · March 6, 2008, 12:28am

Yeah, somethig is definitively wrong here.

I just tried simply going to www.trendsecure.com and finding the Hijackthis by myself.

It gave me the following page:

"Unable to Open the Requested Page

The page you have tried to open either does not exist, or does not permit direct access without authorization.

Please visit the main TrendSecure page for your region instead."

I clicked on the United States Link. It reloaded the same page. I tried Spain. Same thing.
Something is keeping me away from the page.

Any ideas?

oldman960 · March 6, 2008, 12:37am

Try this link, the down load button is in the right corner , right beside a green arrow. Let know how you make out.

http://filehippo.com/download_hijackthis/

If that doesn’t work, navigate to this folder

C:\WINDOWS\SYSTEM32\DRIVERS\ETC

In the right hand panel find this file

hosts

please note that it doesn’t have an extention. Right click it, select rename, name it hosts.old and try again

system · March 6, 2008, 2:04am

That link did work. I have downloaded it but I’m using the computer now so I won’t run the scan yet. I’ll post it either tonight or tomorrow. Once again, thank you.

oldman960 · March 6, 2008, 2:10am

Ok, do the combofix first though. I think you may have a problem with your hosts file. HJT should show that as well.

system · March 6, 2008, 11:13pm

Damn, I already had done the Hijackthis scan by the time I read your post. Anyway, I tried posting the log in here but it said the post exceeded the amount of characters. Let me try posting it in a new reply.

system · March 6, 2008, 11:14pm

Ok, I’m gonna have to split this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:56:58 p.m., on 07/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

system · March 6, 2008, 11:15pm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {76FCFD22-C40A-4764-8420-AFE2C4654ECD} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [LogitechCommunicationsManager] “C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe”
O4 - HKLM..\Run: [LogitechQuickCamRibbon] “C:\Program Files\Logitech\QuickCam\Quickcam.exe” /hide
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender-es.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe

–
End of file - 11014 bytes

oldman960 · March 6, 2008, 11:50pm

Hi, you can attach the logs to your reply by using the additional options button on the reply page, you may have to scroll down to see the browse button.

Please post the combofix log, so we can see if there is anything remaining. Also the conents of the hosts file. Something is blocking you from some sites and that the usuall place it happens.

Thanks.

system · March 7, 2008, 11:52pm

There’s something I’m not quite sure here. When you said this:

“Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.”

You mean that the action “word wrap” should not be clickable? Cause it is when I do what you told me.

oldman960 · March 7, 2008, 11:57pm

There should be no check mark beside enable wordwrap.

system · March 8, 2008, 6:58pm

ComboFix 08-03-04.3 - il Dottore 2008-03-09 14:18:22.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT -7:00]
Running from: C:\Documents and Settings\il Dottore\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\il Dottore\Desktop\CFscript.txt

Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-07 18:56 . 2008-03-07 18:56 d-------- C:\Program Files\Trend Micro
2008-03-06 23:27 . 2008-03-09 14:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-06 23:27 . 2008-03-06 23:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-06 23:24 . 2008-03-06 23:26 d-------- C:\Program Files\iTunes
2008-03-06 23:19 . 2008-03-06 23:21 d-------- C:\Program Files\QuickTime
2008-03-05 20:48 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-05 20:44 . 2008-03-05 20:45 15,918,488 --a------ C:\jre-6u5-windows-i586-p.exe
2008-02-23 17:55 . 2008-02-23 17:59 d-------- C:\Documents and Settings\il Dottore\Application Data\Sibelius Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 21:05 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-03-07 06:25 --------- d-----w C:\Program Files\iPod
2008-03-06 03:48 --------- d-----w C:\Program Files\Java
2008-02-24 00:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sibelius Software
2008-02-24 00:49 --------- d-----w C:\Program Files\Sibelius Software
2008-02-24 00:29 --------- d-----w C:\Program Files\Finale 2002
2008-01-30 06:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-27 02:19 604 —ha-w C:\Program Files\STLL Notifier
2007-04-01 21:36 258 ----a-w C:\Program Files\First Theorem.sn2
2004-04-13 16:13 35,456 ----a-w C:\WINDOWS\Fonts\requiem1.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{76FCFD22-C40A-4764-8420-AFE2C4654ECD}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“TOSCDSPD”=“C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” [2003-09-05 04:24 65536]
“Yahoo! Pager”=“C:\Program Files\Yahoo!\Messenger\ypager.exe” [2005-08-19 20:34 3084288]
“LDM”=“C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe” [2007-07-25 00:52 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“00THotkey”=“C:\WINDOWS\System32[u]0[/u]0THotkey.exe” [2003-04-15 21:01 258048]
“000StTHK”=“000StTHK.exe” [2001-06-23 21:28 24576 C:\WINDOWS\system32[u]0[/u]00StTHK.exe]
“TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” [2003-01-21 19:00 126976]
“PadTouch”=“C:\Program Files\TOSHIBA\PadTouch\PadExe.exe” [2003-10-31 16:01 1019904]
“Start RF Wireless Mouse”=“C:\Program Files\RF Wireless Mouse\cm20.exe” [2002-01-31 11:59 61440]
“ezShieldProtector for Px”=“C:\WINDOWS\system32\ezSP_Px.exe” [2002-08-20 11:29 40960]
“RealTray”=“C:\Program Files\Real\RealPlayer\RealPlay.exe” [2003-11-20 18:24 26112]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 06:00 79224]
“!AVG Anti-Spyware”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-08-14 14:10 6731312]
“LogitechCommunicationsManager”=“C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe” [2007-07-25 16:02 563984]
“LogitechQuickCamRibbon”=“C:\Program Files\Logitech\QuickCam\Quickcam.exe” [2007-07-25 16:06 2027792]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 05:25 144784]
“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2008-02-01 00:13 385024]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2008-02-19 14:10 267048]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 00:56 15360]

C:\Documents and Settings\il Dottore\Start Menu\Programs\Startup
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2005-03-09 12:49:38 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-04-11 08:23:36 113664]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-07-25 00:52:32 67128]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-07-19 18:53:18 57344]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 14:23:32 51776]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-11-20 17:58:56 155648]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 12:29:12 1568768]

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“C:\Program Files\iTunes\iTunes.exe”=

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 02:07]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 12:50]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 01:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 14:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 14:12]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 10:03]
S3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 18:38]
S3 VVBETHERNET;Efficient Networks Virtual Bus Ethernet driver;C:\WINDOWS\system32\DRIVERS\vvbEthT.sys [2002-05-22 18:26]
S3 VvBusUsb;Efficient Networks USB Virtual Bus driver;C:\WINDOWS\system32\drivers\vvbususb.sys [2002-05-22 18:26]

.
Contents of the ‘Scheduled Tasks’ folder
“2008-03-07 06:09:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

C:\Program Files\Apple Software Update\SoftwareUpdate.exe
“2008-03-07 05:26:15 C:\WINDOWS\Tasks\Symantec NetDetect.job”
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 14:24:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
Completion time: 2008-03-09 14:26:31
ComboFix-quarantined-files.txt 2008-03-09 21:26:07
ComboFix2.txt 2008-03-06 03:30:56
ComboFix3.txt 2008-02-21 08:40:32
.
2008-02-14 03:03:40 — E O F —

oldman960 · March 8, 2008, 11:43pm

Well that one just doesn’t seem to want to die. So we go after it a little differently. Do these steps in the order posted.

Open HJT, run a system scan only, check mark these lines if present

[b]O2 - BHO: (no name) - {76FCFD22-C40A-4764-8420-AFE2C4654ECD} - C:\WINDOWS\system32\sstqo.dll (file missing)

[/b]

Close all other browsers/windows, click fix, close HJT.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\WINDOWS\system32\sstqo.dll C:\WINDOWS\system32\drivers\lvuvc.hs
Folder::
C:\WINDOWS\system32\drivers\lvuvc.hs

Driver::
lvuvc

Registry::
[-HKEY_LOCAL_MACHINE~\Browser Helper Objects{76FCFD22-C40A-4764-8420-AFE2C4654ECD}]

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

note when doing the combofix fix

A window may open with a warning. Type “1” (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Click File, click Exit and answer ‘Yes’ to save changes

Open HJT and run a scan and post that log along with the combofix log.

Also you should have a look in the hosts file, malware may have placed entries in it tp prevent you from reaching certain sites. You can copy and paste the contents into your next reply. We will be able to advise you if we see the contents. There isn’t any personal info in it.

Thanks

system · March 9, 2008, 1:13am

Hehehe, which one doesn’t seem to want to die?

Either way, I will run the scan again and post the results soon.

system · March 9, 2008, 9:30pm

Good day.

I have scanned once again with Hijack this. I have found and fixed (deleted?) file O2 - BHO: (no name) - {76FCFD22-C40A-4764-8420-AFE2C4654ECD} - C:\WINDOWS\system32\sstqo.dll (file missing). I have saved the log as “CFscript” and dragged it to combofix to start it again. Here’s the results:

ComboFix 08-03-04.3 - il Dottore 2008-03-10 17:19:11.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.174 [GMT -7:00]
Running from: C:\Documents and Settings\il Dottore\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\il Dottore\Desktop\CFscript.txt

Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-07 18:56 . 2008-03-07 18:56 d-------- C:\Program Files\Trend Micro
2008-03-06 23:27 . 2008-03-10 14:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-06 23:27 . 2008-03-06 23:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-06 23:24 . 2008-03-06 23:26 d-------- C:\Program Files\iTunes
2008-03-06 23:19 . 2008-03-06 23:21 d-------- C:\Program Files\QuickTime
2008-03-05 20:48 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-05 20:44 . 2008-03-05 20:45 15,918,488 --a------ C:\jre-6u5-windows-i586-p.exe
2008-02-23 17:55 . 2008-02-23 17:59 d-------- C:\Documents and Settings\il Dottore\Application Data\Sibelius Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 21:18 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-03-07 06:25 --------- d-----w C:\Program Files\iPod
2008-03-06 03:48 --------- d-----w C:\Program Files\Java
2008-02-24 00:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sibelius Software
2008-02-24 00:49 --------- d-----w C:\Program Files\Sibelius Software
2008-02-24 00:29 --------- d-----w C:\Program Files\Finale 2002
2008-01-30 06:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-27 02:19 604 —ha-w C:\Program Files\STLL Notifier
2007-04-01 21:36 258 ----a-w C:\Program Files\First Theorem.sn2
2004-04-13 16:13 35,456 ----a-w C:\WINDOWS\Fonts\requiem1.zip
.