Computer Juice forum: Computer Software, Virus, Spyware & Security
Is It a Cracker, Hacker or Virus/Malware?

  #1  
Old 22nd Oct 2009, 09:57
Full Member
Posts: 22
 
This is the story: About 3-4 mos ago all my Yahoo email contacts received some ad email, signed by me. Needless to say, I never sent the ad (about a Google product), nor was it in the Sent Box. In ~3wks it happened again, although the ad was different. Last week a subfolder of My Documents folder disappeared. It was found by File Recover, yet no actual recovery was done because of a defect in the program (I am email corresponding with its vendor, PC Tools). A day later File Recover disappeared without a trace (almost – the only evidence of its presence was a lonely Registry empty folder named “Recovered Files”). A nice tiny program warning of bad websites called Web of Trust (WOT) disappeared twice already, in the space of three days. At least this one is easy to reinstall: it’s a freebie. About a week ago both my CDRW and DVDRW drives stopped functioning: neither can “see” an inserted disc and says something like “Incorrect function. Please insert disc”. In Device Manager near the bottom there is something called “M$ Kernel DLS Synthesizer”. Microsoft website informed me that it is part of Dmusic, whatever it is. The rest of its short description is too technical for me and is, actually, worthless. I want to fix it as I suspect it is related to malfunctioning drives. Updating Kernel’s driver did not change anything. I found a few websites that offered to download Kernel SW, and uninstall it. Yet, when I went back to those websites and got to secondary Download Now pages, my WOT darkened the pages and warned me: Dangerous Site; Very Bad Reputation! So, I ran System Restore and now have dysfunctional Kernel back.

I don't think that Kernel DLS breakdown is directly related to the rest of my trouble; but since it occurred at the same time, who knows?

I appreciate any help.


  #2  
Old 22nd Oct 2009, 10:14
Moderator
Posts: 7,545
 
If you think this is a malware issue please follow the instructions in this thread and post the logs.

  #3  
Old 22nd Oct 2009, 10:57
Full Member
Posts: 22
 
I have SAS, Malwarebytes, HJT. What’s Antimalware? A generic term or a particular program? If so, which one? Google brings zillion pages. I’d appreciate your advice.
Please, note: I’ve been working on this computer since 2003 with only insignificant problems, so I know very little about Malware and its removal.
Please keep in mind that I am not a pro: I think it could be a Malware, a Trojan or something, but your diagnosis is more precise.
  #4  
Old 22nd Oct 2009, 10:58
Moderator
Posts: 7,545
 
Malwarebytes Antimalware.

  #5  
Old 22nd Oct 2009, 11:14
Full Member
Posts: 22
 
I attached logfiles to my last post (some are Notepad pages, some are Screenshots, as not every program provides a Notepad logfile). But they are nowhere in sight...
  #6  
Old 22nd Oct 2009, 11:20
Moderator
Posts: 7,545
 
Just copy and paste them directly into the reply.

  #7  
Old 22nd Oct 2009, 11:35
Full Member
Posts: 22
 
Logfile created: 10/18/2009 10:27:13
Lavasoft Ad-Aware version: 8.0.8
Extended engine version: 8.1
User performing scan: Yury

*********************** Definitions database information ***********************
Lavasoft definition file: 149.73
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Default Profile (ID: defaultprofile)
Objects scanned: 70365
Objects detected: 65


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 1
Folders.........: 0
LSPs............: 0
Cookies.........: 64
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0
Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0
Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
Description: *hitbox* Family Name: Cookies Clean status: Success Item ID: 408858 Family ID: 0
Description: *.hitbox* Family Name: Cookies Clean status: Success Item ID: 409072 Family ID: 0
Description: *specificclick* Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0
Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0
Description: *pointroll* Family Name: Cookies Clean status: Success Item ID: 408826 Family ID: 0
Description: *ads.pointroll* Family Name: Cookies Clean status: Success Item ID: 408927 Family ID: 0
Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0
Description: *traffic.buyservices* Family Name: Cookies Clean status: Success Item ID: 409120 Family ID: 0
Description: www.buy* Family Name: Cookies Clean status: Success Item ID: 409113 Family ID: 0
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
Description: *estat* Family Name: Cookies Clean status: Success Item ID: 408873 Family ID: 0
Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
Description: *clickbank* Family Name: Cookies Clean status: Success Item ID: 408890 Family ID: 0
Description: *apmebf* Family Name: Cookies Clean status: Success Item ID: 409163 Family ID: 0
Description: *mediaplex* Family Name: Cookies Clean status: Success Item ID: 408991 Family ID: 0
Description: *trafficmp* Family Name: Cookies Clean status: Success Item ID: 408787 Family ID: 0
Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
Description: *fastclick* Family Name: Cookies Clean status: Success Item ID: 408869 Family ID: 0
Description: *questionmarket* Family Name: Cookies Clean status: Success Item ID: 408819 Family ID: 0
Description: *tacoda* Family Name: Cookies Clean status: Success Item ID: 409123 Family ID: 0
Description: *.bridgetrack* Family Name: Cookies Clean status: Success Item ID: 409095 Family ID: 0
Description: *statcounter* Family Name: Cookies Clean status: Success Item ID: 409185 Family ID: 0
Description: *rambler* Family Name: Cookies Clean status: Success Item ID: 408818 Family ID: 0
Description: *kontera* Family Name: Cookies Clean status: Success Item ID: 409363 Family ID: 0
Description: *.zedo* Family Name: Cookies Clean status: Success Item ID: 409030 Family ID: 0
Description: *real* Family Name: Cookies Clean status: Success Item ID: 408817 Family ID: 0
Description: *247realmedia* Family Name: Cookies Clean status: Success Item ID: 408945 Family ID: 0
Description: *realmedia* Family Name: Cookies Clean status: Success Item ID: 409139 Family ID: 0
Description: *adserve* Family Name: Cookies Clean status: Success Item ID: 409020 Family ID: 0
Description: *unicast* Family Name: Cookies Clean status: Success Item ID: 409281 Family ID: 0
Description: *casalemedia* Family Name: Cookies Clean status: Success Item ID: 409152 Family ID: 0
Description: *adbrite* Family Name: Cookies Clean status: Success Item ID: 409218 Family ID: 0
Description: *tribalfusion* Family Name: Cookies Clean status: Success Item ID: 408785 Family ID: 0
Description: *insightexpressai* Family Name: Cookies Clean status: Success Item ID: 409259 Family ID: 0
Description: *bs.serving-sys* Family Name: Cookies Clean status: Success Item ID: 408902 Family ID: 0
Description: *serving-sys* Family Name: Cookies Clean status: Success Item ID: 409130 Family ID: 0
Description: *coremetrics* Family Name: Cookies Clean status: Success Item ID: 409008 Family ID: 0
Description: *data.coremetrics* Family Name: Cookies Clean status: Success Item ID: 409220 Family ID: 0
Description: *adbureau* Family Name: Cookies Clean status: Success Item ID: 409027 Family ID: 0
Description: *bizrate.co* Family Name: Cookies Clean status: Success Item ID: 409154 Family ID: 0
Description: *omniture* Family Name: Cookies Clean status: Success Item ID: 408835 Family ID: 0
Description: *.stats.esomniture* Family Name: Cookies Clean status: Success Item ID: 409181 Family ID: 0
Description: *overture* Family Name: Cookies Clean status: Success Item ID: 408834 Family ID: 0
Description: *overstock* Family Name: Cookies Clean status: Success Item ID: 409142 Family ID: 0
Description: stat.dealtime* Family Name: Cookies Clean status: Success Item ID: 409126 Family ID: 0
Description: *dealtime* Family Name: Cookies Clean status: Success Item ID: 409235 Family ID: 0
Description: www.new* Family Name: Cookies Clean status: Success Item ID: 409109 Family ID: 0
Description: *adserver* Family Name: Cookies Clean status: Success Item ID: 408737 Family ID: 0
Description: *adtech* Family Name: Cookies Clean status: Success Item ID: 409018 Family ID: 0
Description: *adfarm1.adition* Family Name: Cookies Clean status: Success Item ID: 409171 Family ID: 0
Description: *statse.webtrends* Family Name: Cookies Clean status: Success Item ID: 408803 Family ID: 0
Description: *webtrendslive* Family Name: Cookies Clean status: Success Item ID: 408954 Family ID: 0
Description: *.webtrendslive* Family Name: Cookies Clean status: Success Item ID: 409033 Family ID: 0
Description: *statse.webtrendslive* Family Name: Cookies Clean status: Success Item ID: 409269 Family ID: 0
Description: *betanews* Family Name: Cookies Clean status: Success Item ID: 409366 Family ID: 0
Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0

Quarantined items:
Description: C:\System Volume Information\_restore{623B90B6-EE30-41CA-AAF4-AB3240FFA45D}\RP2\A0000003.exe Family Name: Win32.Adware.Dap Clean status: Success Item ID: 1386166 Family ID: 5458

Scan and cleaning complete: Finished correctly after 1448 seconds

*********************************** Settings ***********************************

Scan profile:
ID: defaultprofile, enabled:1, value: Default Profile
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value: C:\
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480
ID: scanrootkits, enabled:1, value: true

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Wed Jan 28 10:29:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Wed Jan 28 10:29:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: true
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: usespywareheuristics, enabled:0, value: false
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: YUHRTW
Processor name: Intel(R) Pentium(R) 4 CPU 2.40GHz
Processor identifier: x86 Family 15 Model 2 Stepping 7
Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 519, number of processors 1
Physical memory available: 463400960 bytes
Physical memory total: 1072480256 bytes
Virtual memory available: 1943105536 bytes
Virtual memory total: 2147352576 bytes
Memory load: 56%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 624 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 692 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 716 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 760 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 772 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 928 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 996 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1092 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1220 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1456 name: E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1556 name: E:\Program Files\Alwil Software\Avast4\ashServ.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1924 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 480 name: C:\WINDOWS\Explorer.EXE owner: Yury domain: YUHRTW
PID: 496 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
PID: 384 name: C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 132 name: C:\Program Files\iolo\common\lib\ioloServiceManager.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1052 name: E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe owner: Yury domain: YUHRTW
PID: 1148 name: E:\Program Files\Process Lasso\processlasso.exe owner: Yury domain: YUHRTW
PID: 1208 name: C:\Program Files\Logitech\MouseWare\system\em_exec.exe owner: Yury domain: YUHRTW
PID: 1204 name: E:\Program Files\Process Lasso\processgovernor.exe owner: Yury domain: YUHRTW
PID: 1300 name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1304 name: E:\Program Files\NoAdware\NoAdware5.exe owner: Yury domain: YUHRTW
PID: 1408 name: C:\WINDOWS\system32\pctspk.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1692 name: E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 808 name: E:\Program Files\Alwil Software\Avast4\ashWebSv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 356 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1248 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 3620 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4016 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1812 name: C:\WINDOWS\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3716 name: E:\Program Files\Mozilla Firefox\firefox.exe owner: Yury domain: YUHRTW
PID: 3824 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Yury domain: YUHRTW

Startup items:
Name: RunNarrator
imagepath: Narrator.exe
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name: Logitech Utility
imagepath: Logi_MwX.Exe
Name: avast!
imagepath: E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Name: ProcessSupervisorGUI
imagepath: E:\Program Files\Process Lasso\processlasso.exe
Name: ProcessGovernor
imagepath: E:\Program Files\Process Lasso\processgovernor.exe
Name: Adobe Reader Speed Launcher
imagepath: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: WPDShServiceObj
imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name:
imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Name:
imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *
Name:
imagepath: autocheck smrgdf C:\Documents and Settings\Yury\Application Data\iolo\
Name:
imagepath: lsdelete

Running services:
Name: ALG
displayname: Application Layer Gateway Service
Name: aswUpdSv
displayname: avast! iAVS4 Control Service
Name: AudioSrv
displayname: Windows Audio
Name: avast! Antivirus
displayname: avast! Antivirus
Name: avast! Mail Scanner
displayname: avast! Mail Scanner
Name: avast! Web Scanner
displayname: avast! Web Scanner
Name: Bonjour Service
displayname: Bonjour Service
Name: CryptSvc
displayname: CryptSvc
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: dmserver
displayname: Logical Disk Manager
Name: ERSvc
displayname: Error Reporting Service
Name: Eventlog
displayname: Event Log
Name: EventSystem
displayname: COM+ Event System
Name: gusvc
displayname: Google Updater Service
Name: helpsvc
displayname: Help and Support
Name: HidServ
displayname: HID Input Service
Name: ioloFileInfoList
displayname: iolo FileInfoList Service
Name: ioloSystemService
displayname: iolo System Service
Name: lanmanworkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: LightScribeService
displayname: LightScribeService Direct Disc Labeling Service
Name: LmHosts
displayname: TCP/IP NetBIOS Helper
Name: Netman
displayname: Network Connections
Name: Nla
displayname: Network Location Awareness (NLA)
Name: NWCWorkstation
displayname: Client Service for NetWare
Name: Pctspk
displayname: PCTEL Speaker Phone
Name: PlugPlay
displayname: Plug and Play
Name: ProtectedStorage
displayname: Protected Storage
Name: RasMan
displayname: Remote Access Connection Manager
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: SSDPSRV
displayname: SSDP Discovery Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: TapiSrv
displayname: Telephony
Name: Themes
displayname: Themes
Name: W32Time
displayname: Windows Time
Name: winmgmt
displayname: Windows Management Instrumentation
Name: wscsvc
displayname: Security Center
Name: WZCSVC
displayname: Wireless Zero Configuration
------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:17 AM, on 10/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Process Lasso\processlasso.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
E:\Program Files\Process Lasso\processgovernor.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\Program Files\NoAdware\NoAdware5.exe
C:\WINDOWS\system32\pctspk.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: Babylon Plug In - {A057A204-BACC-4D26-9E83-2DB586E27190} - C:\PROGRA~1\BABYLO~1\BABYLO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: Babylon Plug In - {A057A204-BACC-4D26-9E83-2DB586E27190} - C:\PROGRA~1\BABYLO~1\BABYLO~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ProcessSupervisorGUI] E:\Program Files\Process Lasso\processlasso.exe
O4 - HKLM\..\Run: [ProcessGovernor] E:\Program Files\Process Lasso\processgovernor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TClockEx] E:\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [NoAdware5] "E:\Program Files\NoAdware\NoAdware5.exe" :Min:
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/Nirva.../PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1236737152390
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcpitstop.com/Nirva...iskMD3Ctrl.dll
O16 - DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Nirva...pAntiVirus.dll
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Nirva...pcpitstop2.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 8972 bytes
-------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/18/2009 10:11:50 AM
mbam-log-2009-10-18 (10-11-50).txt

Scan type: Quick Scan
Objects scanned: 105989
Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\DealAssistant (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
------------------------------------------------------------------------
SAS, AdAware and NoAdware do not have their logfiles in Notepad format; available only as Bitmap files readable by M$ Picture and Fax Viewer.
  #8  
Old 22nd Oct 2009, 17:26
Moderator
Posts: 7,545
 
I highly suggest uninstalling NoAdware. This is not a trusted tool. See here: http://www.mywot.com/en/scorecard/NoAdware.com

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

  • F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
  • Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
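A small triage helper for entry lines in the HijackThis log format posted above, added here as an example; it is not part of the thread and not code from HijackThis. It parses each "<code> - <body>" line, pulls out the program path, and attaches review notes a helper would want checked before "Fix checked" (bare filenames resolved via the search path, binaries outside Windows/Program Files, services with no publisher string, an unrecognised Winsock LSP). The sample input is a handful of lines copied from the log in post #7; the rules and the `STANDARD_DIRS` list are my own assumptions, not the tool's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Shape of a HijackThis entry line: "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] path".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# Body of an O4 (autostart) entry: "<registry key>: [<name>] <command line>".
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Directory fragments treated as "expected" locations (assumption for this example).
STANDARD_DIRS = ("\\windows\\", "\\program files\\", "\\progra~1\\")


@dataclass
class Entry:
    code: str                       # R1, F2, O4, O23, ...
    body: str                       # everything after "<code> - "
    path: str = ""                  # program/DLL path extracted from the body, if any
    notes: List[str] = field(default_factory=list)


def first_token(cmd: str) -> str:
    """Return the program path from a Run command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line into an Entry, or None if it is not an entry line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    path = ""
    if code == "O4":
        m4 = O4_RE.match(body)
        if m4:
            path = first_token(m4.group("cmd"))
    elif code in ("O2", "O3", "O23"):
        # These entries end with " - <path>"; drop an optional "(HKCU)" marker.
        path = body.rsplit(" - ", 1)[-1].replace(" (HKCU)", "")
    elif code == "F2":
        path = body.split("=", 1)[-1]
    elif code == "O10":
        path = body.split(": ", 1)[-1]
    return Entry(code, body, path)


def triage(entry: Entry) -> List[str]:
    """Review notes for one entry: what to verify before fixing it (defender's view)."""
    notes = []
    p = entry.path.lower()
    if entry.code == "O4" and p and "\\" not in p:
        notes.append("bare filename, resolved via the search path: check which file runs")
    if entry.code in ("O2", "O3", "O4", "O23") and "\\" in p \
            and not any(d in p for d in STANDARD_DIRS):
        notes.append("outside Windows/Program Files: confirm it is software you installed")
    if entry.code == "O23" and "Unknown owner" in entry.body:
        notes.append("service has no publisher string: confirm the binary's origin")
    if entry.code == "O10":
        notes.append("LSP unknown to the tool: identify the DLL before removing it")
    return notes


def summarize(log_text: str) -> Dict[str, object]:
    """Parse a whole log, count entries per code and collect the flagged ones."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    for e in entries:
        e.notes = triage(e)
    codes = sorted({e.code for e in entries})
    return {
        "total": len(entries),
        "by_code": {c: sum(1 for e in entries if e.code == c) for c in codes},
        "flagged": [e for e in entries if e.notes],
    }


# Sample input: lines copied from the HijackThis log in post #7 of this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Babylon Plug In - {A057A204-BACC-4D26-9E83-2DB586E27190} - C:\PROGRA~1\BABYLO~1\BABYLO~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TClockEx] E:\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [NoAdware5] "E:\Program Files\NoAdware\NoAdware5.exe" :Min:
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("entries:", result["total"], result["by_code"])
    for e in result["flagged"]:
        print(f"{e.code}: {e.path or e.body}")
        for n in e.notes:
            print("   -", n)
```

Path-based notes only say where to look; a reputation check on the vendor (as the moderator does for NoAdware above) is a separate step.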

  #9  
Old 22nd Oct 2009, 18:06
Full Member
Posts: 22
 
Thank you.
Your last post is full of info, I'll follow your instructions tomorrow morning, as potential mistakes are easier to make now :-).
Once, on somebody's advice, I ran Combofix. I understand that it must be a good program, but... I need somebody's help to analyze its results and one has to be very alert handling it.
Night brings counsel.
See you tomorrow.
  #10  
Old 22nd Oct 2009, 19:12
Moderator
Posts: 7,545
 
No problem.

If you already have ComboFix be sure to delete it and download a new copy. I will analyze the log and let you know if anything else needs to be done.

Copyright 2006 - 2010 Computer Juice.