August 17th, 2010 11:00

Explorer redirected to unknown locations and banking information accessed (and used) from PC

I'm working on an issue with my son's Dell PC. For the past month or so they noticed a redirect of most searches. It didn't seem to matter if you used a favorite or manually entered a URL. It is especially troublesome to download a file. Also, last week they got a letter from their bank indicating their address was changed. The bank indicated it was done online. I suspect someone accessed the information via a virus or trojan of some sort. I tried running the Norton virus scan but it doesn't run. I ran "HijackThis" and see a few entries that are very suspect.

 For example:   "C:\WINDOWS\Mjizab.exe" 

and   "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local"

I assume I could just delete the registry entries and try but don't know how many others should be deleted.

Any help on how to proceed will be greatly appreciated.

Thanks,

Larry G

18 Posts

August 17th, 2010 11:00

Sorry, I forgot to attach the HijackThis log to my original post.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:24:26 PM, on 8/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\DOCUME~1\A&C.SON\LOCALS~1\Temp\Mqx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\Mjizab.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoDownloader.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ?\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\A&C.SON\LOCALS~1\Temp\Mqx.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\A&C.SON\Application Data\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [V71IQL7HI7] C:\WINDOWS\Mjizab.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?s=100000337&p=ZUxdm265YYUS&si=5235&a=EiZtPMJIwSyRJA2KVrHW2Q&n=2010041919
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} (Image Uploader Control) - http://coborns.lifepics.com/net/Uploader/LPUploader57.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A0FE1A7-392C-4612-8E29-C944CFA338BC}: NameServer = 93.188.163.9,93.188.166.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1B0C432-8804-4466-B4A7-B5EC03032891}: NameServer = 93.188.163.9,93.188.166.244
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.9,93.188.166.244
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: mcupdmgr.exe - Sygate Technologies, Inc. - (no file)
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

--
End of file - 10458 bytes

1.1K Posts

August 17th, 2010 13:00

Hi BuckRidge,

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE

** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE

Please proceed as follows :-

Step 1

Please re-open HiJackThis and scan only.  Check the boxes next to all the entries listed below.

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\A&C.SON\LOCALS~1\Temp\Mqx.exe
O4 - HKCU\..\Run: [V71IQL7HI7] C:\WINDOWS\Mjizab.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?s=100000337&p=ZUxdm265YYUS&si=5235&a=EiZtPMJIwSyRJA2KVrHW2Q&n=2010041919
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A0FE1A7-392C-4612-8E29-C944CFA338BC}: NameServer = 93.188.163.9,93.188.166.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1B0C432-8804-4466-B4A7-B5EC03032891}: NameServer = 93.188.163.9,93.188.166.244
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.9,93.188.166.244
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)


Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.  Reboot

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to ALLOW the changes. Instructions available HERE
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware

Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from HERE and just double-click on mbam-rules.exe to install.

On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Step 3

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget Combofix must be saved to your desktop. <--Very important

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

Step 4

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What I'd like in your reply :-

  • Log from Malwarebytes
  • Log from Combofix
  • Log from Security Checks


Kevin
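A defender-side triage of the HijackThis log posted above, as an added example that is not part of this thread and is not code from HijackThis or from either participant. It encodes the heuristics behind the entries Kevin picked out in Step 1: O3/O23 entries whose target file no longer exists, O4 Run values with random-looking names that launch from a Temp directory or straight from the Windows directory, and O17 NameServer entries that point at resolvers the household has no reason to use. The sample lines are copied from the log in this thread; the expected-resolver set (EXPECTED_DNS) is an assumed placeholder, and the random-name and path rules are this example's own heuristics, not HijackThis logic.

```python
import re
import ipaddress

# Constructed sample: a subset of the HijackThis lines posted in this thread,
# with one benign line per section kept beside the suspect one for contrast.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\A&C.SON\LOCALS~1\Temp\Mqx.exe
O4 - HKCU\..\Run: [V71IQL7HI7] C:\WINDOWS\Mjizab.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.9,93.188.166.244
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
"""

# Assumed placeholder: resolvers this household expects (typically the router).
# Private (RFC 1918) addresses are always accepted; any other address is flagged.
EXPECTED_DNS = frozenset({"192.168.1.1"})

RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)   # first executable in the command
RANDOM_NAME_RE = re.compile(r'^(?=.*\d.*\d)[A-Z0-9]{8,}$')         # uppercase+digits, at least two digits
TEMP_RE = re.compile(r'\\temp\\', re.IGNORECASE)                  # launched from a Temp directory
WINROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe$', re.IGNORECASE)  # directly in the Windows dir
NS_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,]+)$')


def is_unexpected_dns(addr, expected=EXPECTED_DNS):
    """True when a resolver is neither private nor on the expected list."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable resolver strings deserve a look too
    return not (ip.is_private or addr in expected)


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return (section, reason, line) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        # Orphaned toolbar/service entries: the registry still points at a file that is gone.
        if section in ("O3", "O23") and ("(no file)" in line or "(file missing)" in line):
            findings.append((section, "registry entry points to a missing file", line))
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            exe = EXE_RE.match(cmd)
            path = exe.group("path") if exe else cmd
            reasons = []
            if RANDOM_NAME_RE.match(name):
                reasons.append("random-looking value name")
            if TEMP_RE.search(path):
                reasons.append("autorun from a Temp directory")
            if WINROOT_RE.match(path):
                reasons.append("executable dropped directly in the Windows directory")
            if reasons:
                findings.append((section, "; ".join(reasons), line))
            continue
        m = NS_RE.match(line)
        if m:
            bad = [s for s in m.group("servers").split(",") if is_unexpected_dns(s, expected_dns)]
            if bad:
                findings.append((section, "DNS resolver(s) not expected here: " + ", ".join(bad), line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the full posted log, the script surfaces the same O3, O4, O17 and O23 lines Kevin listed for "Fix Checked"; the O8 mywebsearch context-menu item is left to manual review because a URL-based rule would need a reputation list the example does not carry. The O17 rule is the one most worth keeping around: a resolver the owner did not configure is exactly how the redirects in the first post happen, and it survives a browser reinstall.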

18 Posts

August 17th, 2010 16:00

Log from Malwarebytes

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

8/17/2010 4:33:47 PM
mbam-log-2010-08-17 (16-33-47).txt

Scan type: Quick scan
Objects scanned: 128805
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 80
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 4
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{df058c45-cd18-453e-8745-5a77f60722ab} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5a33c35-7298-4d15-8753-a2e851e2eab3} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d2b812-752d-4af1-a2fb-968c4d8446db} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e856b973-45fd-4559-8f82-eab539144667} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWebSearchService (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.multiplebutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.multiplebutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.urlalertbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.urlalertbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe  (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adwareprj.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus_pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusplus (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusplus.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcare.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\savedefense.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alphaav (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alphaav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antispywarxp2009.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-virus professional.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiviruspro_2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quickhealcleaner.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safetykeeper.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\savearmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secure veteran.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securityfighter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\softsafeness.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustwarrior.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows police pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\malwareremoval.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc_antispyware2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\peravir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quick heal.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\save.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\savekeep.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\security center.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w3asbas.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@mywebsearch.com/Plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a0fe1a7-392c-4612-8e29-c944cfa338bc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a0fe1a7-392c-4612-8e29-c944cfa338bc}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b1b0c432-8804-4466-b4a7-b5ec03032891}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b1b0c432-8804-4466-b4a7-b5ec03032891}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\A&C.SON\Application Data\My Security Engine (Rogue.MySecurityEngine) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
C:\Documents and Settings\A&C.SON\Local Settings\Temp\packupdate_build107_2045[1].exe (Trojan.Fraudload) -> Quarantined and deleted successfully.
C:\Documents and Settings\A&C.SON\Desktop\My Security Engine.lnk (Rogue.MySecurityEngine) -> Quarantined and deleted successfully.
C:\Documents and Settings\A&C.SON\Start Menu\My Security Engine.lnk (Rogue.MySecurityEngine) -> Quarantined and deleted successfully.
C:\Documents and Settings\A&C.SON\Start Menu\Programs\My Security Engine.lnk (Rogue.MySecurityEngine) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\svchost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\f3PSSavr.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Log from ComboFix

ComboFix 10-08-17.02 - A&C 08/17/2010  16:59:05.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.250 [GMT -5:00]
Running from: c:\documents and settings\A&C.SON\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\A&C.SON\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\A&C.SON\Recent\snl2w.drv
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\ernel32.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


(((((((((((((((((((((((((   Files Created from 2010-07-17 to 2010-08-17  )))))))))))))))))))))))))))))))
.

2010-08-17 21:37 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\317yW17y.dll
2010-08-17 21:17 . 2010-08-17 21:17 -------- d-----w- c:\documents and settings\A&C.SON\Application Data\Malwarebytes
2010-08-17 21:17 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 21:17 . 2010-08-17 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-17 21:17 . 2010-08-17 21:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 21:17 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 20:50 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\317o3oC9.dll
2010-08-17 20:38 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9u179aA79.dll
2010-08-16 21:18 . 2010-08-16 21:18 -------- d-----w- c:\program files\Trend Micro
2010-08-16 21:15 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\79o1793.dll
2010-08-14 17:11 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\C17u3m7g.dll
2010-08-13 21:03 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7eIQ79c.dll
2010-08-11 12:29 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5q555.dll
2010-08-11 00:12 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5eIQG.dll
2010-08-08 21:49 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555s5.dll
2010-08-08 21:44 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17s3e7.dll
2010-08-08 21:39 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5mYWS.dll
2010-08-07 13:47 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31u9m1gM.dll
2010-08-05 20:50 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EIQG1i.dll
2010-08-04 23:33 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1m93wS.dll
2010-08-04 22:30 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\iQ7wSKU9.dll
2010-08-01 23:54 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\931i93q79.dll
2010-08-01 19:05 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31yWSKU9.dll
2010-07-31 11:33 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EI793q79.dll
2010-07-29 23:30 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\S9317yW.dll
2010-07-24 18:47 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\793a793.dll
2010-07-23 22:04 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17yWSK.dll
2010-07-23 21:59 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5uOC5.dll
2010-07-22 19:48 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\SK9y17.dll
2010-07-22 00:14 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\c555y.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-14 22:11 . 2010-06-25 01:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-13 22:38 . 2010-06-14 22:03 172544 ----a-w- c:\windows\Mjizab.exe
2010-06-13 22:36 . 2010-06-13 22:36 172544 ----a-w- c:\windows\Mjizaa.exe
2010-06-13 22:36 . 2010-06-13 22:36 74752 ----a-w- c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe
2004-08-04 11:00 . 2004-08-04 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2004-08-04 11:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2004-08-04 11:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2004-08-04 11:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2004-08-04 11:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2004-08-04 11:00 343040 --sha-w- c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 . 2004-08-04 11:00 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2004-08-04 11:00 84992 --sha-w- c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 . 2004-08-04 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="?\WkDetect.exe" [?]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 524288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-03 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Skype"="c:\documents and settings\A&C.SON\Application Data\Skype\Phone\Skype.exe" [2010-06-13 180736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-01-17 26112]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-11-14 114800]
"SmcService"="c:\progra~1\Sygate\SSA\smc.exe" [2004-08-14 2532576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Microsoft Greetings Reminders.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Microsoft Greetings Reminders.lnk
backup=c:\windows\pss\Microsoft Greetings Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax.com Tray Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax.com Tray Menu.lnk
backup=c:\windows\pss\eFax.com Tray Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=c:\windows\pss\Live Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sensory Profile Conduit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Sensory Profile Conduit.lnk
backup=c:\windows\pss\Sensory Profile Conduit.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
2007-10-09 21:21 169328 ----a-w- c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-09-14 14:50 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2004-09-14 14:50 131072 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-01-04 20:17 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 15:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-03 04:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MpfService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

R0 ezgmntr;EZ GIG II Backup Archive Explorer;c:\windows\SYSTEM32\DRIVERS\ezgmntr.sys [6/17/2006 10:36 PM 213760]
R2 ezgfsfilt;EZ GIG II FS Filter;c:\windows\SYSTEM32\DRIVERS\ezgfsfilt.sys [6/17/2006 10:36 PM 28800]
R2 ptssvc;ptssvc;c:\program files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe [1/22/2005 11:21 AM 36864]
R3 Eacfilt;Eacfilt Miniport;c:\windows\SYSTEM32\DRIVERS\eacfilt.sys [1/21/2005 5:32 PM 9817]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 9:46 AM 135664]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\SYSTEM32\DRIVERS\ipsecw2k.sys [1/21/2005 5:32 PM 137392]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\Maga\Maga.exe [8/10/2004 6:05 PM 328936]
.
Contents of the 'Scheduled Tasks' folder

2010-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:46]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:46]

2005-01-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

2010-08-17 c:\windows\Tasks\MSWD-bfc50cca.job
- c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe [2010-06-13 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 17:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(916)
c:\windows\system32\SSSensor.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SSA\smc.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-17  17:28:35 - machine was rebooted
ComboFix-quarantined-files.txt  2010-08-17 22:28

Pre-Run: 10,119,938,048 bytes free
Post-Run: 11,256,483,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 519A46CA8AD64902919C97E507E72063

I was unable to run "Security Checks".  I downloaded it to the desktop but when I attempt to run it, it gives the following: "the system cannot find the specified path".

Also, after the last reboot, Symantec Antivirus gives the following warning.  Note: This is NEW and I have not seen it before.

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Infostealer
File:  C:\WINDOWS\SYSTEM32\ernel32.dll
Location:  C:\WINDOWS\SYSTEM32
Computer:  SON
User:  A&C
Action taken:  Clean failed : Quarantine failed : Access denied
Date found: Tuesday, August 17, 2010  5:43:17 PM
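
The two logs above carry most of what an analyst needs: Malwarebytes records the Image File Execution Options keys (the "Security.Hijack" entries), the NameServer values the Trojan.DNSChanger planted, and ComboFix lists the run of randomly named 74752-byte DLLs under prtprocs together with the MSWD-bfc50cca.job task that points into Application Data. The script below is an added example for this thread, not code from ComboFix, Malwarebytes or Dell; it parses lines in exactly the formats shown and applies four checks an engineer would automate when reading such logs: clusters of same-size, same-mtime files dropped into one directory, resolver addresses outside an allow-list, any IFEO key, and scheduled tasks whose target sits under a user profile. The sample lines are copied from the logs posted above; the resolver allow-list, the three-file cluster threshold and all function names are assumptions of this example.

```python
"""Triage helper for ComboFix / Malwarebytes log lines (added example; not a
tool from ComboFix, Malwarebytes or Dell)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# ComboFix "Files Created" / "Find3M" entry: <created> . <modified> <size> <attrs> <path>
CF_FILE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)
# Malwarebytes "Registry Data Items" line carrying a (Dhcp)NameServer value
NS_VALUE = re.compile(
    r"\\Tcpip\\Parameters\\(?:Interfaces\\\{[0-9a-f-]+\}\\)?(?:Dhcp)?NameServer\b"
    r".*?Data: (?P<data>[0-9.,]+)",
    re.IGNORECASE,
)
# A key under Image File Execution Options redirects the launch of that program
IFEO_KEY = re.compile(r"\\Image File Execution Options\\(?P<exe>[^\s\\]+)",
                      re.IGNORECASE)
# ComboFix scheduled-task target line: "- <path> [<timestamp>]"
TASK_TARGET = re.compile(r"^- (?P<path>.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")

# ASSUMPTION: resolvers this network is expected to use; any other address in a
# NameServer value is reported as a hijack.
TRUSTED_RESOLVERS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"),
                     ip_network("8.8.8.8/32"), ip_network("8.8.4.4/32")]

# Lines copied from the logs posted in this thread; mbamswissarmy.sys and the
# Google Update task are included as benign controls.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a0fe1a7-392c-4612-8e29-c944cfa338bc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
2010-08-17 21:37 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\317yW17y.dll
2010-08-17 20:50 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\317o3oC9.dll
2010-08-17 20:38 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9u179aA79.dll
2010-08-17 21:17 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 c:\windows\Tasks\MSWD-bfc50cca.job
- c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe [2010-06-13 22:36]
2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:46]
""".strip().splitlines()


def trusted_resolver(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # garbage in a NameServer value is itself suspicious
    return any(addr in net for net in TRUSTED_RESOLVERS)


def find_dropper_clusters(lines, min_count=3):
    """Files in one directory sharing size and last-write time.

    A dropper that keeps writing copies of one payload under random names leaves
    entries with different creation times but identical size and identical
    (copied) mtime; min_count or more in a directory is reported (threshold is
    an assumption)."""
    groups = defaultdict(list)
    for line in lines:
        m = CF_FILE.match(line.strip())
        if m:
            directory = m["path"].rsplit("\\", 1)[0].lower()
            groups[(directory, int(m["size"]), m["modified"])].append(m["path"])
    return {key: paths for key, paths in groups.items() if len(paths) >= min_count}


def find_rogue_resolvers(lines):
    """NameServer / DhcpNameServer addresses outside TRUSTED_RESOLVERS."""
    rogue = set()
    for line in lines:
        m = NS_VALUE.search(line)
        if m:
            rogue.update(ip for ip in m["data"].split(",")
                         if ip and not trusted_resolver(ip))
    return sorted(rogue)


def find_ifeo_hijacks(lines):
    """Program names that have an Image File Execution Options key."""
    return sorted({m["exe"].lower() for line in lines
                   for m in IFEO_KEY.finditer(line)})


def find_profile_tasks(lines):
    """Scheduled-task targets that live under a user's Application Data."""
    hits = []
    for line in lines:
        m = TASK_TARGET.match(line.strip())
        if m and "\\application data\\" in m["path"].lower():
            hits.append(m["path"])
    return hits


def triage(lines):
    return {
        "dropper_clusters": find_dropper_clusters(lines),
        "rogue_resolvers": find_rogue_resolvers(lines),
        "ifeo_hijacks": find_ifeo_hijacks(lines),
        "profile_tasks": find_profile_tasks(lines),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The cluster check is the one worth keeping in mind when reading the full ComboFix listing: every prtprocs DLL has its own creation time but the same 2010-06-13 22:36 last-write time, which is also the timestamp ComboFix reports for c:\windows\Mjizaa.exe and the bfc50cca.exe task target, so one dropper stamping copies of itself is a far more likely explanation than twenty-odd independent installs. The IFEO check deliberately reports every key rather than only known security-tool names, because on a home PC there is rarely a legitimate reason for any of them.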

 

 

18 Posts

August 17th, 2010 19:00

Kevinf80,

First of all thank you for the help so far.  I realize there may be multiple issues with the PC.    I don't know where the "infostealer" trojan came from.  I had not seen it prior to running "hijackthis", "malwarebytes", and "combofix".  These three ran ok and fixed numerous things.  I could not run "security checks" because it would fail indicating path not found.   I saved it to the desktop and attempt to run it.  I didn't try to figure out what was wrong because at that time the infostealer trojan was detected on the pc.   Where should I go from here?   What is the best way to remove "infostealer"?   Thanks again for the help.  

1.1K Posts

August 18th, 2010 03:00

Hi buckridge,

If you look at the Combofix log you'll see that the entry c:\windows\system32\ernel32.dll has already been dealt with. Malwarebytes has done an excellent job and the follow up with CF has more or less finished it off. Still some work to do.
You are right to be worried about the infection, if the PC has been used for any financial transactions or banking etc, I'd definitely contact the appropriate dept and inform them. Change all security references to bank and credit card details etc etc.
I'd also change passwords to any of these functions from a known clean PC until we are sure we have this one clear.

Your AV program was still active during the last CF run, make sure it's off this time.

Proceed as follows :-

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text between the dotted lines below into it:

------------------------------------------------------------------------------------------------------------------------------

KillAll::
File::
c:\windows\Mjizab.exe
c:\windows\Mjizaa.exe
c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

------------------------------------------------------------------------------------------------------------------------------

Save this as CFScript.txt, in the same location as ComboFix.exe

[user posted image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 2

  • Re-open Malwarebytes and check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

Run an online virus scan with Kaspersky from HERE. This scan is very thorough and may take several hours to run, please allow it to complete.
1. At the main page, press "Accept" after reading the contents.
2. At the next window select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon Select My Computer to start the scan.
4. Select Scan Report.
5. If any threats were found they will appear in the report
6. Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

The following animation may help.

Kaspersky Gif

It is really important to get Security Checks to run, this gives an overview of your system and pinpoints any vulnerabilities to your security system, Java, Adobe etc. Delete the one you have on your Desktop and try again please.

What I'd like in your reply :-

  • Log from Combofix
  • Log from Malwarebytes
  • Log from Kaspersky
  • Log from Security Checks if possible.
  • Update on your system, any specific issues?
Kevin.

18 Posts

August 18th, 2010 16:00

Kevin,

Well, I made some progress but still could not get some things to run. 

I copied the data to a CFScript.txt file and moved it to Combofix.  However, at the time I didn't see to run Combofix.

I then started Malwarebytes however just as yesterday the update failed.  I ran it and attached the log below.  At this time I realized you probably wanted Combofix run so I did that and the log is attached below.  

I tried numerous times to run Kaspersky scan but for some reason it seemed to think Java wasn't loaded.  I uninstalled and reinstalled Java both directly from java and following the link provided by Kaspersky.   Java says its installed but for some reason Kaspersky doesn't recognize it.

I also could not get Security Check to run.  I deleted it, loaded it to desktop and other locations but it still indicates path problems.  Does not recognize the path or command.

I disabled/stopped Norton AV.  However, during the middle of Combofix, it enabled itself.  I don't know why.

I'm not sure where to go from here.  I would like to get the two programs that don't work to run.

**************************************************************************************************************

ComboFix 10-08-17.04 - A&C 08/18/2010  15:34:54.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.228 [GMT -5:00]
Running from: c:\documents and settings\A&C.SON\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ernel32.dll

.
(((((((((((((((((((((((((   Files Created from 2010-07-18 to 2010-08-18  )))))))))))))))))))))))))))))))
.

2010-08-18 20:19 . 2010-08-18 20:18 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-18 20:11 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\KUOCE93.dll
2010-08-18 19:40 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\I93q7wS.dll
2010-08-18 00:43 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\3iQ931o9.dll
2010-08-17 23:11 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CEI55.dll
2010-08-17 22:39 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\a793s7.dll
2010-08-17 21:37 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\317yW17y.dll
2010-08-17 21:17 . 2010-08-17 21:17 -------- d-----w- c:\documents and settings\A&C.SON\Application Data\Malwarebytes
2010-08-17 21:17 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 21:17 . 2010-08-17 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-17 21:17 . 2010-08-17 21:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 21:17 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 20:50 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\317o3oC9.dll
2010-08-17 20:38 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9u179aA79.dll
2010-08-16 21:18 . 2010-08-16 21:18 -------- d-----w- c:\program files\Trend Micro
2010-08-16 21:15 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\79o1793.dll
2010-08-14 17:11 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\C17u3m7g.dll
2010-08-13 21:03 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7eIQ79c.dll
2010-08-11 12:29 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5q555.dll
2010-08-11 00:12 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5eIQG.dll
2010-08-08 21:49 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555s5.dll
2010-08-08 21:44 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17s3e7.dll
2010-08-08 21:39 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5mYWS.dll
2010-08-07 13:47 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31u9m1gM.dll
2010-08-05 20:50 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EIQG1i.dll
2010-08-04 23:33 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1m93wS.dll
2010-08-04 22:30 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\iQ7wSKU9.dll
2010-08-01 23:54 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\931i93q79.dll
2010-08-01 19:05 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31yWSKU9.dll
2010-07-31 11:33 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EI793q79.dll
2010-07-29 23:30 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\S9317yW.dll
2010-07-24 18:47 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\793a793.dll
2010-07-23 22:04 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17yWSK.dll
2010-07-23 21:59 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5uOC5.dll
2010-07-22 19:48 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\SK9y17.dll
2010-07-22 00:14 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\c555y.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 20:19 . 2005-01-17 19:41 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 20:19 . 2010-08-18 20:19 503808 ----a-w- c:\documents and settings\A&C.SON\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f542f2b-n\msvcp71.dll
2010-08-18 20:19 . 2010-08-18 20:19 499712 ----a-w- c:\documents and settings\A&C.SON\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f542f2b-n\jmc.dll
2010-08-18 20:19 . 2010-08-18 20:19 348160 ----a-w- c:\documents and settings\A&C.SON\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f542f2b-n\msvcr71.dll
2010-08-18 20:19 . 2010-08-18 20:19 61440 ----a-w- c:\documents and settings\A&C.SON\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2996df7d-n\decora-sse.dll
2010-08-18 20:19 . 2010-08-18 20:19 12800 ----a-w- c:\documents and settings\A&C.SON\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2996df7d-n\decora-d3d.dll
2010-08-18 20:18 . 2005-01-17 19:41 -------- d-----w- c:\program files\Java
2010-08-16 21:18 . 2010-08-16 21:18 388096 ----a-r- c:\documents and settings\A&C.SON\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-14 22:11 . 2010-06-25 01:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-13 22:38 . 2010-06-14 22:03 172544 ----a-w- c:\windows\Mjizab.exe
2010-06-13 22:36 . 2010-06-13 22:36 172544 ----a-w- c:\windows\Mjizaa.exe
2010-06-13 22:36 . 2010-06-13 22:36 74752 ----a-w- c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe
2010-06-13 22:36 . 2010-06-13 22:36 74752 ----a-w- c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe
2004-08-04 11:00 . 2004-08-04 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2004-08-04 11:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2004-08-04 11:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2004-08-04 11:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2004-08-04 11:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2004-08-04 11:00 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2004-08-04 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="?\WkDetect.exe" [?]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 524288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-03 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-01-17 26112]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-11-14 114800]
"SmcService"="c:\progra~1\Sygate\SSA\smc.exe" [2004-08-14 2532576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Microsoft Greetings Reminders.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Microsoft Greetings Reminders.lnk
backup=c:\windows\pss\Microsoft Greetings Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax.com Tray Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax.com Tray Menu.lnk
backup=c:\windows\pss\eFax.com Tray Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=c:\windows\pss\Live Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sensory Profile Conduit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Sensory Profile Conduit.lnk
backup=c:\windows\pss\Sensory Profile Conduit.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
2007-10-09 21:21 169328 ----a-w- c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-09-14 14:50 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2004-09-14 14:50 131072 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-01-04 20:17 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 15:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-03 04:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MpfService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

R0 ezgmntr;EZ GIG II Backup Archive Explorer;c:\windows\SYSTEM32\DRIVERS\ezgmntr.sys [6/17/2006 10:36 PM 213760]
R2 ezgfsfilt;EZ GIG II FS Filter;c:\windows\SYSTEM32\DRIVERS\ezgfsfilt.sys [6/17/2006 10:36 PM 28800]
R3 Eacfilt;Eacfilt Miniport;c:\windows\SYSTEM32\DRIVERS\eacfilt.sys [1/21/2005 5:32 PM 9817]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 9:46 AM 135664]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\SYSTEM32\DRIVERS\ipsecw2k.sys [1/21/2005 5:32 PM 137392]
S2 ptssvc;ptssvc;c:\program files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe [1/22/2005 11:21 AM 36864]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\Maga\Maga.exe [8/10/2004 6:05 PM 328936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2010-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:46]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:46]

2005-01-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

2010-08-18 c:\windows\Tasks\MSWD-bfc50cca.job
- c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe [2010-06-13 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Skype - c:\documents and settings\A&C.SON\Application Data\Skype\Phone\Skype.exe

 

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-18 15:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-08-18  15:56:49
ComboFix-quarantined-files.txt  2010-08-18 20:56
ComboFix2.txt  2010-08-17 22:28

Pre-Run: 11,040,063,488 bytes free
Post-Run: 11,038,826,496 bytes free

- - End Of File - - FECCB8EE7CE2E249A33000FBE32C87DE

*****************************************************************************************

 

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

8/18/2010 3:07:35 PM
mbam-log-2010-08-18 (15-07-35).txt

Scan type: Quick scan
Objects scanned: 125301
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a0fe1a7-392c-4612-8e29-c944cfa338bc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a0fe1a7-392c-4612-8e29-c944cfa338bc}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b1b0c432-8804-4466-b4a7-b5ec03032891}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b1b0c432-8804-4466-b4a7-b5ec03032891}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

1.1K Posts

August 19th, 2010 01:00

Hi BuckRidge,

You didn't get the Combofix scriptfix to run, therefore the secondary infections I had in the script have not been dealt with; also it seems this entry c:\windows\system32\ernel32.dll had returned, because CF has removed it again. I've no doubt you have a Rootkit onboard and it is causing the issues. If TDSSKiller is successful and fixes the rootkit, try to update Malwarebytes and re-run it.

Step 1

Let's run TDSSKiller and see if this will find our unwanted guest. Proceed as follows:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Step 2

If TDSSKiller is successful update Malwarebytes and do a quick scan, kill anything it finds.

Step 3

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  • Click the user posted image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on user posted image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the user posted image icon on your desktop.

  • Check user posted image
  • Click the user posted image button.
  • Accept any security warnings from your browser.
  • Check user posted image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push user posted image
  • Push user posted image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the user posted image button.
  • Push user posted image

You can refer to this animation by neomage if needed.
Frequently asked questions available Here

Post relevant logs in your reply, plus a fresh HJT log.

Kevin,
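The "it came back after removal" pattern Kevin describes is visible in the ComboFix logs above: dozens of 74752-byte DLLs under random names in c:\windows\system32\Spool\prtprocs\w32x86, every one carrying the same second timestamp as c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe, plus Malwarebytes findings of NameServer values pointing at 93.188.163.9 and 93.188.166.244. The Python triage script below is an added example for this thread, not part of ComboFix, Malwarebytes or either poster's own steps; it parses such log lines and flags both patterns. The sample lines are copied from the logs above, and `ALLOWED_DNS` is an assumed placeholder for the resolver the LAN should actually hand out.

```python
"""Triage helper for ComboFix 'Files Created' lines and Malwarebytes registry findings.

Added example for this thread; not part of ComboFix, Malwarebytes or the original
posts. Sample lines are copied from the logs posted in the thread; ALLOWED_DNS is an
assumed placeholder for the LAN's expected resolver.
"""
import re
from collections import defaultdict

# ComboFix "Files Created" entry: <first stamp> . <second stamp> <size|--------> <attrs> <path>
# The usual reading of the two columns is created / last-modified; only the pairing matters here.
CF_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Malwarebytes "Registry Data Items Infected" line for a NameServer / DhcpNameServer value.
MBAM_DNS = re.compile(
    r"(?P<key>\S*NameServer) \((?P<detection>[^)]+)\) -> Data: (?P<data>[\d.,]+)"
)

# Sample input copied from the ComboFix log in the thread.
SAMPLE_COMBOFIX = r"""
2010-08-19 16:19 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1uO3o7.dll
2010-08-18 23:47 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\k7931c.dll
2010-08-18 22:59 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\O93mY93.dll
2010-08-18 21:49 . 2010-08-18 21:49 869051 ----a-w- c:\temp\SecurityCheck.exe
2010-08-18 20:19 . 2010-08-18 21:21 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-17 21:17 . 2010-08-17 21:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-13 22:36 . 2010-06-13 22:36 74752 ----a-w- c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe
""".strip().splitlines()

# Sample input copied from the Malwarebytes log in the thread.
SAMPLE_MBAM = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.",
]

ALLOWED_DNS = {"192.168.1.1"}  # assumed placeholder: the resolver this LAN is expected to use


def parse_combofix(lines):
    """Return one dict per file entry; directory entries (size shown as dashes) are skipped."""
    entries = []
    for line in lines:
        m = CF_LINE.match(line.strip())
        if m and m.group("size").isdigit():
            entries.append({
                "created": m.group("created"),
                "modified": m.group("modified"),
                "size": int(m.group("size")),
                "path": m.group("path"),
            })
    return entries


def find_recurring_drops(entries, min_paths=3):
    """Group entries by (size, second timestamp).

    A dropper that re-writes the same payload under a fresh random name keeps the
    payload's size and its original timestamp, so a group whose members share both
    but sit at many different paths is a strong re-infection signal.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["modified"])].append(e["path"])
    return {k: sorted(v) for k, v in groups.items() if len(set(v)) >= min_paths}


def find_dns_changes(lines, allowed=ALLOWED_DNS):
    """Report NameServer values whose resolvers are not in the allow-list."""
    findings = []
    for line in lines:
        m = MBAM_DNS.search(line)
        if not m:
            continue
        servers = m.group("data").split(",")
        rogue = [s for s in servers if s not in allowed]
        if rogue:
            findings.append({"key": m.group("key"), "detection": m.group("detection"), "rogue": rogue})
    return findings


def triage(combofix_lines, mbam_lines, allowed=ALLOWED_DNS):
    """Run both checks and return one report dict."""
    return {
        "recurring_drops": find_recurring_drops(parse_combofix(combofix_lines)),
        "dns_changes": find_dns_changes(mbam_lines, allowed),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_COMBOFIX, SAMPLE_MBAM)
    for (size, stamp), paths in report["recurring_drops"].items():
        print(f"{len(paths)} files of {size} bytes sharing timestamp {stamp}:")
        for p in paths:
            print("   ", p)
    for f in report["dns_changes"]:
        print(f"{f['detection']}: {f['key']} -> {', '.join(f['rogue'])}")
```

Run against the sample lines it reports one group of four files (the three prtprocs DLLs and bfc50cca.exe) and one NameServer value pointing at resolvers outside the allow-list. Grouping on size plus the constant timestamp, rather than on file name, is what makes the randomly named copies fall together; the allow-list check is deliberately strict so that any resolver you did not configure yourself gets surfaced for review.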

18 Posts

August 19th, 2010 13:00

Kevin,

Again, thanks for helping me on this. I don't know if I made any progress today. Because I think I didn't do the ComboFix run correctly yesterday, I tried again today and it looked like it did use the "script" fix. I attached the log after running ComboFix.

PC Reboot

I then loaded and ran "TDSSKILLER". It did not find any infections. Log attached.

PC Rebooted

The web page for the "esetonline" scan would not open. I tried several ways to get there but it seems the site is down.

Ran "malwarebytes"; log attached.

Tried again to run "Security Check" - same results as yesterday: "system cannot find the path specified" etc.

I again tried to run the "Kaspersky" scan but it had the same issues with Java. I thought some Java scripts had issues with IE version 6 (that's what's on this machine). I tried to load IE 8.0 but could not get to the sites (web page not found) when I attempted.

I ran "hijackthis" and attached the log.

Remaining issues (that I know of)

1.  AV still reports a virus detected.

2. Kaspersky online scan does not start

3. Security Checks does not run correctly.

Let me know what you see with these files and if IE 6.0 may be an issue regarding running some things.

Larry G

****************************************************************************************************************

ComboFix 10-08-18.04 - A&C 08/19/2010  11:34:39.3.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.201 [GMT -5:00]
Running from: c:\documents and settings\A&C.SON\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ernel32.dll

.
(((((((((((((((((((((((((   Files Created from 2010-07-19 to 2010-08-19  )))))))))))))))))))))))))))))))
.

2010-08-19 16:19 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1uO3o7.dll
2010-08-18 23:47 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\k7931c.dll
2010-08-18 22:59 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\O93mY93.dll
2010-08-18 21:49 . 2010-08-18 21:49 869051 ----a-w- c:\temp\SecurityCheck.exe
2010-08-18 21:01 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\931gM3179.dll
2010-08-18 20:19 . 2010-08-18 21:21 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-18 20:11 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\KUOCE93.dll
2010-08-18 19:40 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\I93q7wS.dll
2010-08-18 00:43 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\3iQ931o9.dll
2010-08-17 23:11 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CEI55.dll
2010-08-17 22:39 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\a793s7.dll
2010-08-17 21:37 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\317yW17y.dll
2010-08-17 21:17 . 2010-08-17 21:17 -------- d-----w- c:\documents and settings\A&C.SON\Application Data\Malwarebytes
2010-08-17 21:17 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 21:17 . 2010-08-17 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-17 21:17 . 2010-08-17 21:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 21:17 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 20:50 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\317o3oC9.dll
2010-08-17 20:38 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9u179aA79.dll
2010-08-16 21:18 . 2010-08-16 21:18 -------- d-----w- c:\program files\Trend Micro
2010-08-16 21:15 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\79o1793.dll
2010-08-14 17:11 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\C17u3m7g.dll
2010-08-13 21:03 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7eIQ79c.dll
2010-08-11 12:29 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5q555.dll
2010-08-11 00:12 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5eIQG.dll
2010-08-08 21:49 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555s5.dll
2010-08-08 21:44 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17s3e7.dll
2010-08-08 21:39 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5mYWS.dll
2010-08-07 13:47 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31u9m1gM.dll
2010-08-05 20:50 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EIQG1i.dll
2010-08-04 23:33 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1m93wS.dll
2010-08-04 22:30 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\iQ7wSKU9.dll
2010-08-01 23:54 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\931i93q79.dll
2010-08-01 19:05 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31yWSKU9.dll
2010-07-31 11:33 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EI793q79.dll
2010-07-29 23:30 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\S9317yW.dll
2010-07-24 18:47 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\793a793.dll
2010-07-23 22:04 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17yWSK.dll
2010-07-23 21:59 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5uOC5.dll
2010-07-22 19:48 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\SK9y17.dll
2010-07-22 00:14 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\c555y.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 21:22 . 2005-01-17 19:41 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 21:21 . 2005-01-17 19:41 -------- d-----w- c:\program files\Java
2010-08-14 22:11 . 2010-06-25 01:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-13 22:38 . 2010-06-14 22:03 172544 ----a-w- c:\windows\Mjizab.exe
2010-06-13 22:36 . 2010-06-13 22:36 172544 ----a-w- c:\windows\Mjizaa.exe
2010-06-13 22:36 . 2010-06-13 22:36 74752 ----a-w- c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe
2004-08-04 11:00 . 2004-08-04 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2004-08-04 11:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2004-08-04 11:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2004-08-04 11:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2004-08-04 11:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2004-08-04 11:00 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2004-08-04 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="?\WkDetect.exe" [?]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 524288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-03 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-01-17 26112]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-11-14 114800]
"SmcService"="c:\progra~1\Sygate\SSA\smc.exe" [2004-08-14 2532576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Microsoft Greetings Reminders.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Microsoft Greetings Reminders.lnk
backup=c:\windows\pss\Microsoft Greetings Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax.com Tray Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax.com Tray Menu.lnk
backup=c:\windows\pss\eFax.com Tray Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=c:\windows\pss\Live Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sensory Profile Conduit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Sensory Profile Conduit.lnk
backup=c:\windows\pss\Sensory Profile Conduit.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
2007-10-09 21:21 169328 ----a-w- c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-09-14 14:50 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2004-09-14 14:50 131072 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-01-04 20:17 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 15:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-03 04:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MpfService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

R0 ezgmntr;EZ GIG II Backup Archive Explorer;c:\windows\SYSTEM32\DRIVERS\ezgmntr.sys [6/17/2006 10:36 PM 213760]
R2 ezgfsfilt;EZ GIG II FS Filter;c:\windows\SYSTEM32\DRIVERS\ezgfsfilt.sys [6/17/2006 10:36 PM 28800]
R3 Eacfilt;Eacfilt Miniport;c:\windows\SYSTEM32\DRIVERS\eacfilt.sys [1/21/2005 5:32 PM 9817]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\SYSTEM32\DRIVERS\ipsecw2k.sys [1/21/2005 5:32 PM 137392]
.
Contents of the 'Scheduled Tasks' folder

2010-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:46]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:46]

2005-01-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

2010-08-19 c:\windows\Tasks\MSWD-bfc50cca.job
- c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe [2010-06-13 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-19 11:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-08-19  12:00:47
ComboFix-quarantined-files.txt  2010-08-19 17:00
ComboFix2.txt  2010-08-18 20:56
ComboFix3.txt  2010-08-17 22:28

Pre-Run: 10,877,722,624 bytes free
Post-Run: 10,888,007,680 bytes free

- - End Of File - - 552CC6467DB2BB420C2DD2636111C2B8

*************************************************************************************************************

2010/08/19 12:23:50.0203 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/19 12:23:50.0218 ================================================================================
2010/08/19 12:23:50.0218 SystemInfo:
2010/08/19 12:23:50.0218 
2010/08/19 12:23:50.0218 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/19 12:23:50.0218 Product type: Workstation
2010/08/19 12:23:50.0218 ComputerName: SON
2010/08/19 12:23:50.0218 UserName: A&C
2010/08/19 12:23:50.0218 Windows directory: C:\WINDOWS
2010/08/19 12:23:50.0218 System windows directory: C:\WINDOWS
2010/08/19 12:23:50.0218 Processor architecture: Intel x86
2010/08/19 12:23:50.0218 Number of processors: 1
2010/08/19 12:23:50.0218 Page size: 0x1000
2010/08/19 12:23:50.0218 Boot type: Normal boot
2010/08/19 12:23:50.0218 ================================================================================
2010/08/19 12:23:50.0593 Initialize success
2010/08/19 12:24:18.0984 ================================================================================
2010/08/19 12:24:18.0984 Scan started
2010/08/19 12:24:18.0984 Mode: Manual;
2010/08/19 12:24:18.0984 ================================================================================
2010/08/19 12:24:19.0578 abp480n5        (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/08/19 12:24:19.0734 ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/19 12:24:19.0828 ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/19 12:24:19.0921 adpu160m        (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/08/19 12:24:20.0000 aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/19 12:24:20.0140 AFD             (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/19 12:24:20.0234 agp440          (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/08/19 12:24:20.0421 agpCPQ          (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/08/19 12:24:20.0515 Aha154x         (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/08/19 12:24:20.0687 aic78u2         (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/08/19 12:24:20.0750 aic78xx         (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/08/19 12:24:20.0828 AliIde          (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/08/19 12:24:20.0906 alim1541        (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/08/19 12:24:21.0062 amdagp          (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/08/19 12:24:21.0250 amsint          (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/08/19 12:24:21.0437 asc             (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/08/19 12:24:21.0593 asc3350p        (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/08/19 12:24:21.0734 asc3550         (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/08/19 12:24:21.0812 ASCTRM          (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2010/08/19 12:24:21.0984 AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/19 12:24:22.0125 atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/19 12:24:22.0250 Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/19 12:24:22.0421 audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/19 12:24:22.0484 Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/19 12:24:22.0718 cbidf           (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/08/19 12:24:22.0781 cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/19 12:24:22.0875 cd20xrnt        (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/08/19 12:24:22.0937 Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/19 12:24:23.0031 Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/19 12:24:23.0125 cdrbsvsd        (7fc46240546c16c0448c29c9d233b915) C:\WINDOWS\system32\drivers\cdrbsvsd.sys
2010/08/19 12:24:23.0281 Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/19 12:24:23.0500 CmdIde          (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/08/19 12:24:23.0578 Cpqarray        (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/08/19 12:24:23.0640 dac2w2k         (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/08/19 12:24:23.0718 dac960nt        (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/08/19 12:24:23.0812 Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/19 12:24:23.0984 dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/19 12:24:24.0156 dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/19 12:24:24.0312 dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/19 12:24:24.0406 DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/19 12:24:24.0578 dpti2o          (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/08/19 12:24:24.0671 drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/19 12:24:24.0843 drvmcdb         (b15f9e526ba511a48b1b1b8537815740) C:\WINDOWS\system32\drivers\drvmcdb.sys
2010/08/19 12:24:24.0937 drvnddm         (fa4670cae95ae2bb857c68e535661145) C:\WINDOWS\system32\drivers\drvnddm.sys
2010/08/19 12:24:25.0109 E100B           (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/08/19 12:24:25.0218 Eacfilt         (96d87dead469d45dbdc4ac0ff7d2de8a) C:\WINDOWS\system32\DRIVERS\eacfilt.sys
2010/08/19 12:24:25.0328 ezgfsfilt       (a3c06263009f0f698bd44c62f2d44b2c) C:\WINDOWS\system32\DRIVERS\ezgfsfilt.sys
2010/08/19 12:24:25.0484 ezgmntr         (10f50a0294eb9f6c643f8f0fc0687018) C:\WINDOWS\system32\DRIVERS\ezgmntr.sys
2010/08/19 12:24:25.0640 Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/19 12:24:25.0734 Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/08/19 12:24:25.0828 Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/19 12:24:25.0968 Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/08/19 12:24:26.0109 FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/19 12:24:26.0234 Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/19 12:24:26.0343 Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/19 12:24:26.0421 GEARAspiWDM     (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/08/19 12:24:26.0578 Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/19 12:24:26.0812 HidUsb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/19 12:24:27.0093 hpn             (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/08/19 12:24:27.0359 HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/19 12:24:27.0890 i2omgmt         (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/08/19 12:24:28.0078 i2omp           (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/08/19 12:24:28.0312 i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/19 12:24:28.0578 ialm            (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/08/19 12:24:28.0796 Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/19 12:24:28.0906 ini910u         (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/08/19 12:24:29.0125 IntelC51        (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2010/08/19 12:24:29.0343 IntelC52        (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2010/08/19 12:24:29.0578 IntelC53        (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2010/08/19 12:24:29.0703 IntelIde        (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/08/19 12:24:29.0781 intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/19 12:24:29.0937 Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/19 12:24:30.0031 IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/19 12:24:30.0125 IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/19 12:24:30.0265 IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/19 12:24:30.0375 IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/19 12:24:30.0531 IPSECEXT        (2239c94971abe52789948b519d892fe0) C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
2010/08/19 12:24:30.0562 IPSECSHM        (2239c94971abe52789948b519d892fe0) C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
2010/08/19 12:24:30.0703 IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/19 12:24:30.0796 isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/19 12:24:30.0953 Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/19 12:24:31.0031 kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/19 12:24:31.0187 kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/19 12:24:31.0296 KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/19 12:24:31.0578 mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/19 12:24:31.0671 Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/19 12:24:31.0828 MODEMCSA        (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/08/19 12:24:31.0968 mohfilt         (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2010/08/19 12:24:32.0046 Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/19 12:24:32.0187 mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/19 12:24:32.0343 MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/19 12:24:32.0468 mraid35x        (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/08/19 12:24:32.0625 MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/19 12:24:32.0718 MRxSmb          (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/19 12:24:32.0890 Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/19 12:24:33.0000 MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/19 12:24:33.0296 MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/19 12:24:33.0390 MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/19 12:24:33.0531 mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/19 12:24:33.0687 Mup             (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/19 12:24:33.0796 NAVAP           (f0f1a68f13dfefd7f079bfb799cf4f31) C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
2010/08/19 12:24:33.0906 NAVAPEL         (d96b7eb2f61c65be096475edb5c9fc06) C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAPEL.SYS
2010/08/19 12:24:34.0046 NAVENG          (83518e6cc82bdc3c3db0c12d1c9a2275) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~2\20100712.003\NAVENG.sys
2010/08/19 12:24:34.0265 NAVEX15         (85cf37740fe06c7a2eaa7f6c81f0819c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~2\20100712.003\NAVEX15.sys
2010/08/19 12:24:34.0453 NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/19 12:24:34.0625 NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/19 12:24:34.0765 Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/19 12:24:34.0843 NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/19 12:24:34.0984 NDProxy         (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/19 12:24:35.0140 NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/19 12:24:35.0281 NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/19 12:24:35.0671 Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/19 12:24:35.0859 Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/19 12:24:36.0062 NuidFltr        (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2010/08/19 12:24:36.0234 Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/19 12:24:36.0453 nv              (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/19 12:24:36.0593 NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/19 12:24:36.0687 NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/19 12:24:36.0781 Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/19 12:24:36.0937 PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/19 12:24:37.0031 ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/19 12:24:37.0171 PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/19 12:24:37.0328 PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/19 12:24:37.0484 Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/19 12:24:37.0734 perc2           (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/08/19 12:24:37.0906 perc2hib        (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/08/19 12:24:38.0046 PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/19 12:24:38.0140 PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/19 12:24:38.0265 Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/19 12:24:38.0343 PxHelp20        (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/19 12:24:38.0531 ql1080          (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/08/19 12:24:38.0609 Ql10wnt         (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/08/19 12:24:38.0734 ql12160         (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/08/19 12:24:38.0796 ql1240          (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/08/19 12:24:38.0859 ql1280          (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/08/19 12:24:38.0921 RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/19 12:24:39.0015 Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/19 12:24:39.0156 RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/19 12:24:39.0234 Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/19 12:24:39.0312 Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/19 12:24:39.0484 RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/19 12:24:39.0562 rdpdr           (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/19 12:24:39.0718 RDPWD           (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/19 12:24:39.0812 redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/19 12:24:40.0015 Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/19 12:24:40.0203 senfilt         (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2010/08/19 12:24:40.0296 serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/19 12:24:40.0453 Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/19 12:24:40.0531 Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/19 12:24:40.0765 sisagp          (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/08/19 12:24:40.0937 smwdm           (86c4d93b7b7818d066c52fdb03c6c921) C:\WINDOWS\system32\drivers\smwdm.sys
2010/08/19 12:24:41.0140 snapman         (d5ce266a448fedca7eec48000dcdeb7b) C:\WINDOWS\system32\DRIVERS\snapman.sys
2010/08/19 12:24:41.0296 SONYPVU1        (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2010/08/19 12:24:41.0453 Sparrow         (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/08/19 12:24:41.0578 splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/19 12:24:41.0656 sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/19 12:24:41.0828 Srv             (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/19 12:24:42.0000 sscdbhk5        (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2010/08/19 12:24:42.0171 ssrtln          (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
2010/08/19 12:24:42.0250 swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/19 12:24:42.0406 swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/19 12:24:42.0531 symc810         (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/08/19 12:24:42.0593 symc8xx         (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/08/19 12:24:42.0703 SymEvent        (083fe6483dc16a02af2434d04b7d7aea) C:\Program Files\Symantec\SYMEVENT.SYS
2010/08/19 12:24:42.0875 sym_hi          (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/08/19 12:24:42.0953 sym_u3          (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/08/19 12:24:43.0015 sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/19 12:24:43.0187 Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/19 12:24:43.0359 TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/19 12:24:43.0500 TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/19 12:24:43.0593 Teefer          (04906f0072903bd0280791a562596b95) C:\WINDOWS\system32\Drivers\Teefer.sys
2010/08/19 12:24:43.0734 TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/19 12:24:43.0875 tfsnboio        (1d265cd2fb1673a0873bf8cec19ddc7f) C:\WINDOWS\system32\dla\tfsnboio.sys
2010/08/19 12:24:44.0031 tfsncofs        (62e4901295e0467cac78e5b4b131ae5c) C:\WINDOWS\system32\dla\tfsncofs.sys
2010/08/19 12:24:44.0203 tfsndrct        (a2f380f9252ab3464c859adf91eead9c) C:\WINDOWS\system32\dla\tfsndrct.sys
2010/08/19 12:24:44.0359 tfsndres        (eee79bbefe9c6a2a3ce6c8753cfea950) C:\WINDOWS\system32\dla\tfsndres.sys
2010/08/19 12:24:44.0531 tfsnifs         (9d644eb11fec9487450c4cfcd63a5df4) C:\WINDOWS\system32\dla\tfsnifs.sys
2010/08/19 12:24:44.0687 tfsnopio        (e656af05c67edb7c0e9230a5df71ed1b) C:\WINDOWS\system32\dla\tfsnopio.sys
2010/08/19 12:24:44.0859 tfsnpool        (64fccb9cce703ca507dffc3cebf6b2cb) C:\WINDOWS\system32\dla\tfsnpool.sys
2010/08/19 12:24:45.0031 tfsnudf         (48bc9d8ab4e4b9bff70fb18e55cec3d6) C:\WINDOWS\system32\dla\tfsnudf.sys
2010/08/19 12:24:45.0187 tfsnudfa        (79f60822224256b49bfc855da8d651d5) C:\WINDOWS\system32\dla\tfsnudfa.sys
2010/08/19 12:24:45.0375 TosIde          (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/08/19 12:24:45.0484 Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/19 12:24:45.0671 ultra           (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/08/19 12:24:45.0828 Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/19 12:24:46.0015 USBAAPL         (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/08/19 12:24:46.0156 usbccgp         (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/19 12:24:46.0265 usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/19 12:24:46.0406 usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/19 12:24:46.0515 usbprint        (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/19 12:24:46.0687 usbscan         (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/19 12:24:46.0828 USBSTOR         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/19 12:24:46.0984 usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/19 12:24:47.0125 VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/19 12:24:47.0281 viaagp          (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/08/19 12:24:47.0453 ViaIde          (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/08/19 12:24:47.0625 VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/19 12:24:47.0843 Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/19 12:24:48.0000 wanatw          (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2010/08/19 12:24:48.0156 wceusbsh        (4c0b8ef721783f52f8e531fbdc4b1f74) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
2010/08/19 12:24:48.0328 Wdf01000        (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/08/19 12:24:48.0546 wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/19 12:24:48.0718 wg3n            (038ad5561af23bc9bba3d624daf311f0) C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
2010/08/19 12:24:48.0796 wg4n            (266aa247c92f5d202a9cc633142ca425) C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys
2010/08/19 12:24:48.0937 wg5n            (c2a06a1673391203c023de8bc60927bc) C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys
2010/08/19 12:24:49.0031 wg6n            (2e94e4ef8d985be291cb4573c5dfca35) C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys
2010/08/19 12:24:49.0234 wpsdrvnt        (9eb103f5652c9253bad58350aede476d) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2010/08/19 12:24:49.0343 WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/19 12:24:49.0500 WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/19 12:24:49.0562 ================================================================================
2010/08/19 12:24:49.0562 Scan finished
2010/08/19 12:24:49.0562 ================================================================================

*******************************************************************************************************************

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

8/19/2010 12:56:26 PM
mbam-log-2010-08-19 (12-56-26).txt

Scan type: Quick scan
Objects scanned: 125017
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a0fe1a7-392c-4612-8e29-c944cfa338bc}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a0fe1a7-392c-4612-8e29-c944cfa338bc}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b1b0c432-8804-4466-b4a7-b5ec03032891}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b1b0c432-8804-4466-b4a7-b5ec03032891}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*************************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:12:01 PM, on 8/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ?\WkDetect.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A0FE1A7-392C-4612-8E29-C944CFA338BC}: NameServer = 93.188.163.9,93.188.166.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1B0C432-8804-4466-B4A7-B5EC03032891}: NameServer = 93.188.163.9,93.188.166.244
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.9,93.188.166.244
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: mcupdmgr.exe - Sygate Technologies, Inc. - (no file)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

--
End of file - 10094 bytes
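The Malwarebytes log above flags every NameServer and DhcpNameServer value under Tcpip\Parameters, and the O17 lines in the fresh HijackThis log show the same two resolvers still in place. The practical check on a suspected DNSChanger box is therefore simple: list every resolver the registry points at and grade each one against the resolvers that were actually handed out (your router, or the ISP's servers). The following Python script is an added example and not part of this thread or of any of the tools used in it. It pulls resolver addresses out of HijackThis O17 lines and Malwarebytes "Registry Data Items" lines, or straight from the live registry on a Windows host, and grades each one. The expected-resolver list (198.51.100.53 is a documentation address standing in for the real ISP server) and the two extra sample lines (a LAN router and that ISP server) are constructed; the other sample lines are copied from the logs above.

```python
import ipaddress
import re

# Constructed sample: O17 lines from the HijackThis log and a Registry Data
# Items line from the Malwarebytes log in this thread, plus two made-up lines
# (a LAN router and a hypothetical ISP resolver) to show the other verdicts.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A0FE1A7-392C-4612-8E29-C944CFA338BC}: NameServer = 93.188.163.9,93.188.166.244
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.9,93.188.166.244
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 198.51.100.53
"""

# Assumption: the resolvers the ISP (or the owner) actually handed out.
# 198.51.100.53 is a documentation address standing in for the real one.
EXPECTED_RESOLVERS = ["198.51.100.53"]

KEY_RE = re.compile(r"(?:Dhcp)?NameServer")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_resolvers(log_text):
    """Yield (line_no, key_name, [IPv4Address, ...]) for every NameServer entry."""
    for n, line in enumerate(log_text.splitlines(), 1):
        m = KEY_RE.search(line)
        if not m:
            continue
        ips = []
        for raw in IPV4_RE.findall(line[m.end():]):
            try:
                ips.append(ipaddress.IPv4Address(raw))
            except ValueError:      # e.g. 999.1.1.1 from a mangled line
                continue
        if ips:
            yield n, m.group(0), ips


def classify(ip, expected):
    """Grade one resolver: expected, local (LAN/loopback), or UNEXPECTED."""
    if ip in expected:
        return "expected"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"          # home router or LAN resolver, normally fine
    return "UNEXPECTED"         # a public resolver nobody configured on purpose


def audit(log_text, expected_resolvers):
    """Return [(line_no, key, ip, verdict)] for every resolver found in the log."""
    expected = {ipaddress.IPv4Address(x) for x in expected_resolvers}
    return [(n, key, str(ip), classify(ip, expected))
            for n, key, ips in extract_resolvers(log_text)
            for ip in ips]


def read_live_resolvers():
    """On a Windows host, read the same values straight from the registry.

    Returns {registry_path: value}; returns {} where winreg is unavailable.
    """
    try:
        import winreg
    except ImportError:
        return {}
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    found = {}

    def grab(path):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        value, _ = winreg.QueryValueEx(k, name)
                    except FileNotFoundError:
                        continue
                    if value:
                        found[path + "\\" + name] = value
        except OSError:
            pass

    grab(base)                                   # global values
    try:                                         # then every interface GUID
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\Interfaces") as k:
            for i in range(winreg.QueryInfoKey(k)[0]):
                grab(base + "\\Interfaces\\" + winreg.EnumKey(k, i))
    except OSError:
        pass
    return found


if __name__ == "__main__":
    live = read_live_resolvers()
    text = "\n".join(f"{k} = {v}" for k, v in live.items()) or SAMPLE_LOG
    for n, key, ip, verdict in audit(text, EXPECTED_RESOLVERS):
        print(f"line {n:>3} {key:<15} {ip:<16} {verdict}")
```

Two things to keep in mind when reading the result. DhcpNameServer is written by the DHCP client and NameServer is the static override, so a malicious address in the static value wins even when DHCP hands out the right one; and once a cleanup tool deletes both values the machine has no resolver at all until the DHCP lease is renewed, so a blank DNS setting right after removal is the expected state, not a new fault. On the box itself, `ipconfig /all` and `nslookup` show which resolver is actually answering.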

 

1.1K Posts

August 19th, 2010 14:00

Hi Larry,

I am more or less sure that you have a rootkit running on your system. If you look at the recent logs and see what was found and cleaned, then look at the latest HJT log, everything has returned.
OK lets try and find it with GMER.
It is very important that all security is turned off prior to running this tool; failure to do so will end in a BSOD or system crash. When you are ready to run GMER you may disconnect the internet connection.
If you have any problems running GMER re-boot into Safemode and run it from there.

Proceed as follows :-

Download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to your desktop
  • Close all open browsers etc, make sure nothing else runs when GMER does
  • Turn off all security programs and disconnect internet. <-- Very important
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please agree to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All <--don't miss this one

Then click the Scan button & wait for it to finish
Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt"
Save it where you can easily find it, such as your desktop

**Caution**

Rootkit scans often produce false positives.

Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance from an expert user.

Copy and paste the log in your next reply.

Although the document itself may instruct you to zip and attach when posting, please ignore that and copy/paste instead, unless of course your log is so large that the forum software tells you that it is too large for posting. Only in that case would you need to zip it and attach it. Thanks!

Kevin

18 Posts

August 20th, 2010 11:00

Kevin,

OK, I downloaded "GMER" and ran the scan.  I turned off all AVs and other blockers.  I attached the log below.

I have word wrap off but the file is very wide.  I hope it means something to you because it's pretty much gibberish to me. Thanks for looking.

 

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-20 12:33:51
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\A&C.SON\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT            \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                       ZwAllocateVirtualMemory [0xF894AB30]
SSDT            \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                       ZwCreateThread [0xF894A6F0]
SSDT            \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                       ZwMapViewOfSection [0xF894A470]
SSDT            \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                       ZwProtectVirtualMemory [0xF894AC50]
SSDT            \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                       ZwShutdownSystem [0xF894A990]
SSDT            \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                       ZwTerminateProcess [0xF894A8D0]
SSDT            \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)                       ZwWriteVirtualMemory [0xF894AD60]

---- Kernel code sections - GMER 1.0.15 ----

init            C:\WINDOWS\system32\DRIVERS\mohfilt.sys                                                                 entry point in "init" section [0xF8A7B760]
init            C:\WINDOWS\system32\drivers\senfilt.sys                                                                 entry point in "init" section [0xF766CF80]
.text           tcpip.sys!IPTransmit + 10FC                                                                             EE63ED3A 6 Bytes  CALL F84E2CE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text           tcpip.sys!IPTransmit + 2A52                                                                             EE640690 6 Bytes  CALL F84E2CE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text           tcpip.sys!IPRegisterProtocol + 930                                                                      EE656454 6 Bytes  CALL F84E2CE0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text           wanarp.sys                                                                                              F897D3FD 4 Bytes  CALL F84E2E30 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text           wanarp.sys                                                                                              F897D402 2 Bytes  [90, 90] {NOP ; NOP }

---- User code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\spoolsv.exe[288] ntdll.dll!NtResumeThread                                           7C90DB3E 5 Bytes  JMP 00FF000A
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[796] ntdll.dll!NtResumeThread                7C90DB3E 5 Bytes  JMP 003F000A
.text           C:\WINDOWS\Explorer.EXE[1636] ntdll.dll!NtResumeThread                                                  7C90DB3E 5 Bytes  JMP 01DE000A
.text           C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2124] ntdll.dll!NtResumeThread  7C90DB3E 5 Bytes  JMP 0094000A
.text           C:\Program Files\Windows Media Player\WMPNSCFG.exe[2184] ntdll.dll!NtResumeThread                       7C90DB3E 5 Bytes  JMP 0087000A
.text           ...                                                                                                    

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                  SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device          \Driver\Tcpip \Device\Ip                                                                                wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\Tcpip \Device\Tcp                                                                               wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                  snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                  ezgmntr.sys (EZ GIG II Backup Archive Explorer/Apricorn)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                                  snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                                  ezgmntr.sys (EZ GIG II Backup Archive Explorer/Apricorn)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                                  snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                                  ezgmntr.sys (EZ GIG II Backup Archive Explorer/Apricorn)

Device          \Driver\Tcpip \Device\Udp                                                                               wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\Tcpip \Device\RawIp                                                                             wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device          \Driver\Tcpip \Device\IPMULTICAST                                                                       wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device          \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer                                                      tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device          \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer                                                       tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device          \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer                                                           tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device          \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer                                                        tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device          \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer                                                       tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device          \FileSystem\Cdfs \Cdfs                                                                                  tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

1.1K Posts

August 20th, 2010 13:00

Hi buckridge,

Lets try a different tack, proceed as follows please :-

Step 1

Please download OTM by OldTimer.
Alternative Mirror
Save it to your desktop.
Double click OTM.exe to start the tool.
  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    -------------------------------------------------------------------------------------------------------

    :Processes
    explorer.exe

    :Files
    c:\windows\system32\Spool\prtprocs\w32x86\1uO3o7.dll
    c:\windows\system32\Spool\prtprocs\w32x86\k7931c.dll
    c:\windows\system32\Spool\prtprocs\w32x86\O93mY93.dll
    c:\temp\SecurityCheck.exe
    c:\windows\system32\Spool\prtprocs\w32x86\931gM3179.dll
    c:\windows\system32\Spool\prtprocs\w32x86\KUOCE93.dll
    c:\windows\system32\Spool\prtprocs\w32x86\I93q7wS.dll
    c:\windows\system32\Spool\prtprocs\w32x86\3iQ931o9.dll
    c:\windows\system32\Spool\prtprocs\w32x86\CEI55.dll
    c:\windows\system32\Spool\prtprocs\w32x86\a793s7.dll
    c:\windows\system32\Spool\prtprocs\w32x86\317yW17y.dll
    c:\windows\system32\Spool\prtprocs\w32x86\317o3oC9.dll
    c:\windows\system32\Spool\prtprocs\w32x86\9u179aA79.dll
    c:\windows\system32\Spool\prtprocs\w32x86\79o1793.dll
    c:\windows\system32\Spool\prtprocs\w32x86\C17u3m7g.dll
    c:\windows\system32\Spool\prtprocs\w32x86\7eIQ79c.dll
    c:\windows\system32\Spool\prtprocs\w32x86\5q555.dll
    c:\windows\system32\Spool\prtprocs\w32x86\5eIQG.dll
    c:\windows\system32\Spool\prtprocs\w32x86\555s5.dll
    c:\windows\system32\Spool\prtprocs\w32x86\17s3e7.dll
    c:\windows\system32\Spool\prtprocs\w32x86\5mYWS.dll
    c:\windows\system32\Spool\prtprocs\w32x86\31u9m1gM.dll
    c:\windows\system32\Spool\prtprocs\w32x86\EIQG1i.dll
    c:\windows\system32\Spool\prtprocs\w32x86\1m93wS.dll
    c:\windows\system32\Spool\prtprocs\w32x86\iQ7wSKU9.dll
    c:\windows\system32\Spool\prtprocs\w32x86\931i93q79.dll
    c:\windows\system32\Spool\prtprocs\w32x86\31yWSKU9.dll
    c:\windows\system32\Spool\prtprocs\w32x86\EI793q79.dll
    c:\windows\system32\Spool\prtprocs\w32x86\S9317yW.dll
    c:\windows\system32\Spool\prtprocs\w32x86\793a793.dll
    c:\windows\system32\Spool\prtprocs\w32x86\17yWSK.dll
    c:\windows\system32\Spool\prtprocs\w32x86\5uOC5.dll
    c:\windows\system32\Spool\prtprocs\w32x86\SK9y17.dll
    c:\windows\system32\Spool\prtprocs\w32x86\c555y.dll
    c:\windows\system32\ernel32.dll
    c:\windows\Mjizab.exe
    c:\windows\Mjizaa.exe
    c:\windows\Tasks\MSWD-bfc50cca.job
    c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe
    :Commands
    [CreateRestorePoint]
    [EmptyFlash]
    [EmptyTemp]
    [Purity]
    [Reboot]

    -----------------------------------------------------------------------------------------------
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Step 2

  • Re-open Malwarebytes and check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

Delete Combofix from your Desktop, download a fresh copy from either of the following links and run it as previously.

Link 1

Link 2

Post logs from OTM, Malwarebytes, Combofix and fresh HJT in reply.

Kevin..
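The :Files list in the OTM script above is worth reading as a pattern rather than a list of names: dozens of randomly named DLLs under system32\Spool\prtprocs\w32x86 (the directory the print spooler loads print-processor DLLs from, which makes it a persistence spot that survives a browser cleanup), a DLL named one character away from kernel32.dll, and a scheduled task in Windows\Tasks whose name carries the same hex token as an executable in the user's Application Data. The following Python triage is an added example, not part of this thread or of OTM, and looks for exactly those three patterns in a file listing. It assumes winprint.dll is the only registered print processor; confirm that against HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors on the box and add any legitimate extra entry to the set. The sample listing is constructed from paths in the OTM script plus the legitimate winprint.dll and kernel32.dll that the suspect files sit beside.

```python
import ntpath
import os
import re

# Constructed sample listing: paths lifted from the OTM :Files list above,
# plus winprint.dll and kernel32.dll as the legitimate neighbours they imitate.
SAMPLE_PATHS = [
    r"c:\windows\system32\Spool\prtprocs\w32x86\winprint.dll",
    r"c:\windows\system32\Spool\prtprocs\w32x86\1uO3o7.dll",
    r"c:\windows\system32\Spool\prtprocs\w32x86\k7931c.dll",
    r"c:\windows\system32\Spool\prtprocs\w32x86\CEI55.dll",
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\ernel32.dll",
    r"c:\windows\Tasks\MSWD-bfc50cca.job",
    r"c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe",
]

# Assumption: only the stock WinPrint processor is registered under
# HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors.
# Verify on the box; any extra legitimate entry belongs in this set.
REGISTERED_PRINT_PROCESSORS = {"winprint.dll"}

# Names that malware imitates by dropping, adding or swapping one character.
SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
               "shell32.dll", "ws2_32.dll"}

PRTPROCS_DIR = r"c:\windows\system32\spool\prtprocs\w32x86"
SYSTEM32_DIR = r"c:\windows\system32"
TASKS_DIR = r"c:\windows\tasks"
PROFILES_DIR = "c:\\documents and settings\\"
HEX_TOKEN = re.compile(r"[0-9a-f]{8}")


def levenshtein(a, b):
    """Edit distance; 1 means one character inserted, dropped or swapped."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(paths, registered=REGISTERED_PRINT_PROCESSORS):
    """Return [(path, reason)] for the three persistence patterns seen in the thread."""
    findings = []
    lower = [p.lower() for p in paths]
    user_exes = {}                      # 8-hex token -> .exe path under a user profile
    for p in lower:
        name, parent = ntpath.basename(p), ntpath.dirname(p)
        if parent == PRTPROCS_DIR and name.endswith(".dll") and name not in registered:
            findings.append((p, "DLL in the print-processor directory but not a registered print processor"))
        if parent == SYSTEM32_DIR and name.endswith(".dll") and name not in SYSTEM_DLLS:
            for legit in SYSTEM_DLLS:
                if levenshtein(name, legit) == 1:
                    findings.append((p, f"name is one edit away from {legit}"))
        if parent.startswith(PROFILES_DIR) and name.endswith(".exe"):
            m = HEX_TOKEN.search(name)
            if m:
                user_exes[m.group(0)] = p
    for p in lower:                     # second pass: tasks need the exe map filled
        name, parent = ntpath.basename(p), ntpath.dirname(p)
        if parent == TASKS_DIR and name.endswith(".job"):
            m = HEX_TOKEN.search(name)
            if m and m.group(0) in user_exes:
                findings.append((p, f"scheduled task paired with per-user executable {user_exes[m.group(0)]}"))
    return findings


def collect_live_paths():
    """On the real box, gather the locations this check covers (empty elsewhere)."""
    paths = []
    for d in (PRTPROCS_DIR, SYSTEM32_DIR, TASKS_DIR):
        if os.path.isdir(d):
            paths += [ntpath.join(d, f) for f in os.listdir(d)]
    for root, _, files in os.walk(PROFILES_DIR):
        paths += [ntpath.join(root, f) for f in files if f.lower().endswith(".exe")]
    return paths


if __name__ == "__main__":
    for path, reason in triage(collect_live_paths() or SAMPLE_PATHS):
        print(f"{path}\n    -> {reason}")
```

The allowlist check is the strong one: a print-processor DLL is either registered in that Print Processors key or it has no business being in the directory, so the registry key itself should also be read for entries pointing at any of the flagged files. The name-distance and task-pairing checks are heuristics, which is why each finding carries its reason rather than a verdict.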

18 Posts

August 20th, 2010 17:00

Kevin, I think we may have made some progress here.

1. I loaded and ran OTM using the file stuff you sent.   Logs are attached.

2. I started "Malwarebytes" (updates still fail). Completed ok and Logs attached.

3.  Deleted "ComboFix".   I ran into a bit of trouble reloading it because I lost the internet connection.  After looking around for a while I noticed the DNS server information was gone (blank).  I got the information and then was able to access the Web.  I assume at this point that the OTM run somehow deleted this information from the system.  Is that so?

4. Reloaded Combofix and ran.  Logs attached.

5. Ran Hijackthis,  logs attached.  

So far my AV has not reported the virus that it was reporting the past day.    Maybe we are getting closer.   Let me know where we go from here and also what can be run/loaded to lessen the chance of a similar issue.

What AV/Malware detection would you recommend for me. 

Thanks,  Larry

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\1uO3o7.dll
c:\windows\system32\Spool\prtprocs\w32x86\1uO3o7.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\k7931c.dll
c:\windows\system32\Spool\prtprocs\w32x86\k7931c.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\O93mY93.dll
c:\windows\system32\Spool\prtprocs\w32x86\O93mY93.dll moved successfully.
c:\temp\SecurityCheck.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\931gM3179.dll
c:\windows\system32\Spool\prtprocs\w32x86\931gM3179.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\KUOCE93.dll
c:\windows\system32\Spool\prtprocs\w32x86\KUOCE93.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\I93q7wS.dll
c:\windows\system32\Spool\prtprocs\w32x86\I93q7wS.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\3iQ931o9.dll
c:\windows\system32\Spool\prtprocs\w32x86\3iQ931o9.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\CEI55.dll
c:\windows\system32\Spool\prtprocs\w32x86\CEI55.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\a793s7.dll
c:\windows\system32\Spool\prtprocs\w32x86\a793s7.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\317yW17y.dll
c:\windows\system32\Spool\prtprocs\w32x86\317yW17y.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\317o3oC9.dll
c:\windows\system32\Spool\prtprocs\w32x86\317o3oC9.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\9u179aA79.dll
c:\windows\system32\Spool\prtprocs\w32x86\9u179aA79.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\79o1793.dll
c:\windows\system32\Spool\prtprocs\w32x86\79o1793.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\C17u3m7g.dll
c:\windows\system32\Spool\prtprocs\w32x86\C17u3m7g.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\7eIQ79c.dll
c:\windows\system32\Spool\prtprocs\w32x86\7eIQ79c.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\5q555.dll
c:\windows\system32\Spool\prtprocs\w32x86\5q555.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\5eIQG.dll
c:\windows\system32\Spool\prtprocs\w32x86\5eIQG.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\555s5.dll
c:\windows\system32\Spool\prtprocs\w32x86\555s5.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\17s3e7.dll
c:\windows\system32\Spool\prtprocs\w32x86\17s3e7.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\5mYWS.dll
c:\windows\system32\Spool\prtprocs\w32x86\5mYWS.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\31u9m1gM.dll
c:\windows\system32\Spool\prtprocs\w32x86\31u9m1gM.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\EIQG1i.dll
c:\windows\system32\Spool\prtprocs\w32x86\EIQG1i.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\1m93wS.dll
c:\windows\system32\Spool\prtprocs\w32x86\1m93wS.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\iQ7wSKU9.dll
c:\windows\system32\Spool\prtprocs\w32x86\iQ7wSKU9.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\931i93q79.dll
c:\windows\system32\Spool\prtprocs\w32x86\931i93q79.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\31yWSKU9.dll
c:\windows\system32\Spool\prtprocs\w32x86\31yWSKU9.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\EI793q79.dll
c:\windows\system32\Spool\prtprocs\w32x86\EI793q79.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\S9317yW.dll
c:\windows\system32\Spool\prtprocs\w32x86\S9317yW.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\793a793.dll
c:\windows\system32\Spool\prtprocs\w32x86\793a793.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\17yWSK.dll
c:\windows\system32\Spool\prtprocs\w32x86\17yWSK.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\5uOC5.dll
c:\windows\system32\Spool\prtprocs\w32x86\5uOC5.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\SK9y17.dll
c:\windows\system32\Spool\prtprocs\w32x86\SK9y17.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\c555y.dll
c:\windows\system32\Spool\prtprocs\w32x86\c555y.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\ernel32.dll
c:\windows\system32\ernel32.dll moved successfully.
c:\windows\Mjizab.exe moved successfully.
c:\windows\Mjizaa.exe moved successfully.
c:\windows\Tasks\MSWD-bfc50cca.job moved successfully.
c:\documents and settings\A&C.SON\Application Data\bfc50cca.exe moved successfully.
========== COMMANDS ==========
Restore point Set: OTM Restore Point (0)
 
[EMPTYTEMP]
 
User: A&C
->Temp folder emptied: 6747994 bytes
->Temporary Internet Files folder emptied: 2950765 bytes
 
User: A&C.SON
->Temp folder emptied: 25419 bytes
->Temporary Internet Files folder emptied: 19364933 bytes
->Java cache emptied: 6323124 bytes
->Apple Safari cache emptied: 14336 bytes
->Flash cache emptied: 97845 bytes
 
User: A&C~SON
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41620 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
%systemdrive% .tmp files removed: 6597 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 3317777 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 754 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 37.00 mb
 
 
OTM by OldTimer - Version 3.1.15.0 log created on 08202010_153553

Files moved on Reboot...
C:\Documents and Settings\A&C.SON\Local Settings\Temp\Google Toolbar\GoogleToolbarWelcome.log moved successfully.
C:\Documents and Settings\A&C.SON\Local Settings\Temporary Internet Files\Content.IE5\UQWJ0KBF\CAG1AJ41.php moved successfully.
C:\Documents and Settings\A&C.SON\Local Settings\Temporary Internet Files\Content.IE5\UQWJ0KBF\searchTrack[1].php moved successfully.
C:\Documents and Settings\A&C.SON\Local Settings\Temporary Internet Files\Content.IE5\U49OKFVT\c307815431[1].htm moved successfully.
C:\Documents and Settings\A&C.SON\Local Settings\Temporary Internet Files\Content.IE5\U49OKFVT\content[1].php moved successfully.
C:\Documents and Settings\A&C.SON\Local Settings\Temporary Internet Files\Content.IE5\U49OKFVT\view[1].htm moved successfully.

Registry entries deleted on Reboot...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

8/20/2010 3:55:04 PM
mbam-log-2010-08-20 (15-55-04).txt

Scan type: Quick scan
Objects scanned: 124136
Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a0fe1a7-392c-4612-8e29-c944cfa338bc}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b1b0c432-8804-4466-b4a7-b5ec03032891}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.9,93.188.166.244 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

ComboFix 10-08-19.02 - A&C 08/20/2010  17:26:21.4.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.251 [GMT -5:00]
Running from: c:\documents and settings\A&C.SON\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((   Files Created from 2010-07-20 to 2010-08-20  )))))))))))))))))))))))))))))))
.

2010-08-20 20:35 . 2010-08-20 20:35 -------- d-----w- C:\_OTM
2010-08-20 20:30 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555k5.dll
2010-08-20 17:51 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\3qG9i17q.dll
2010-08-20 17:36 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\K931793.dll
2010-08-20 17:03 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\aAA9317u.dll
2010-08-19 18:03 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31793aAA.dll
2010-08-19 17:59 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\O5o5o.dll
2010-08-19 17:32 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1o9oC7.dll
2010-08-19 17:11 . 2010-06-13 22:36 74752 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\YWS3e7.dll
2010-08-19 17:02 . 2010-08-20 17:32 -------- d-----w- c:\temp\C&Aviruslogs
2010-08-18 20:19 . 2010-08-18 21:21 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-17 21:17 . 2010-08-17 21:17 -------- d-----w- c:\documents and settings\A&C.SON\Application Data\Malwarebytes
2010-08-17 21:17 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 21:17 . 2010-08-17 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-17 21:17 . 2010-08-17 21:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 21:17 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-16 21:18 . 2010-08-16 21:18 -------- d-----w- c:\program files\Trend Micro

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 21:22 . 2005-01-17 19:41 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 21:21 . 2005-01-17 19:41 -------- d-----w- c:\program files\Java
2010-08-18 20:19 . 2010-08-18 20:19 503808 ----a-w- c:\documents and settings\A&C.SON\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f542f2b-n\msvcp71.dll
2010-08-18 20:19 . 2010-08-18 20:19 499712 ----a-w- c:\documents and settings\A&C.SON\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f542f2b-n\jmc.dll
2010-08-18 20:19 . 2010-08-18 20:19 348160 ----a-w- c:\documents and settings\A&C.SON\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f542f2b-n\msvcr71.dll
2010-08-18 20:19 . 2010-08-18 20:19 61440 ----a-w- c:\documents and settings\A&C.SON\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2996df7d-n\decora-sse.dll
2010-08-18 20:19 . 2010-08-18 20:19 12800 ----a-w- c:\documents and settings\A&C.SON\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2996df7d-n\decora-d3d.dll
2010-08-16 21:18 . 2010-08-16 21:18 388096 ----a-r- c:\documents and settings\A&C.SON\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-14 22:11 . 2010-06-25 01:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2004-08-04 11:00 . 2004-08-04 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2004-08-04 11:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2004-08-04 11:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2004-08-04 11:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2004-08-04 11:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2004-08-04 11:00 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2004-08-04 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

(((((((((((((((((((((((((((((   SnapShot@2010-08-18_20.50.26   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-20 21:27 . 2010-08-20 21:27 16384              c:\windows\temp\Perflib_Perfdata_a30.dat
+ 2005-01-17 19:33 . 2010-08-20 21:16 71964              c:\windows\SYSTEM32\PERFC009.DAT
- 2005-01-17 19:33 . 2010-08-18 20:15 71964              c:\windows\SYSTEM32\PERFC009.DAT
- 2005-01-17 19:33 . 2010-08-18 20:15 443082              c:\windows\SYSTEM32\PERFH009.DAT
+ 2005-01-17 19:33 . 2010-08-20 21:16 443082              c:\windows\SYSTEM32\PERFH009.DAT
- 2010-08-18 20:19 . 2010-08-18 20:18 153376              c:\windows\SYSTEM32\javaws.exe
+ 2010-08-18 21:21 . 2010-08-18 21:21 153376              c:\windows\SYSTEM32\javaws.exe
- 2010-08-18 20:19 . 2010-08-18 20:18 145184              c:\windows\SYSTEM32\javaw.exe
+ 2010-08-18 21:21 . 2010-08-18 21:21 145184              c:\windows\SYSTEM32\javaw.exe
+ 2010-08-18 21:21 . 2010-08-18 21:21 145184              c:\windows\SYSTEM32\java.exe
- 2010-08-18 20:19 . 2010-08-18 20:18 145184              c:\windows\SYSTEM32\java.exe
+ 2010-08-18 21:22 . 2010-08-18 21:22 180224              c:\windows\Installer\1067f0.msi
+ 2010-08-18 21:21 . 2010-08-18 21:21 676352              c:\windows\Installer\1067eb.msi
+ 2010-02-10 12:24 . 2010-02-10 12:24 284048              c:\windows\Downloaded Program Files\rufsi.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="?\WkDetect.exe" [?]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 524288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-03 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-01-17 26112]
"BuildBU"="c:\dell\bldbubg.exe" [2004-02-19 61440]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-11-14 114800]
"SmcService"="c:\progra~1\Sygate\SSA\smc.exe" [2004-08-14 2532576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Microsoft Greetings Reminders.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Microsoft Greetings Reminders.lnk
backup=c:\windows\pss\Microsoft Greetings Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^A&C.SON^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\A&C.SON\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax.com Tray Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax.com Tray Menu.lnk
backup=c:\windows\pss\eFax.com Tray Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=c:\windows\pss\Live Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sensory Profile Conduit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Sensory Profile Conduit.lnk
backup=c:\windows\pss\Sensory Profile Conduit.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
2007-10-09 21:21 169328 ----a-w- c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-09-14 14:50 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2004-09-14 14:50 131072 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-01-04 20:17 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 15:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-03 04:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MpfService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

R0 ezgmntr;EZ GIG II Backup Archive Explorer;c:\windows\SYSTEM32\DRIVERS\ezgmntr.sys [6/17/2006 10:36 PM 213760]
R2 ezgfsfilt;EZ GIG II FS Filter;c:\windows\SYSTEM32\DRIVERS\ezgfsfilt.sys [6/17/2006 10:36 PM 28800]
R3 Eacfilt;Eacfilt Miniport;c:\windows\SYSTEM32\DRIVERS\eacfilt.sys [1/21/2005 5:32 PM 9817]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 9:46 AM 135664]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\SYSTEM32\DRIVERS\ipsecw2k.sys [1/21/2005 5:32 PM 137392]
S2 ptssvc;ptssvc;c:\program files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe [1/22/2005 11:21 AM 36864]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\Maga\Maga.exe [8/10/2004 6:05 PM 328936]
.
Contents of the 'Scheduled Tasks' folder

2010-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:46]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:46]

2005-01-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: {B1B0C432-8804-4466-B4A7-B5EC03032891} = 69.66.0.20,69.66.1.20
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-20 17:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3360)
c:\windows\system32\SSSensor.dll
c:\progra~1\PANICW~1\POP-UP~1\XAHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-20  17:41:45
ComboFix-quarantined-files.txt  2010-08-20 22:41
ComboFix2.txt  2010-08-19 17:00
ComboFix3.txt  2010-08-18 20:56
ComboFix4.txt  2010-08-17 22:28

Pre-Run: 10,843,394,048 bytes free
Post-Run: 10,824,163,328 bytes free

- - End Of File - - 51EC78262F5D0E60391D7D10713E767A

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:48:00 PM, on 8/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ?\WkDetect.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1B0C432-8804-4466-B4A7-B5EC03032891}: NameServer = 69.66.0.20,69.66.1.20
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: mcupdmgr.exe - Sygate Technologies, Inc. - (no file)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

--
End of file - 9574 bytes

1.1K Posts

August 21st, 2010 00:00

Hi Larry,

We've definitely made some headway: the HJT log is clear this time, and Infostealer has not returned. There is still stuff showing in the CF log which we will deal with shortly. Malwarebytes still refuses to update; that is a concern and we will try to get that fixed too. Proceed as follows:

Step 1

Re-open OTM by double-clicking OTM.exe to start the tool.

  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    -------------------------------------------------------------------------------------

    :Processes
    explorer.exe

    :Files
    c:\windows\system32\Spool\prtprocs\w32x86\555k5.dll
    c:\windows\system32\Spool\prtprocs\w32x86\3qG9i17q.dll
    c:\windows\system32\Spool\prtprocs\w32x86\K931793.dll
    c:\windows\system32\Spool\prtprocs\w32x86\aAA9317u.dll
    c:\windows\system32\Spool\prtprocs\w32x86\31793aAA.dll
    c:\windows\system32\Spool\prtprocs\w32x86\O5o5o.dll
    c:\windows\system32\Spool\prtprocs\w32x86\1o9oC7.dll
    c:\windows\system32\Spool\prtprocs\w32x86\YWS3e7.dll
    :Commands
    [EmptyTemp]
    [ResetHosts]
    [CreateRestorePoint]
    [Reboot]

    -------------------------------------------------------------------------------------
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Step 2

  • Download Malwarebytes cleanup tool (save to desktop) from Here
  • Uninstall Malwarebytes from Add/Remove Programs via the Control Panel. Reboot PC.
  • Run the Malwarebytes cleanup tool. Reboot PC.



Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.



Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 4

Please perform an online scan with BitDefender

  • Click on I Agree.
  • An ActiveX warning box will appear, click on Install.
  • Under Select What You Want To Check For Viruses.
  • Please Check My Computer and Click Ok
  • Now Click On Click Here To Scan
  • Next, Click on Click here to export the scan report
  • Save it to your Desktop.
  • In your next reply, please include the BitDefender log.



Post logs from Malwarebytes, BitDefender and fresh HJT in reply please.

Kevin
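
Kevin reads each HJT log by eye, section by section. The Python script below is an added example, not part of this thread and not a HijackThis or Malwarebytes tool, that automates the first pass over a HijackThis 2.x log for exactly the entry types in play here: O1 hosts lines (the "ÿþ" prefix HJT prints is the UTF-16 LE byte-order mark FF FE shown as two single-byte characters, which means the hosts file is not in the ANSI encoding Windows expects; a non-loopback mapping is a redirect), R1 proxy settings (a ProxyOverride bypass list on its own redirects nothing; it only matters alongside a ProxyServer or AutoConfigURL), O4 Run values whose path has no drive letter or sits in the Windows root or a temp folder, O17 per-adapter NameServer entries (if an attacker controls those servers, every lookup is redirected, so the script reports them for verification rather than judging them), and O23 services with "(no file)". The embedded sample log is constructed: most lines are copied from the HJT logs posted in this thread, while the 10.0.0.5 hosts entry and the [qzsvc] Run value are hypothetical, added so the redirect and Windows-root checks have something to fire on.

```python
"""Triage a Trend Micro HijackThis 2.x log for the entry types that matter in a
browser-redirect / banking-trojan case: hosts, IE proxy, Run, DNS and services."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample. Most lines are copied from the HJT logs in this thread; the
# 10.0.0.5 hosts line and the [qzsvc] Run value are hypothetical, added so that
# the redirect and Windows-root checks have something to fire on.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 10.0.0.5 www.examplebank.test
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [qzsvc] C:\WINDOWS\qzsvc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ?\WkDetect.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1B0C432-8804-4466-B4A7-B5EC03032891}: NameServer = 69.66.0.20,69.66.1.20
O23 - Service: mcupdmgr.exe - Sygate Technologies, Inc. - (no file)
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")
LOOPBACK = {"127.0.0.1", "::1"}
UTF16LE_BOM_AS_ANSI = "ÿþ"   # bytes FF FE displayed as two single-byte characters
PROXY_KEYS = ("ProxyServer", "AutoConfigURL")

@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O17"
    reason: str    # why a human should look at this line
    line: str      # the log line as posted

def parse_entries(log_text):
    """Yield (section, body, line) for every R/O entry line in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line

def _setting_name(body):
    """'HKCU\\...\\Internet Settings,ProxyOverride = *.local' -> 'ProxyOverride'."""
    return body.partition(" = ")[0].rsplit(",", 1)[-1]

def _hosts_reasons(body):
    entry = body.partition(":")[2].strip()           # text after the "Hosts:" label
    reasons = []
    if entry.startswith(UTF16LE_BOM_AS_ANSI):
        reasons.append("hosts file begins with FF FE (UTF-16 LE BOM); Windows expects ANSI, re-save it")
        entry = entry[len(UTF16LE_BOM_AS_ANSI):]
    parts = entry.split()
    if len(parts) >= 2 and parts[0] not in LOOPBACK:
        reasons.append(f"hosts maps {' '.join(parts[1:])} to {parts[0]} (non-loopback override)")
    return reasons

def _run_reasons(body):
    rest = body.partition("] ")[2].strip()           # command line after "[name] "
    exe = rest[1:].partition('"')[0] if rest.startswith('"') else (rest.split() or [""])[0]
    low = exe.lower()
    if not re.match(r"^[a-z]:\\", low):
        return [f"Run value launches {exe!r} without a resolvable drive path"]
    if re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", low) or "\\temp\\" in low:
        return [f"Run value launches {exe} from the Windows root or a temp folder"]
    return []

def triage(log_text):
    """Return the Findings a reviewer should look at, in log order."""
    entries = list(parse_entries(log_text))
    # ProxyOverride is only a bypass list; it matters only next to an active proxy.
    proxied = any(_setting_name(b) in PROXY_KEYS for s, b, _ in entries if s.startswith("R"))
    findings = []
    for section, body, line in entries:
        reasons = []
        if section == "O1":
            reasons = _hosts_reasons(body)
        elif section == "O4":
            reasons = _run_reasons(body)
        elif section == "O17":
            servers = body.partition("NameServer = ")[2].strip()
            if servers:
                reasons = [f"per-adapter DNS servers {servers}: confirm they belong to the ISP or router"]
        elif section == "O23" and body.endswith("(no file)"):
            reasons = ["service is registered but its binary is gone; delete the service entry"]
        elif section.startswith("R"):
            name = _setting_name(body)
            if name in PROXY_KEYS:
                reasons = [f"{name} is set: IE traffic is steered through it"]
            elif name == "ProxyOverride" and proxied:
                reasons = ["ProxyOverride bypass list sits alongside an active proxy"]
        findings.extend(Finding(section, r, line) for r in reasons)
    return findings

def summarize(findings):
    """Count findings per HJT section, e.g. {'O1': 2, 'O4': 2, 'O17': 1, 'O23': 1}."""
    return dict(Counter(f.section for f in findings))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run as a script it prints the six findings for the embedded sample; pass the text of a real log to triage() to use it on your own. It only covers the sections that matter in this thread, so O2/O3 browser helper objects and toolbars and the O20 to O22 entries still need a human eye.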

18 Posts

August 22nd, 2010 12:00

Kevin,  I was busy yesterday so you had the day off.  I'm back at it today.

1. Ran OTM and pasted logs

2. Loaded Malwarebytes cleanup tool, uninstalled Malwarebytes and rebooted.

3. Malwarebytes cleanup tool would not run; got the following message: "mbam-clean.exe is not a valid Win32 application"

4. Reloaded Malwarebytes and the update worked.   Updated from base 4052 to 4462.

5. Ran Malwarebytes and attached log (noticed at some point that AV was enabled, so I disabled it)

6. Started BitDefender.  Took about 2.5 hours to run.  Log attached

7.  Ran Hijackthis.  log attached.

I'm still trying to get SecurityCheck to run.  Still get the same fault indication.  It opens a DOS-type window and displays the following: "The system cannot find the path specified".  Then it goes on to say that it will check and then I should hit a key to continue.  It seems to run something but continually complains about bad paths.  It goes on to say it cannot find file "install.txt".  It seems to run to completion and displays a Notepad log that is empty.

########################################################################

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\555k5.dll
c:\windows\system32\Spool\prtprocs\w32x86\555k5.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\3qG9i17q.dll
c:\windows\system32\Spool\prtprocs\w32x86\3qG9i17q.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\K931793.dll
c:\windows\system32\Spool\prtprocs\w32x86\K931793.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\aAA9317u.dll
c:\windows\system32\Spool\prtprocs\w32x86\aAA9317u.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\31793aAA.dll
c:\windows\system32\Spool\prtprocs\w32x86\31793aAA.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\O5o5o.dll
c:\windows\system32\Spool\prtprocs\w32x86\O5o5o.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\1o9oC7.dll
c:\windows\system32\Spool\prtprocs\w32x86\1o9oC7.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\Spool\prtprocs\w32x86\YWS3e7.dll
c:\windows\system32\Spool\prtprocs\w32x86\YWS3e7.dll moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: A&C
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: A&C.SON
->Temp folder emptied: 183248 bytes
->Temporary Internet Files folder emptied: 7509394 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 882 bytes
 
User: A&C~SON
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 754 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 206 bytes
 
Total Files Cleaned = 7.00 mb
 
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTM Restore Point (0)
 
OTM by OldTimer - Version 3.1.15.0 log created on 08222010_093309

Files moved on Reboot...

Registry entries deleted on Reboot...

############################################################################

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4462

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

8/22/2010 10:18:32 AM
mbam-log-2010-08-22 (10-18-32).txt

Scan type: Quick scan
Objects scanned: 140461
Time elapsed: 8 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

##############################################################################

BitDefender Online Scanner

Scan report generated at: Sun, Aug 22, 2010 - 12:27:11
Scan path: A:\;C:\;D:\;E:\;

Statistics
  Time                01:42:59
  Files               281529
  Folders             11863
  Boot Sectors        0
  Archives            10167
  Packed Files        11265

Results
  Identified Viruses  5
  Infected Files      36
  Suspect Files       0
  Warnings            0
  Disinfected         0
  Deleted Files       70

Engines Info
  Virus Definitions   6166591
  Engine build        AVCORE v2.1 Windows/i386 11.0.0.33 (Jun 18 2010)
  Scan plugins        18
  Archive plugins     44
  Unpack plugins      10
  E-mail plugins      6
  System plugins      4

Scan Settings
  First Action        Disinfect
  Second Action       Delete
  Heuristics          Yes
  Enable Warnings     Yes
  Scanned Extensions  *;
  Exclude Extensions
  Scan Emails         Yes
  Scan Archives       Yes
  Scan Packed         Yes
  Scan Files          Yes
  Scan Boot           Yes

Scanned File | Status
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03500000.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.2260100
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03500000.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03500000.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN=>(Quarantine-9) | Infected with: Exploit.Win32.WMF-PFV
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN=>(Quarantine-9) | Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700000.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700000.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700000.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700001.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700001.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700001.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700002.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700002.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B700002.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C8C0000.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C8C0000.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C8C0000.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE00000.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE00000.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE00000.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80000.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80000.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80000.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80001.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80001.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80001.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80002.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80002.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80002.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80003.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80003.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80003.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80004.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80004.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80004.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80005.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80005.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80005.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80006.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80006.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80006.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80007.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80007.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80007.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80008.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80008.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80008.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80009.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80009.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE80009.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000A.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000A.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000A.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000B.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000B.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000B.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000C.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000C.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000C.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000D.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000D.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DE8000D.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00000.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00000.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00000.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00001.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00001.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00001.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00002.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00002.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00002.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00003.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00003.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00003.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00004.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00004.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00004.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00005.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00005.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00005.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00006.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00006.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00006.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00007.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00007.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00007.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00008.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00008.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00008.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00009.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00009.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00009.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF0000A.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.4164368
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF0000A.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF0000A.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA00000.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.1683779
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA00000.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA00000.VBN | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA40000.VBN=>(Quarantine-9) | Infected with: Trojan.Generic.1683779
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA40000.VBN=>(Quarantine-9) | Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA40000.VBN | Deleted
C:\Program Files\TurboTax\Deluxe 2004\32bit\ss.dll | Detected with: Gen:Adware.Heur.Fu8@WPJEaVai
C:\Program Files\TurboTax\Deluxe 2004\32bit\ss.dll | Disinfection failed
C:\Program Files\TurboTax\Deluxe 2004\32bit\ss.dll | Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP22\A0002720.dll | Detected with: Gen:Adware.Heur.Fu8@WPJEaVai
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP22\A0002720.dll | Disinfection failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP22\A0002720.dll | Deleted

 #############################################################################

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:47:24 PM, on 8/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ?\WkDetect.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1B0C432-8804-4466-B4A7-B5EC03032891}: NameServer = 69.66.0.20,69.66.1.20
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: mcupdmgr.exe - Sygate Technologies, Inc. - (no file)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

--
End of file - 10423 bytes

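As an added illustration, not part of any post in this thread: a small Python script that parses the R/O entries of a HijackThis log like the one above and attaches review hints to the kinds of lines a helper normally checks by hand (O23 services with no publisher or a missing file, O4 autostart entries without a drive-letter path, O17 DNS and R1 proxy overrides, O1 hosts-file mappings). The hints are prompts for a human reviewer, not verdicts. The sample input reuses lines from Larry's log plus one constructed O1 line (www.example.com) so the hosts-file check has something to fire on.

```python
import re
from dataclasses import dataclass, field

# Shape of a HijackThis entry: section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [Name] command
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt_log(text):
    """Return the R/F/O entries of a HijackThis log, skipping headers and the process list."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(entry):
    """Attach review hints to one entry. These are prompts for a human reviewer,
    not verdicts: each flagged line still needs its file or value checked by hand."""
    code, body = entry.code, entry.body
    if code == "O23":
        if "Unknown owner" in body:
            entry.flags.append("service lacks publisher information")
        if body.endswith("(no file)"):
            entry.flags.append("service registration points at a missing file")
    elif code == "O4":
        m = RUN_RE.search(body)
        if m and not DRIVE_RE.match(m.group("cmd").strip().strip('"')):
            entry.flags.append("autostart command has no drive-letter path")
    elif code == "O17":
        entry.flags.append("DNS NameServer override; confirm the addresses belong to the ISP or router")
    elif code == "O1" and "localhost" not in body:
        entry.flags.append("hosts file maps a non-loopback name")
    elif code == "R1" and "ProxyOverride" in body:
        # *.local is the Windows default for "bypass proxy for local addresses";
        # surfaced so the reviewer confirms the value rather than assuming it.
        entry.flags.append("proxy bypass list present; compare with the expected value")
    return entry


def section_counts(text):
    """How many entries each section code contributes."""
    counts = {}
    for e in parse_hjt_log(text):
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def flagged(text):
    """(code, body, flags) for every entry that earned at least one review hint."""
    return [(e.code, e.body, e.flags) for e in map(triage, parse_hjt_log(text)) if e.flags]


# Sample input (constructed for this example): lines taken from the log in this
# thread, plus one constructed O1 line (www.example.com) for the hosts-file check.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.example.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ?\WkDetect.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1B0C432-8804-4466-B4A7-B5EC03032891}: NameServer = 69.66.0.20,69.66.1.20
O23 - Service: mcupdmgr.exe - Sygate Technologies, Inc. - (no file)
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    print(section_counts(SAMPLE_LOG))
    for code, body, hints in flagged(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> {'; '.join(hints)}")
```

Run as-is it prints the per-section counts and the six lines that earned a hint; the O4 entry pointing at ?\WkDetect.exe and the O23 service registered with (no file) are the sort of lines it surfaces, while a normal autostart such as vptray passes through silently.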
1.1K Posts

August 22nd, 2010 13:00

Hi Larry,

Nothing to worry us in that Bitdefender log. The infected files were either locked in Quarantine or in system restore or deleted. The system restore entries will be removed when we clean up later.
Good news that Malwarebytes has updated and run successfully. If your system is responding OK with nothing unusual happening, I'd like to run one more diagnostic scan; if the two logs from the scan come back OK, we'll clean up and set you free.
One other point to note: you are using IE6; this needs to be updated to IE8. Proceed as follows:

We need to see some additional information about what is happening in your machine. 

Please perform the following scan:

  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.   
  • When done, DDS will open two (2) logs:
       1. DDS.txt
       2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.


Please note:  You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet. 
Information on A/V control HERE

Copy and paste both logs into your reply please,

Kevin.
