yellowdog9

Members
Posts: 17
Reputation: 0 Neutral
  1. w00t you! w00t mbam! mostly w00t you! Thanks so much, miekiemoes - I seem to be Trojan free (I'll post the mbam log below). I can't thank you enough for your attention, patience, and support. May I ask a question or two before we finish? 1. In my mbam Quarantine I have a long list of Trojans. Do I just let them alone, or should I click delete? Going forward, should that be the standard procedure if mbam picks up a trojan? 2. Does a purchased version of mbam offer the same kind of 'real-time' protection as my PCToolsSpywareDr, just, erm....better?? I've come here, using the free version of Malwarebytes, to fix a problem that PCTools allowed through, and received absolutely stellar assistance. If I'm going to pay for antivirus protection, I'd rather it be for software that does what it's advertised to do. Thanks again for the help...I'm off now to get my browser back *is really quite clueless sometimes*

     Malwarebytes' Anti-Malware 1.35
     Database version: 1917
     Windows 5.1.2600 Service Pack 3

     4/1/2009 6:06:06 PM
     mbam-log-2009-04-01 (18-06-06).txt

     Scan type: Quick Scan
     Objects scanned: 77897
     Time elapsed: 2 minute(s), 31 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  2. Thanks for coming back to help (just as a side note, I'd gotten my browser back last night - elves, I think - but it went again with this restart...no biggie - just mentioning it). Today's log:
  3. Thanks for the reassurance on the odd files. Thanks for staying up till the wee hours to help! ComboFix ran this time *phew* but somewhere in the middle of all of the reboots, my default browser was changed...lost all my bookmarks and things, and found myself on IE with about a bazillion Yahoo add-ons. Just took me a while to find my way back - nearly a dead panic when IE (which I don't usually use) wouldn't connect to the internet. Anyway - here's the log - and I'll be back tomorrow after work. Thanks again.
  4. Should I tell you now that in looking for the file you requested I just saw some stuff on my C drive that I've never seen before? Being a big baby, of course it scares the beejeezuz out of me. I don't know that it has anything to do with my particular infection or with the programs we've downloaded to fix it. And I know you're not psychic - just thought I should mention it. I opened one file (iSofterOutput0) and the browser crashed. Also see something called FileIn.CnS and FileOut.Cns, and a directory QooBox.
  5. uploaded successfully...thanks (had tried RAR, but not ZIP)
  6. I followed this route: C > Windows > (scary note about not modifying these files) > imm32.dll, then copied that file to a folder on my external drive (where I put anything I want to be able to find). I then followed your link, browsed to the file, but the upload failed - it said "you are not allowed to upload this type of file". Sorry - know it must be me...I appreciate you sticking with this....but how do I package the file for upload?
  7. done:

     Volume in drive C has no label.
     Volume Serial Number is 04E1-3A75

     Directory of c:\WINDOWS\$NtServicePackUninstall$

     02/28/2006  08:00 AM           110,080 imm32.dll
                    1 File(s)        110,080 bytes

     Directory of c:\WINDOWS\ServicePackFiles\i386

     04/13/2008  08:11 PM           110,080 imm32.dll
                    1 File(s)        110,080 bytes

     Directory of c:\WINDOWS\system32

     03/27/2009  04:27 PM           110,592 imm32.dll
                    1 File(s)        110,592 bytes

     Total Files Listed:
                    3 File(s)        330,752 bytes
                    0 Dir(s)  130,892,386,304 bytes free
  8. Thank you for staying with this....and me. You're correct, of course - I was logging in incorrectly. I was able to start ComboFix in Safe Mode but encountered much the same error. This time the message said file msmqytsoigt.dll would be disabled, but the errors that followed were the same as before. It took another restart to close the message box and close ComboFix. Here is the new HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:36 PM, on 3/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tmaconaxehizajif] rundll32.exe "C:\WINDOWS\emihazozahuyuruw.dll",e
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: omszag.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9100 bytes
  9. I feel like such a knob, but....in Safe Mode, the ComboFix.exe icon disappears from my desktop. Nor does it appear when I look in "All Programs". All the directions say "save to the desktop". Should I move it somewhere that I can locate while in Safe Mode?
  10. Thank you for your help - it is much appreciated. I downloaded ComboFix to my desktop, and disabled PCTools Spyware Dr (required a reboot). When I clicked on ComboFix.exe, the first window opened as expected and then I received the following message:

C:\Windows\System32\msmqytsoigt.dll has tried to attach to ComboFix. Please make note of the file for future reference.

I did just that and continued. ComboFix went as far as the message "Preparing to Run" when I received the following error:

CF23542.exe Unable to locate component. Application failed to start because msmqytsoigt.dll was not found. Reinstalling the application may fix this.

When I clicked OK, the same message appeared as the following errors:
NirCmd.cfexe
SWREG.cfexe
Attrib.cfexe
CF23542.exe
hidec.exe
Ping.exe
pv.cfexe
sort.exe
CombFix-Download.cfexe
FindSTR.cfexe

Clicking OK only resulted in the same messages appearing again, and the error message would not close. I tried patience (a last resort) but nothing seemed to be moving ahead. I was able to close the ComboFix window, but the error messages remained until I restarted. So I don't have a ComboFix log yet, nor has Recovery Console installed. Very sorry. I *am* trying!
  11. Thank you for taking the time to read/reply. And sorry about the other post - I really did think I had successfully removed the two items, and didn't want to bother y'all when so many folks are in need. I have done as you asked and unchecked wordwrap. Since reading your response I:
1. ran mbam, full scan - result was 2 infections
2. removed/rebooted
3. ran HijackThis
4. ran mbam/quick scan to see if the Trojans had been removed - 2 more showed up
5. removed/rebooted
6. ran HijackThis

Here are the logs - I hope the format is easier to read. Thanks again for the assistance.

Malwarebytes' Anti-Malware 1.35
Database version: 1917
Windows 5.1.2600 Service Pack 3

3/30/2009 7:42:46 PM
mbam-log-2009-03-30 (19-42-24).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 237207
Time elapsed: 56 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmaconaxehizajif (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\igupoyowuka.dll (Trojan.Agent) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:39 PM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: omszag.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9029 bytes

Malwarebytes' Anti-Malware 1.35
Database version: 1917
Windows 5.1.2600 Service Pack 3

3/30/2009 7:54:12 PM
mbam-log-2009-03-30 (19-53-28).txt

Scan type: Quick Scan
Objects scanned: 80107
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmaconaxehizajif (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ugeyetas.dll (Trojan.Agent) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:21 PM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: omszag.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8972 bytes
  12. I seem to have the recurring form of these bl**dy things. I run Malwarebytes, which finds them, select Remove, reboot, and then run another scan. And they're gone, but not for long. Always back again after a few hours. This time on the reboot I got a DLL error message that Windows couldn't find C:\WINDOWS\onewanom.dll, which was what I had mbam remove. Scared to death now that I've removed something needed..... Help from someone who knows a LOT more than me would be much appreciated. Here are the logs:

HiJack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:02 PM, on 3/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tmaconaxehizajif] rundll32.exe "C:\WINDOWS\iwejepuritucivi.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 -
Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O20 - AppInit_DLLs: omszag.dll O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. 
- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing) O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- End of file - 9101 bytes mbam: Malwarebytes' Anti-Malware 1.35 Database version: 1917 Windows 5.1.2600 Service Pack 3 3/29/2009 10:50:49 PM mbam-log-2009-03-29 (22-50-49).txt Scan type: Quick Scan Objects scanned: 79559 Time elapsed: 3 minute(s), 21 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmaconaxehizajif (Trojan.Agent) -> Quarantined and deleted successfully. 
Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\onewanom.dll (Trojan.Agent) -> Delete on reboot.
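A helper reading a log like the one above starts from its persistence entries, because each one is a separate way for a component to be started again after a reboot. The script below is an added example, not part of this thread and not HijackThis or Malwarebytes code: it scans HijackThis-format lines for O4 Run entries that start rundll32 with a DLL sitting directly in the Windows directory, any DLL listed under O20 AppInit_DLLs, and O23 services whose binary is reported as missing; the sample lines are constructed from the log above, and the function and tag names are my own.

```python
import re

# Constructed sample: a few HijackThis lines modelled on the log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tmaconaxehizajif] rundll32.exe "C:\WINDOWS\iwejepuritucivi.dll",e
O20 - AppInit_DLLs: omszag.dll
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
"""

# O4: a Run value that uses rundll32 to load a DLL placed directly in C:\WINDOWS
# (legitimate software normally installs under system32 or Program Files).
RUNDLL_IN_WINROOT = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] '
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\WINDOWS\\[^\\"]+\.dll)"?',
    re.IGNORECASE,
)
# O20: on Windows XP every DLL named in AppInit_DLLs is loaded into every
# process that loads user32.dll, so a non-empty value is always worth a look.
APPINIT = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>\S.*)$", re.IGNORECASE)
# O23: a registered service whose executable HijackThis could not find on disk.
SERVICE_MISSING = re.compile(
    r"^O23 - Service: (?P<svc>.+?) - .+ - (?P<path>[A-Za-z]:\\.+?) \(file missing\)$"
)


def triage(log_text):
    """Return (tag, detail) pairs for the persistence entries worth reviewing first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUNDLL_IN_WINROOT.match(line):
            findings.append(("run-rundll32-winroot",
                             f"{m['hive']} Run [{m['name']}] loads {m['dll']}"))
        elif m := APPINIT.match(line):
            # The value may list several DLLs separated by spaces or commas.
            for dll in re.split(r"[,\s]+", m["dlls"]):
                if dll:
                    findings.append(("appinit-dll", dll))
        elif m := SERVICE_MISSING.match(line):
            findings.append(("service-file-missing", f"{m['svc']} -> {m['path']}"))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(f"{tag:24} {detail}")
```

Each tag is a different persistence point; clearing one of them (as the mbam log shows for the Run value) does not clear the others, which is why a helper wants all three lists before deciding what to remove.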
  13. So apparently - just to make me look like a total noob - the Trojans did indeed come out. Three times through the Malwarebytes scan/remove/reboot, but they're out. So that I can learn from this, though, and not disturb those of you who are busy helping folks who are less fortunate with *their* removals, could anyone explain what just happened? Should I expect to run the tool more than once for some removals? Or is it likely that the two Trojans will appear again soon? And thanks to anyone who has taken the time to read/reply. This is a great forum - I see lots of people receiving expert assistance. Very nice.