Bill_M

Everything posted by Bill_M

  1. Excellent instruction. I was never in doubt. FBI MoneyPak has been removed and my system runs great. Will be visiting PayPal shortly. Thanks!

  2. AdwCleaner log after delete option followed by Security Check checkup.txt:

     # AdwCleaner v2.108 - Logfile created 01/24/2013 at 21:54:27
     # Updated 24/01/2013 by Xplode
     # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
     # User : Bill_2 - GKC8391
     # Boot Mode : Normal
     # Running from : C:\Documents and Settings\Bill_2\Desktop\adwcleaner.exe
     # Option [Delete]

     ***** [services] *****

     ***** [Files / Folders] *****

     ***** [Registry] *****

     Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
     Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
     Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
     Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
     Key Deleted : HKLM\Software\Viewpoint

     ***** [internet Browsers] *****

     -\\ Internet Explorer v8.0.6001.18702

     [OK] Registry is clean.

     *************************

     AdwCleaner[R1].txt - [1347 octets] - [24/01/2013 21:11:20]
     AdwCleaner[R2].txt - [1407 octets] - [24/01/2013 21:53:01]
     AdwCleaner[s1].txt - [1356 octets] - [24/01/2013 21:54:27]

     ########## EOF - C:\AdwCleaner[s1].txt - [1416 octets] ##########

     *****************************************************************************************************************************
     *****************************************************************************************************************************

     Results of screen317's Security Check version 0.99.57
     Windows XP Service Pack 3 x86
     Internet Explorer 8
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Disabled!
     HKR,,EventMessageFile,0x00020000,%%SystemRoot%%\System32\IoLogMsg.dll;%%SystemRoot%%\System32\drivers\PciPPorts.sys
     `````````Anti-malware/Other Utilities Check:`````````
     Spybot - Search & Destroy
     Norton Ghost
     Malwarebytes Anti-Malware version 1.61.0.1400
     Java™ 6 Update 15
     Java 2 Runtime Environment, SE v1.4.2_03
     Java version out of Date!
     Adobe Flash Player 10 Flash Player out of Date!
     Adobe Flash Player 10.1.102.64 Flash Player out of Date!
     ````````Process Check: objlist.exe by Laurent````````
     Malwarebytes Anti-Malware mbamservice.exe
     Malwarebytes Anti-Malware mbamgui.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:: 5%
     ````````````````````End of Log``````````````````````
  3. I don't see anything to keep.

     # AdwCleaner v2.108 - Logfile created 01/24/2013 at 21:11:20
     # Updated 24/01/2013 by Xplode
     # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
     # User : Bill_2 - GKC8391
     # Boot Mode : Normal
     # Running from : C:\Documents and Settings\Bill_2\Desktop\adwcleaner.exe
     # Option [search]

     ***** [services] *****

     ***** [Files / Folders] *****

     ***** [Registry] *****

     Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
     Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
     Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
     Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
     Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
     Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
     Key Found : HKLM\Software\Viewpoint

     ***** [internet Browsers] *****

     -\\ Internet Explorer v8.0.6001.18702

     [OK] Registry is clean.

     *************************

     AdwCleaner[R1].txt - [1218 octets] - [24/01/2013 21:11:20]

     ########## EOF - C:\AdwCleaner[R1].txt - [1278 octets] ##########
  4. Execution of your last instructions and resulting log. PC seems to be running fine for all users.

     ========== OTL ==========
     Registry value HKEY_USERS\S-1-5-21-2301580660-910432840-3679377455-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
     Registry value HKEY_USERS\S-1-5-21-2301580660-910432840-3679377455-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
     Registry value HKEY_USERS\S-1-5-21-2301580660-910432840-3679377455-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
     Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Google Search\ deleted successfully.
     Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Translate English Word\ deleted successfully.
     Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Backward Links\ deleted successfully.
     Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Cached Snapshot of Page\ deleted successfully.
     Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Similar Pages\ deleted successfully.
     Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Translate Page into English\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.

     OTL by OldTimer - Version 3.2.69.0 log created on 01242013_204331
  5. OTL scan results attached. Thank you and have a good night. OTL.Txt Extras.Txt
  6. PC is running fine, although I have not run or done anything other than what you have instructed me to do. Remember the problem occurred when another user with a limited account was logged in. I have been working under my admin account and have not attempted to log back into the limited account.
  7. Execution of previous directions and resulting log:

     ComboFix 13-01-23.01 - Bill_2 01/23/2013 21:58:00.2.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3710.2817 [GMT -5:00]
     Running from: c:\documents and settings\Bill_2\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Bill_2\Desktop\CFScript.txt
     AV: eEye Digital Security Blink Anti-Virus *Disabled/Outdated* {C4821238-EFD9-4B79-B2A5-40CE68D50E68}
     FW: eEye Digital Security Blink Firewall *Disabled* {AC6BB248-92AF-4E26-A70A-6E5FDB75C144}
      * Created a new restore point
     .
     FILE ::
     "c:\documents and settings\Missy\Local Settings\Application Data\d3d9caps.tmp"
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-12-24 to 2013-01-24 )))))))))))))))))))))))))))))))
     .
     .
     2013-01-23 02:45 . 2013-01-23 02:45 -------- d-----w- c:\documents and settings\Bill_2\Local Settings\Application Data\Conceiva
     2013-01-03 22:45 . 2013-01-03 22:45 -------- d-----w- c:\documents and settings\Missy\Local Settings\Application Data\Conceiva
     2013-01-03 01:20 . 2013-01-03 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Conceiva
     2013-01-03 01:19 . 2013-01-03 01:19 -------- d-----w- c:\program files\Conceiva
     2013-01-01 20:53 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
     2012-12-29 16:45 . 2012-12-29 16:45 -------- d-----w- c:\documents and settings\Missy\Local Settings\Application Data\MyEditor v5.00
     2012-12-29 16:45 . 2012-12-29 16:45 -------- d-----w- c:\windows\lhsp
     2012-12-29 16:44 . 2012-12-29 16:44 -------- d-----w- c:\program files\myeditor
     2012-12-29 16:44 . 2012-12-29 16:44 -------- d-----w- c:\documents and settings\All Users\MyEditor v5.00
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2013-01-22 22:22 . 2012-04-10 01:16 664 ----a-w- c:\documents and settings\Missy\Local Settings\Application Data\d3d9caps.tmp
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-28 160592]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280]
     "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
     "EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
     "vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2009-03-27 96816]
     "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
     "Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2009-08-03 2250088]
     "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
     "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
     .
     c:\documents and settings\Missy\Start Menu\Programs\Startup\
     MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-5-11 546816]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Blink.lnk - c:\program files\eEye Digital Security\Blink\Blink.exe [2012-4-28 273920]
     Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
     BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-3-3 81997]
     .
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
     .
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
     backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
     2008-04-23 08:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
     2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPMonitor]
     2010-08-25 16:27 84464 ----a-w- c:\program files\Roxio\CinePlayer\5.0\CPMonitor.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
     2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Disc Tool]
     2010-06-30 13:10 477680 ----a-w- c:\program files\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
     2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Garmin Lifetime Updater]
     2012-01-06 20:30 1446760 ----a-w- c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
     2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
     2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
     2005-12-29 06:47 98304 ----a-w- c:\program files\QuickTime\qttask.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
     2010-07-16 10:48 307184 ----a-w- c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]
     2011-06-01 16:42 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
     "c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
     "c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
     "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
     "c:\\Program Files\\APC\\PowerChute Business Edition\\agent\\pbeagent.exe"=
     "c:\\Program Files\\APC\\PowerChute Business Edition\\server\\pbeserver.exe"=
     "c:\\Program Files\\Common Files\\eEye Digital Security\\Application Bus\\eeyeevnt.exe"=
     "c:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\WiselinkPro.exe"=
     "c:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\http_ss_win_pro.exe"=
     "c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "5353:TCP"= 5353:TCP:Adobe CSI CS4
     "53168:TCP"= 53168:TCP:Mezzmo Media Server Service
     .
     R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/21/2011 7:15 PM 21488]
     R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/21/2011 7:15 PM 15856]
     R1 eeyeh;eeyeh;c:\windows\system32\drivers\eeyehf.sys [4/28/2012 8:09 PM 185560]
     R1 eeyen;eEye NDIS driver;c:\windows\system32\drivers\eeyen.sys [12/13/2011 8:08 PM 61264]
     R1 eeyet;eEye TDI driver;c:\windows\system32\drivers\eeyet.sys [4/28/2012 8:09 PM 78792]
     R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/21/2011 7:15 PM 25584]
     R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\App\SaibSVC.exe [6/2/2009 6:05 PM 457200]
     R2 APCPBEAgent;APC PBE Agent;c:\progra~1\APC\POWERC~1\agent\pbeagent.exe [5/8/2011 10:41 AM 28672]
     R2 APCPBEServer;APC PBE Server;c:\progra~1\APC\POWERC~1\server\PBESER~1.EXE [5/8/2011 10:44 AM 45134]
     R2 BlinkRM;eEye Blink Rule Manager;c:\program files\eEye Digital Security\Blink\BLINKRM.exe [4/28/2012 8:08 PM 189472]
     R2 blinksvc;eEye Blink Engine;c:\program files\eEye Digital Security\Blink\blinksvc.exe [4/28/2012 8:08 PM 90568]
     R2 BOT4Service;BOT4Service;c:\program files\Roxio\BackOnTrack\App\BService.exe [8/30/2010 10:14 PM 39408]
     R2 eEyeUpdateSvc;eEye Update Service;c:\program files\Common Files\eEye Digital Security\SyncIt\eEyeUpdateSvc.exe [11/10/2011 2:34 PM 91576]
     R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [1/14/2011 4:47 PM 70016]
     R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/17/2010 10:50 PM 654408]
     R2 Mezzmo;Mezzmo;c:\program files\Conceiva\Mezzmo\MezzmoMediaServer.exe [1/2/2013 8:20 PM 3119472]
     R2 ndiskio;eEye DirectDisk Access Driver;c:\windows\system32\drivers\Ndiskio.sys [3/2/2010 4:31 PM 20448]
     R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 11:42 AM 14088]
     R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/10/2004 1:50 PM 5120]
     R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [2/21/2011 9:07 PM 251736]
     R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [3/26/2009 11:05 PM 54960]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/17/2010 10:50 PM 22344]
     R3 PciSPorts;High-Speed PCI Serial Port;c:\windows\system32\drivers\PciSPorts.sys [5/8/2011 9:37 AM 119808]
     R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/21/2009 7:46 PM 47360]
     R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1562096]
     S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [7/16/2010 5:48 AM 354288]
     S3 AllShare;SAMSUNG AllShare Service;c:\program files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [7/16/2010 4:23 PM 6638080]
     S3 RoxMediaDB13;RoxMediaDB13;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [7/16/2010 5:48 AM 1099248]
     S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2013-01-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
     - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-07-11 20:31]
     .
     2013-01-19 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
     - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-07-11 20:31]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/ig/dell?hl=en
     IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
     IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
     IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
     IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
     IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
     IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
     IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
     IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
     IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
     IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
     LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
     TCP: DhcpNameServer = 192.168.1.254
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2013-01-23 22:02
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{82C3E419-1ABB-8FB4-3F58-1D22AF8C97DB}\InProcServer32*]
     "oagamicbndlbdkchomabmklmmbnkbi"=hex:6a,61,70,68,69,65,69,6f,61,6c,67,6a,63,64,
        66,62,66,65,62,6c,00,e1
     "nagackiddfipglmnknaflkbfdclj"=hex:6a,61,70,68,6a,65,62,6e,67,68,66,6c,65,63,
        67,6f,6e,68,64,64,00,f9
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'winlogon.exe'(880)
     c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
     .
     - - - - - - - > 'explorer.exe'(1044)
     c:\windows\system32\WININET.dll
     c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
     c:\program files\Windows Desktop Search\deskbar.dll
     c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
     c:\program files\Windows Desktop Search\dbres.dll
     c:\program files\Windows Desktop Search\wordwheel.dll
     c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
     c:\program files\Windows Desktop Search\msnlExtRes.dll
     c:\windows\system32\ieframe.dll
     c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
     .
     Completion time: 2013-01-23 22:04:56
     ComboFix-quarantined-files.txt 2013-01-24 03:04
     ComboFix2.txt 2013-01-24 02:15
     .
     Pre-Run: 636,231,680 bytes free
     Post-Run: 683,393,024 bytes free
     .
     - - End Of File - - 1B2349A95C72561C426ED44EF7EEEC48
  8. Here's the requested log.

     ************** Is it safe for this PC to be connected to the internet now? *******************************

     ComboFix 13-01-23.01 - Bill_2 01/23/2013 20:55:01.1.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3710.2920 [GMT -5:00]
     Running from: c:\documents and settings\Bill_2\Desktop\ComboFix.exe
     AV: eEye Digital Security Blink Anti-Virus *Disabled/Outdated* {C4821238-EFD9-4B79-B2A5-40CE68D50E68}
     FW: eEye Digital Security Blink Firewall *Disabled* {AC6BB248-92AF-4E26-A70A-6E5FDB75C144}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\windows\system32\SET140.tmp
     c:\windows\system32\SET14C.tmp
     c:\windows\system32\URTTemp
     c:\windows\system32\URTTemp\fusion.dll
     c:\windows\system32\URTTemp\mscoree.dll
     c:\windows\system32\URTTemp\mscoree.dll.local
     c:\windows\system32\URTTemp\mscorsn.dll
     c:\windows\system32\URTTemp\mscorwks.dll
     c:\windows\system32\URTTemp\msvcr71.dll
     c:\windows\system32\URTTemp\regtlib.exe
     c:\windows\system64
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-12-24 to 2013-01-24 )))))))))))))))))))))))))))))))
     .
     .
     2013-01-23 02:45 . 2013-01-23 02:45 -------- d-----w- c:\documents and settings\Bill_2\Local Settings\Application Data\Conceiva
     2013-01-03 22:45 . 2013-01-03 22:45 -------- d-----w- c:\documents and settings\Missy\Local Settings\Application Data\Conceiva
     2013-01-03 01:20 . 2013-01-03 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Conceiva
     2013-01-03 01:19 . 2013-01-03 01:19 -------- d-----w- c:\program files\Conceiva
     2013-01-01 20:53 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
     2012-12-29 16:45 . 2012-12-29 16:45 -------- d-----w- c:\documents and settings\Missy\Local Settings\Application Data\MyEditor v5.00
     2012-12-29 16:45 . 2012-12-29 16:45 -------- d-----w- c:\windows\lhsp
     2012-12-29 16:44 . 2012-12-29 16:44 -------- d-----w- c:\program files\myeditor
     2012-12-29 16:44 . 2012-12-29 16:44 -------- d-----w- c:\documents and settings\All Users\MyEditor v5.00
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2013-01-22 22:22 . 2012-04-10 01:16 664 ----a-w- c:\documents and settings\Missy\Local Settings\Application Data\d3d9caps.tmp
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-28 160592]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280]
     "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
     "EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
     "vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2009-03-27 96816]
     "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
     "Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2009-08-03 2250088]
     "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
     "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
     .
     c:\documents and settings\Missy\Start Menu\Programs\Startup\
     MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-5-11 546816]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Blink.lnk - c:\program files\eEye Digital Security\Blink\Blink.exe [2012-4-28 273920]
     Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
     BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-3-3 81997]
     .
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
     .
     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
     backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
     2008-04-23 08:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
     2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPMonitor]
     2010-08-25 16:27 84464 ----a-w- c:\program files\Roxio\CinePlayer\5.0\CPMonitor.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
     2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Disc Tool]
     2010-06-30 13:10 477680 ----a-w- c:\program files\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
     2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Garmin Lifetime Updater]
     2012-01-06 20:30 1446760 ----a-w- c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
     2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
     2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
     2005-12-29 06:47 98304 ----a-w- c:\program files\QuickTime\qttask.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
     2010-07-16 10:48 307184 ----a-w- c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]
     2011-06-01 16:42 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
     "c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
     "c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
     "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
     "c:\\Program Files\\APC\\PowerChute Business Edition\\agent\\pbeagent.exe"=
     "c:\\Program Files\\APC\\PowerChute Business Edition\\server\\pbeserver.exe"=
     "c:\\Program Files\\Common Files\\eEye Digital Security\\Application Bus\\eeyeevnt.exe"=
     "c:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\WiselinkPro.exe"=
     "c:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\http_ss_win_pro.exe"=
     "c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "5353:TCP"= 5353:TCP:Adobe CSI CS4
     "53168:TCP"= 53168:TCP:Mezzmo Media Server Service
     .
     R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/21/2011 7:15 PM 21488]
     R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/21/2011 7:15 PM 15856]
     R1 eeyeh;eeyeh;c:\windows\system32\drivers\eeyehf.sys [4/28/2012 8:09 PM 185560]
     R1 eeyen;eEye NDIS driver;c:\windows\system32\drivers\eeyen.sys [12/13/2011 8:08 PM 61264]
     R1 eeyet;eEye TDI driver;c:\windows\system32\drivers\eeyet.sys [4/28/2012 8:09 PM 78792]
     R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/21/2011 7:15 PM 25584]
     R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\App\SaibSVC.exe [6/2/2009 6:05 PM 457200]
     R2 APCPBEAgent;APC PBE Agent;c:\progra~1\APC\POWERC~1\agent\pbeagent.exe [5/8/2011 10:41 AM 28672]
     R2 APCPBEServer;APC PBE Server;c:\progra~1\APC\POWERC~1\server\PBESER~1.EXE [5/8/2011 10:44 AM 45134]
     R2 BlinkRM;eEye Blink Rule Manager;c:\program files\eEye Digital Security\Blink\BLINKRM.exe [4/28/2012 8:08 PM 189472]
     R2 blinksvc;eEye Blink Engine;c:\program files\eEye Digital Security\Blink\blinksvc.exe [4/28/2012 8:08 PM 90568]
     R2 BOT4Service;BOT4Service;c:\program files\Roxio\BackOnTrack\App\BService.exe [8/30/2010 10:14 PM 39408]
     R2 eEyeUpdateSvc;eEye Update Service;c:\program files\Common Files\eEye Digital Security\SyncIt\eEyeUpdateSvc.exe [11/10/2011 2:34 PM 91576]
     R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [1/14/2011 4:47 PM 70016]
     R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/17/2010 10:50 PM 654408]
     R2 Mezzmo;Mezzmo;c:\program files\Conceiva\Mezzmo\MezzmoMediaServer.exe [1/2/2013 8:20 PM 3119472]
     R2 ndiskio;eEye DirectDisk Access Driver;c:\windows\system32\drivers\Ndiskio.sys [3/2/2010 4:31 PM 20448]
     R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 11:42 AM 14088]
     R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/10/2004 1:50 PM 5120]
     R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [2/21/2011 9:07 PM 251736]
     R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [3/26/2009 11:05 PM 54960]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/17/2010 10:50 PM 22344]
     R3 PciSPorts;High-Speed PCI Serial Port;c:\windows\system32\drivers\PciSPorts.sys [5/8/2011 9:37 AM 119808]
     R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/21/2009 7:46 PM 47360]
     R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1562096]
     S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [7/16/2010 5:48 AM 354288]
     S3 AllShare;SAMSUNG AllShare Service;c:\program files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [7/16/2010 4:23 PM 6638080]
     S3 RoxMediaDB13;RoxMediaDB13;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [7/16/2010 5:48 AM 1099248]
     S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2013-01-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
     - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-07-11 20:31]
     .
     2013-01-19 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
     - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-07-11 20:31]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/ig/dell?hl=en
     IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
     IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
     IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
     IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
     IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
     IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
     IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
     IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
     IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
     IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
     LSP:
c:\program files\VMware\VMware Workstation\vsocklib.dll TCP: DhcpNameServer = 192.168.1.254 . - - - - ORPHANS REMOVED - - - - . HKLM-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe MSConfigStartUp-BuildBU - c:\dell\bldbubg.exe MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe HKLM_ActiveSetup-{DA89EF83-F349-41D6-A897-BA11E8A3968C} - MSIEXEC AddRemove-LAME for Audacity_is1 - h:\portableapps\AudacityPortable\App\LAME\unins000.exe AddRemove-{06706400-70cb-47eb-9fce-5acaed849161} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{13301a6f-7e55-4323-8b66-aaf46c5ff3a1} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{14c6d91a-b5fb-4895-a6ec-d5077ad1ee0b} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{2dd63795-f001-4223-a9aa-2838186e4668} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{46ea72bb-c98b-42c0-922a-bd844004e593} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{4e146242-3240-498a-8eb7-2ddd0f9264f5} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{67e18946-97e8-453d-8fa2-18271ffd41a2} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{69973e6a-e059-4b52-87cf-30be3423c681} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{7423d301-90ac-4f12-b9be-add0ab7ae7c1} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{8342c926-94f8-49dc-9baa-5e2b696be261} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{862bf750-880b-4f22-88fb-db9e2dce3b2f} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{9fe766cb-3142-4098-aab5-586af92f5bc7} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe 
AddRemove-{cc21c02c-fc49-416f-87d7-1ab658addb65} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{d3f3095a-f786-4e14-92d4-84331c753e37} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{d714e37a-142f-486c-a1aa-0b2849ea6f2c} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{e9b226d4-41f0-4490-a75c-de74742de5a9} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe AddRemove-{f6421e28-059c-458c-ac3a-d9bc19ad85fb} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-01-23 21:13 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{82C3E419-1ABB-8FB4-3F58-1D22AF8C97DB}\InProcServer32*] "oagamicbndlbdkchomabmklmmbnkbi"=hex:6a,61,70,68,69,65,69,6f,61,6c,67,6a,63,64, 66,62,66,65,62,6c,00,e1 "nagackiddfipglmnknaflkbfdclj"=hex:6a,61,70,68,6a,65,62,6e,67,68,66,6c,65,63, 67,6f,6e,68,64,64,00,f9 . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(880) c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll . Completion time: 2013-01-23 21:15:50 ComboFix-quarantined-files.txt 2013-01-24 02:15 . Pre-Run: 480,907,264 bytes free Post-Run: 609,714,176 bytes free . 
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect . - - End Of File - - 1B1948D618837D71B5AFFE6B26D4C178
9. RogueKiller Log as requested:

RogueKiller V8.4.3 [Jan 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bill_2 [Admin rights]
Mode : Scan -- Date : 01/23/2013 18:21:32

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[41] : NtCreateKey @ 0x806240F6 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB0360EFE)
SSDT[63] : NtDeleteKey @ 0x80624592 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB036136C)
SSDT[65] : NtDeleteValueKey @ 0x80624762 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB0361344)
SSDT[119] : NtOpenKey @ 0x806254D4 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB03610BA)
SSDT[247] : NtSetValueKey @ 0x80622668 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB03611FA)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB0362740)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB036224C)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB0361F34)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160828AS +++++
--- User ---
[MBR] 2ec62ffd137035f6192c2104643b5816
[BSP] 74c3e5f98933aa316c7c225b4c7cf3a6 : Dell MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 30004 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 304303230 | Size: 4000 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 61561080 | Size: 118526 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD1001FALS-00J7B0 +++++
--- User ---
[MBR] caac2e3fa058d4277820d50353b957f9
[BSP] c6ec5bbfedb2566dee2fe2327358ed06 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 20482875 | Size: 943865 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 10001 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_01232013_02d1821.txt >>
RKreport[1]_S_01232013_02d1821.txt

You didn't request DDS logs but they are attached if needed.
attach.txt
dds.txt
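The "Driver : [LOADED]" section above lists every SSDT entry that no longer points into the kernel. On their own, hooks on NtTerminateProcess, NtWriteVirtualMemory and the registry-key functions look like rootkit behaviour, but a HIPS such as eEye Blink hooks exactly those calls to protect itself, so the triage step is to attribute each hook to the driver that owns it and check that driver against the security products known to be installed (the ComboFix service list earlier in this thread shows eeyeh loading eeyehf.sys). The script below does that attribution. It is an added example, not part of the post and not RogueKiller code; the sample lines are constructed to mirror the report format (the xyzzy.sys line is invented so the unknown-driver path is exercised), and the KNOWN_DRIVERS allow-list is an assumption for illustration.

```python
"""
Triage SSDT hook lines from a RogueKiller report by owning driver.

Added example, not part of the forum post and not RogueKiller code. The line
shapes follow the report quoted above; SAMPLE_REPORT is constructed (xyzzy.sys
is invented) and KNOWN_DRIVERS is an assumed allow-list.
"""
import re
from collections import defaultdict

# Constructed sample in the shape RogueKiller prints. S_SSDT (shadow table)
# entries carry no original address, only the hooking module and address.
SAMPLE_REPORT = r"""
SSDT[41] : NtCreateKey @ 0x806240F6 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB0360EFE)
SSDT[247] : NtSetValueKey @ 0x80622668 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB03611FA)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB0362740)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB036224C)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB0361F34)
SSDT[63] : NtDeleteKey @ 0x80624592 -> HOOKED (\SystemRoot\system32\DRIVERS\xyzzy.sys @ 0xB9A01000)
"""

# Assumed allow-list: kernel drivers belonging to security products this machine
# is known to run (eeyehf.sys is loaded by the eEye "eeyeh" R1 service).
KNOWN_DRIVERS = {"eeyehf.sys": "eEye Blink (HIPS)"}

HOOK_RE = re.compile(
    r"^(?P<table>S_SSDT|SSDT)\[(?P<index>\d+)\] : (?P<func>\w+)"
    r"(?: @ 0x(?P<orig>[0-9A-Fa-f]+))? -> HOOKED \((?P<module>[^@]+?) @ 0x(?P<addr>[0-9A-Fa-f]+)\)$"
)


def parse_hooks(report_text):
    """Return one dict per HOOKED line: table, index, func, orig, module, addr, driver."""
    hooks = []
    for raw in report_text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue  # headers, hosts entries, MBR lines etc. are not hook records
        h = m.groupdict()
        h["index"] = int(h["index"])
        # Basename of the hooking module, lower-cased for allow-list lookup.
        h["driver"] = h["module"].rsplit("\\", 1)[-1].lower()
        hooks.append(h)
    return hooks


def triage(hooks, known=KNOWN_DRIVERS):
    """Group hooked functions by driver and mark whether the driver is expected."""
    by_driver = defaultdict(list)
    for h in hooks:
        by_driver[h["driver"]].append(h["func"])
    return {
        drv: {"functions": funcs, "known": drv in known, "product": known.get(drv)}
        for drv, funcs in by_driver.items()
    }


def unknown_hookers(hooks, known=KNOWN_DRIVERS):
    """Drivers that hook the SSDT but are not on the allow-list: these need a closer look."""
    return sorted(drv for drv, info in triage(hooks, known).items() if not info["known"])


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_REPORT)
    for drv, info in triage(hooks).items():
        tag = "expected (%s)" % info["product"] if info["known"] else "UNKNOWN - investigate"
        print("%-12s %-22s hooks: %s" % (drv, tag, ", ".join(info["functions"])))
    print("unknown hooking drivers:", unknown_hookers(hooks))
```

The allow-list is the weak point of this check: a driver name alone proves nothing, so in practice it should be backed by the file's digital signature and a hash comparison against the vendor's release, and any driver that is absent from the service list (the way yeddef.sys is marked "[?]" in the ComboFix log) but still hooking should be treated as unknown regardless of its name.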
10. My computer is infected with what is being described as the FBI Moneypak virus. It first appeared yesterday.

Sequence of events from yesterday (01/22/2013) in order of occurrence:

1) User Missy is logged in with a limited account.

2) Early a.m. scheduled Malwarebytes scan:

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2013.01.22.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Missy :: GKC8391 [limited]

Protection: Enabled

1/22/2013 5:36:25 AM
mbam-log-2013-01-22 (05-36-25).txt

Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 121204
Time elapsed: 1 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

3) Later in the day, a Malwarebytes pop-up window indicates a detection and the user selects quarantine.

4) Sometime later, the entire screen is filled with an intimidating message: FBI has locked your computer, etc., and a request for $200 to be paid through Moneypak.

5) I was able to switch to another user account.

6) User Bill is logged in with an admin account and user Missy is disconnected / logged out using Task Manager.

7) A Malwarebytes flash scan is initiated by me:

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2013.01.22.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Bill :: GKC8391 [administrator]

Protection: Disabled

1/22/2013 8:04:47 PM
mbam-log-2013-01-22 (20-04-47).txt

Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 208411
Time elapsed: 1 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Missy\Application Data\skype.dat (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

8) Here's the protection log from yesterday showing detections, if useful:

2013/01/22 01:00:00 -0500 GKC8391 Missy MESSAGE Executing scheduled scan: Quick Scan | Daily
2013/01/22 01:00:00 -0500 GKC8391 Missy MESSAGE Scheduled scan executed successfully
2013/01/22 05:36:00 -0500 GKC8391 Missy MESSAGE Executing scheduled update: Flash Scan | Daily
2013/01/22 05:36:12 -0500 GKC8391 Missy MESSAGE Starting database refresh
2013/01/22 05:36:12 -0500 GKC8391 Missy MESSAGE Scheduled update executed successfully: database updated from version v2013.01.21.10 to version v2013.01.22.02
2013/01/22 05:36:12 -0500 GKC8391 Missy MESSAGE Stopping IP protection
2013/01/22 05:36:12 -0500 GKC8391 Missy MESSAGE IP Protection stopped
2013/01/22 05:36:15 -0500 GKC8391 Missy MESSAGE Executing scheduled scan: Flash Scan | -terminate
2013/01/22 05:36:15 -0500 GKC8391 Missy MESSAGE Scheduled scan executed successfully
2013/01/22 05:36:27 -0500 GKC8391 Missy MESSAGE Database refreshed successfully
2013/01/22 05:36:27 -0500 GKC8391 Missy MESSAGE Starting IP protection
2013/01/22 05:37:20 -0500 GKC8391 Missy MESSAGE IP Protection started successfully
2013/01/22 17:14:29 -0500 GKC8391 Missy IP-BLOCK 69.6.27.100 (Type: outgoing)
2013/01/22 17:14:34 -0500 GKC8391 Missy DETECTION C:\Documents and Settings\Missy\Local Settings\Temp\LIF4R7TU3.exe Backdoor.0Access QUARANTINE
2013/01/22 17:14:38 -0500 GKC8391 Missy IP-BLOCK 69.6.27.100 (Type: outgoing)
2013/01/22 17:15:11 -0500 GKC8391 Missy DETECTION C:\Documents and Settings\Missy\Local Settings\Temp\~!#12A.tmp Trojan.Medfos QUARANTINE
2013/01/22 20:03:54 -0500 GKC8391 Bill_2 MESSAGE Stopping IP protection
2013/01/22 20:03:54 -0500 GKC8391 Bill_2 MESSAGE IP Protection stopped

9) Screen shot of quarantine list shown below.

10) I unplugged the network cable after reading similar posts.

11) A Malwarebytes scan from this morning (01/23/2013) shows no detections. No doubt this is not the end of it.

I will not be able to use System Restore to correct the problem. I am at work now and will download DDS to a flash drive and take it home with me. I will run it tonight and post the resulting logs from another PC.

I am running the RoboForm password manager application, on the infected PC, which utilizes encryption. Do I need to be concerned about stolen passwords?

Feel free to post any other instructions for me in the meantime. Thanks!
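The protection log in step 8 is the most useful artifact in this post for reconstructing what happened: an outbound connection to one IP is blocked, five seconds later a dropper is quarantined from the limited user's Temp folder, the same IP is blocked again, and a second file is quarantined. Reading those lines by eye works for a handful of entries; the script below parses the format into a timeline, pulls the indicators (blocked IPs, quarantined paths, threat names), pairs each detection with the IP blocks that preceded it within a short window, and flags detections dropped inside the logged-in user's own profile. It is an added example, not part of the post and not Malwarebytes code; the sample is constructed to mirror the quoted lines, the 60-second correlation window is an assumption chosen for illustration, and the profile check assumes the Windows XP "Documents and Settings" layout shown in the log.

```python
"""
Build an incident timeline from Malwarebytes 1.x protection-log lines.

Added example, not part of the forum post and not Malwarebytes code. The
line format follows the log quoted in the post; SAMPLE_LOG is constructed
to mirror it, the 60 s correlation window is an assumption, and the profile
check assumes the XP "C:\\Documents and Settings\\<user>\\" layout.
"""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the protection log quoted in the post.
SAMPLE_LOG = r"""
2013/01/22 05:36:12 -0500 GKC8391 Missy MESSAGE Scheduled update executed successfully: database updated from version v2013.01.21.10 to version v2013.01.22.02
2013/01/22 17:14:29 -0500 GKC8391 Missy IP-BLOCK 69.6.27.100 (Type: outgoing)
2013/01/22 17:14:34 -0500 GKC8391 Missy DETECTION C:\Documents and Settings\Missy\Local Settings\Temp\LIF4R7TU3.exe Backdoor.0Access QUARANTINE
2013/01/22 17:14:38 -0500 GKC8391 Missy IP-BLOCK 69.6.27.100 (Type: outgoing)
2013/01/22 17:15:11 -0500 GKC8391 Missy DETECTION C:\Documents and Settings\Missy\Local Settings\Temp\~!#12A.tmp Trojan.Medfos QUARANTINE
2013/01/22 20:03:54 -0500 GKC8391 Bill_2 MESSAGE Stopping IP protection
"""

# "<date> <time> <utc offset> <host> <user> <kind> <detail>"
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<kind>MESSAGE|IP-BLOCK|DETECTION) (?P<detail>.*)$"
)
IPBLOCK_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+)\)$")
# Assumed XP profile layout; on Vista+ this would be C:\Users\<user>\.
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\(?P<profile>[^\\]+)\\", re.IGNORECASE)


def parse_protection_log(text):
    """Return events sorted by time; DETECTION and IP-BLOCK lines get extra fields."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev.pop("stamp"), "%Y/%m/%d %H:%M:%S %z")
        if ev["kind"] == "IP-BLOCK":
            ipm = IPBLOCK_RE.match(ev["detail"])
            if ipm:
                ev.update(ipm.groupdict())
        elif ev["kind"] == "DETECTION":
            # "<path with spaces> <threat> <action>": the path may contain spaces,
            # so split the last two tokens off from the right.
            parts = ev["detail"].rsplit(" ", 2)
            if len(parts) == 3:
                path, threat, action = parts
                pm = PROFILE_RE.match(path)
                ev.update(path=path, threat=threat, action=action,
                          profile=pm.group("profile") if pm else None)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def extract_iocs(events):
    """Indicators worth checking on other hosts: blocked IPs, dropped files, threat names."""
    iocs = {"ips": set(), "files": [], "threats": set()}
    for ev in events:
        if ev["kind"] == "IP-BLOCK" and "ip" in ev:
            iocs["ips"].add(ev["ip"])
        elif ev["kind"] == "DETECTION" and "path" in ev:
            iocs["files"].append(ev["path"])
            iocs["threats"].add(ev["threat"])
    return iocs


def correlate(events, window=timedelta(seconds=60)):
    """For each detection, the IP blocks by the same user in the `window` before it."""
    blocks = [e for e in events if e["kind"] == "IP-BLOCK"]
    out = []
    for det in (e for e in events if e["kind"] == "DETECTION"):
        related = [b for b in blocks
                   if b["user"] == det["user"] and timedelta(0) <= det["ts"] - b["ts"] <= window]
        out.append({"detection": det, "blocks": related})
    return out


def dropped_in_own_profile(events):
    """Detections whose path sits inside the profile of the user that was logged in."""
    return [e["path"] for e in events
            if e["kind"] == "DETECTION" and e.get("profile")
            and e["profile"].lower() == e["user"].lower()]


if __name__ == "__main__":
    evs = parse_protection_log(SAMPLE_LOG)
    for e in evs:
        print(e["ts"].isoformat(), e["user"], e["kind"], e["detail"][:60])
    print("IOCs:", extract_iocs(evs))
    for c in correlate(evs):
        print("%s preceded by %d block(s)" % (c["detection"]["path"], len(c["blocks"])))
    print("dropped in the user's own profile:", dropped_in_own_profile(evs))
```

The correlation is deliberately loose (same user, any block in the preceding minute) because a protection log has no process IDs to join on; its value is in ordering the facts, not proving causation. The output also makes two things explicit that matter for the clean-up: every detection happened under the limited account and inside that account's writable profile, and the outbound block means the dropper was already talking to a remote host before it was quarantined, so the IP belongs on the list of indicators to check against the router and any other machines on the LAN.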