ingloriousBIG

Honorary Members
  • Posts: 41
  • Joined
  • Last visited
  • Reputation: 0 Neutral
  1. http://www.pcpitstop.com/betapit/sec.asp?conid=23113057
  2. I can't seem to download the plugin for the PC testing. Once downloaded, I can't locate npmeadax.dll to put into the plugins folder.
  3. Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 3:50:12 PM, on 12/20/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16945)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
     C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Norton AntiVirus\navapsvc.exe
     C:\Program Files\Norton AntiVirus\SAVScan.exe
     C:\Program Files\Viewpoint\Common\ViewpointService.exe
     C:\WINDOWS\wanmpsvc.exe
     C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\zHotkey.exe
     C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\Program Files\eMachines Bay Reader\shwiconem.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
     C:\Program Files\QuickTime\QTTask.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\AIM6\aim6.exe
     C:\Program Files\BigFix\BigFix.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\AIM6\aolsoftware.exe
     C:\WINDOWS\explorer.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Program Files\Messenger\msmsgs.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
     O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
     O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
     O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
     O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
     O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
     O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
     O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
     O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
     O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
     O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
     O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
     O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
     O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
     O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
     O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
     O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
     O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1251683478609
     O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
     O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
     O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
     O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
     O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
     O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
     O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

     --
     End of file - 7554 bytes
  4. ComboFix 09-12-19.04 - Jon 12/20/2009 15:32:37.2.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.256 [GMT -8:00]
     Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
     FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
     .
     ((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
     .
     2009-12-18 03:52 . 2009-12-18 03:52 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes
     2009-12-18 03:52 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-12-18 03:52 . 2009-12-18 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-12-18 03:52 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-12-18 03:52 . 2009-12-18 03:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-12-18 03:04 . 2009-12-18 03:04 -------- d--h--w- c:\windows\PIF
     2009-12-18 02:58 . 2009-12-18 02:58 -------- d-----w- c:\program files\Trend Micro
     2009-12-14 05:37 . 2009-12-14 05:37 -------- d-----w- c:\windows\system32\scripting
     2009-12-14 05:37 . 2009-12-14 05:37 -------- d-----w- c:\windows\l2schemas
     2009-12-14 05:37 . 2009-12-14 05:37 -------- d-----w- c:\windows\system32\en
     2009-12-08 23:49 . 2009-12-16 22:54 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Temp
     2009-12-08 23:45 . 2009-12-08 23:51 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Google
     2009-11-26 06:00 . 2009-11-26 07:02 -------- d-----w- c:\documents and settings\Jon\Application Data\Move Networks
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-12-19 00:25 . 2004-05-12 09:55 96512 ------w- c:\windows\system32\drivers\atapi.sys
     2009-12-15 01:12 . 2009-09-02 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
     2009-12-14 05:50 . 2004-05-12 09:50 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
     2009-12-14 05:04 . 2009-10-24 05:38 -------- d-----w- c:\documents and settings\Jon\Application Data\AdobeUM
     2009-12-09 11:09 . 2009-10-28 10:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
     2009-11-20 08:44 . 2009-09-02 03:29 70264 ----a-w- c:\documents and settings\Allan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-11-20 08:24 . 2009-11-20 08:19 -------- d-----w- c:\documents and settings\Allan\Application Data\Move Networks
     2009-11-20 08:20 . 2009-11-20 08:20 127872 ----a-w- c:\documents and settings\Allan\Application Data\Move Networks\uninstall.exe
     2009-11-20 08:19 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Allan\Application Data\Move Networks\plugins\npqmp071503000010.dll
     2009-11-16 18:59 . 2009-09-02 04:08 70264 ----a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-11-07 10:37 . 2009-11-07 10:37 -------- d-----w- c:\program files\MSBuild
     2009-11-07 10:37 . 2009-11-07 10:37 -------- d-----w- c:\program files\Reference Assemblies
     2009-11-07 10:30 . 2009-11-07 10:30 -------- d-----w- c:\program files\MSXML 6.0
     2009-11-03 08:26 . 2004-05-12 10:19 -------- d-----w- c:\program files\Microsoft Works
     2009-10-29 07:46 . 2006-06-23 18:33 832512 ------w- c:\windows\system32\wininet.dll
     2009-10-29 07:46 . 2009-09-01 20:46 78336 ------w- c:\windows\system32\ieencode.dll
     2009-10-29 07:46 . 2004-05-12 09:42 17408 ------w- c:\windows\system32\corpol.dll
     2009-10-28 11:31 . 2009-10-28 09:40 -------- d-----w- c:\documents and settings\Jon\Application Data\GetRightToGo
     2009-10-28 09:25 . 2009-10-28 09:25 -------- d-----w- c:\program files\MSECache
     2009-10-21 05:38 . 2009-09-01 20:46 25088 ----a-w- c:\windows\system32\httpapi.dll
     2009-10-21 05:38 . 2009-09-01 20:45 75776 ----a-w- c:\windows\system32\strmfilt.dll
     2009-10-20 16:20 . 2009-09-01 20:46 265728 ----a-w- c:\windows\system32\drivers\http.sys
     2009-10-13 10:30 . 2006-05-14 09:13 270336 ----a-w- c:\windows\system32\oakley.dll
     2009-10-12 13:38 . 2004-05-12 09:43 149504 ----a-w- c:\windows\system32\rastls.dll
     2009-10-12 13:38 . 2004-05-12 09:43 79872 ----a-w- c:\windows\system32\raschap.dll
     2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
     2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
     2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
     2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
     2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
     2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
     2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
     2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
     "Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
     "Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-08 135664]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "CHotkey"="zHotkey.exe" [2003-06-03 496640]
     "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-23 71280]
     "NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 124096]
     "SunKistEM"="c:\program files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 135168]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-01 149280]
     "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-09-01 95960]
     "OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
     "OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
     BigFix.lnk - c:\program files\BigFix\BigFix.exe [2004-5-12 1742384]

     [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
     "NoSetActiveDesktop"= 1 (0x1)
     "NoActiveDesktopChanges"= 1 (0x1)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\AIM6\\aim6.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

     R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [9/1/2009 10:53 AM 704384]
     R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [9/1/2009 10:51 AM 1195008]
     R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [9/1/2009 10:51 AM 31128]
     R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [9/1/2009 10:53 AM 257432]
     S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.emachines.com/
     uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
     uInternet Settings,ProxyOverride = *.local
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
     FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\yodx80lh.default\
     FF - plugin: c:\documents and settings\Allan\Application Data\Move Networks\plugins\npqmp071503000010.dll
     FF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
     FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
     FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-12-20 15:40
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'explorer.exe'(3736)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\mshtml.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     Completion time: 2009-12-20 15:46:13
     ComboFix-quarantined-files.txt 2009-12-20 23:45
     ComboFix2.txt 2009-12-19 23:16

     Pre-Run: 28,933,685,248 bytes free
     Post-Run: 28,901,220,352 bytes free

     - - End Of File - - 3B706F8F76922604B209ABAC2D927144
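The HijackThis entries in post 3 and the ComboFix file listings in post 4 are exactly the material a forum helper reads by eye. The Python below is an added example, not code from this thread or from either tool: it parses both line formats into records and applies three plain triage checks (O4 autostarts whose binary lives under a user profile, O4 autostarts given only as a bare file name, and driver files whose leading timestamp falls after a cut-off date, together with the gap between an entry's two timestamps). The sample lines are a constructed subset copied from the posts above; the cut-off date and the heuristics are this example's own assumptions, and it deliberately does not assume which of ComboFix's two timestamps is last-write and which is creation.

```python
"""Triage helpers for the HijackThis and ComboFix line formats (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# HijackThis entry: "<code> - <body>", e.g. "O23 - Service: Name (svc) - Vendor - C:\path"
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-qualified binary path in an entry body (8.3 names such as PROGRA~1 are kept).
WIN_PATH = re.compile(r'(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|lnk))', re.IGNORECASE)
# ComboFix file listing: "<ts> . <ts> <size|--------> <attrs> <path>". Both timestamps are
# kept as-is; the example does not assume which is last-write and which is creation.
CF_LINE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"  # assumed prefix of interest for the driver check


@dataclass
class HjtEntry:
    code: str            # section code: R1, O4, O23, ...
    body: str            # text after "<code> - "
    path: Optional[str]  # first drive-qualified binary path; None for a bare file name


@dataclass
class CfEntry:
    ts1: datetime        # leading timestamp (the column ComboFix sorts the listing on)
    ts2: datetime        # second timestamp
    size: Optional[int]  # None for directories ("--------")
    attrs: str
    path: str


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HijackThis entry lines; the header and process list do not match and are skipped."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            pm = WIN_PATH.search(m["body"])
            out.append(HjtEntry(m["code"], m["body"], pm["path"] if pm else None))
    return out


def parse_combofix(text: str) -> List[CfEntry]:
    """Parse ComboFix 'Files Created' / 'Find3M' lines; banners and registry lines are skipped."""
    out = []
    for line in text.splitlines():
        m = CF_LINE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            out.append(CfEntry(datetime.strptime(m["ts1"], "%Y-%m-%d %H:%M"),
                               datetime.strptime(m["ts2"], "%Y-%m-%d %H:%M"),
                               size, m["attrs"], m["path"]))
    return out


def profile_autostarts(entries: List[HjtEntry]) -> List[HjtEntry]:
    """O4 autostarts whose binary sits under a user profile, i.e. writable without admin rights on XP."""
    return [e for e in entries if e.code == "O4" and e.path
            and "\\documents and settings\\" in e.path.lower()]


def unqualified_autostarts(entries: List[HjtEntry]) -> List[HjtEntry]:
    """O4 autostarts given as a bare file name, so resolved through the search path at logon."""
    return [e for e in entries if e.code == "O4" and e.path is None]


def recent_files_under(entries: List[CfEntry], prefix: str, since: str) -> List[CfEntry]:
    """Files (not directories) under prefix whose leading timestamp is on/after since (YYYY-MM-DD), newest first."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    hits = [e for e in entries if e.size is not None
            and e.path.lower().startswith(prefix.lower()) and e.ts1 >= cutoff]
    return sorted(hits, key=lambda e: e.ts1, reverse=True)


def timestamp_gap_days(e: CfEntry) -> int:
    """Whole days between an entry's two timestamps; a multi-year gap on a core driver is worth a look."""
    return abs(e.ts1 - e.ts2).days


# Constructed samples: a handful of lines copied from the logs posted above, not the full logs.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
"""
CF_SAMPLE = r"""
2009-12-19 00:25 . 2004-05-12 09:55 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-18 03:52 . 2009-12-18 03:52 -------- d-----w- c:\program files\Trend Micro
2009-12-18 03:52 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 16:20 . 2009-09-01 20:46 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-29 07:46 . 2004-05-12 09:42 17408 ------w- c:\windows\system32\corpol.dll
"""

if __name__ == "__main__":
    hjt = parse_hjt(HJT_SAMPLE)
    for e in profile_autostarts(hjt):
        print("autostart in user profile:", e.path)
    for e in unqualified_autostarts(hjt):
        print("autostart with bare file name:", e.body)
    for e in recent_files_under(parse_combofix(CF_SAMPLE), DRIVERS_DIR, "2009-12-01"):
        print(f"driver written since cut-off: {e.path} ({e.ts1:%Y-%m-%d}, gap {timestamp_gap_days(e)} days)")
```

Run it directly to print the findings for the embedded sample, or pass the full text of a posted log to parse_hjt and parse_combofix. The three checks are prompts for a closer look, not verdicts: a legitimate updater does live under a user profile, a bare file name can resolve to a vendor binary in the Windows directory, and a driver can legitimately be rewritten by an update, so each hit still needs a hash lookup or a vendor check before anything is removed.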
  5. I'm not sure if those are the results you were looking for. I used to use Avira, but my computer was ridiculously slow when it was installed. So to answer your question, no, I'm not using any antivirus protection at the moment. If you could suggest an antivirus program that didn't keep my programs from moving at a snail's pace, literally, then I would appreciate it.
  6. File SandBox.sys received on 2009.12.01 09:46:18 (UTC)

     Antivirus          Version          Last Update   Result
     a-squared          4.5.0.43         2009.12.01    -
     AhnLab-V3          5.0.0.2          2009.12.01    -
     AntiVir            7.9.1.88         2009.12.01    -
     Antiy-AVL          2.0.3.7          2009.12.01    -
     Authentium         5.2.0.5          2009.12.01    -
     Avast              4.8.1351.0       2009.11.30    -
     AVG                8.5.0.426        2009.12.01    -
     BitDefender        7.2              2009.12.01    -
     CAT-QuickHeal      10.00            2009.12.01    -
     ClamAV             0.94.1           2009.12.01    -
     Comodo             3099             2009.12.01    -
     DrWeb              5.0.0.12182      2009.12.01    -
     eSafe              7.0.17.0         2009.11.30    -
     eTrust-Vet         35.1.7150        2009.12.01    -
     F-Prot             4.5.1.85         2009.11.30    -
     F-Secure           9.0.15370.0      2009.11.29    -
     Fortinet           4.0.14.0         2009.12.01    -
     GData              19               2009.12.01    -
     Ikarus             T3.1.1.74.0      2009.12.01    -
     Jiangmin           11.0.800         2009.12.01    -
     K7AntiVirus        7.10.906         2009.11.27    -
     Kaspersky          7.0.0.125        2009.12.01    -
     McAfee             5818             2009.11.30    -
     McAfee+Artemis     5818             2009.11.30    -
     McAfee-GW-Edition  6.8.5            2009.12.01    -
     Microsoft          1.5302           2009.12.01    -
     NOD32              4650             2009.11.30    -
     Norman             6.03.02          2009.11.30    -
     nProtect           2009.1.8.0       2009.11.28    -
     Panda              10.0.2.2         2009.11.30    -
     PCTools            7.0.3.5          2009.12.01    -
     Prevx              3.0              2009.12.01    -
     Rising             22.24.01.04      2009.12.01    -
     Sophos             4.48.0           2009.12.01    -
     Sunbelt            3.2.1858.2       2009.12.01    -
     Symantec           1.4.4.12         2009.12.01    -
     TheHacker          6.5.0.2.082      2009.11.30    -
     TrendMicro         9.100.0.1001     2009.12.01    -
     VBA32              3.12.12.0        2009.11.30    -
     ViRobot            2009.12.1.2064   2009.12.01    -
     VirusBuster        5.0.21.0         2009.11.30    -

     Additional information
     File size: 704384 bytes
     MD5   : 57ef0a92bada411c563384c08a4a25cd
     SHA1  : a339c364e54d69cbaf2a2701ee3adac5dd94ff6d
     SHA256: dcdb8354744e6ed8afc7dc605592811425d97ff567178b92a94c1318bb2ffcc0
     PEInfo: PE Structure information

     ( base data )
     entrypointaddress.: 0x317A0
     timedatestamp.....: 0x49D9B126 (Mon Apr 6 09:37:10 2009)
     machinetype.......: 0x14C (Intel I386)

     ( 5 sections )
     name    viradd   virsiz   rawdsiz  ntrpy  md5
     .text   0x2A0    0x9C944  0x9C960  6.21   da2364b6b7818dfda3fc00f7b3f9521b
     .data   0x9CC00  0x44F4   0x4500   1.15   ca80c08cb675b67711af6e5f4605acd5
     INIT    0xA1100  0xEDC    0xEE0    5.61   2d3c2bc3f8f2d6864c49841eddc372c5
     .rsrc   0xA1FE0  0x398    0x3A0    3.35   5e72c3413e829c35ec0e716aeb6f99e5
     .reloc  0xA2380  0x81AC   0x81C0   6.81   f383a0d9ef7c63e9421d0c3d349b2968

     ( 2 imports )
     > hal.dll: KeQueryPerformanceCounter, KeGetCurrentIrql, HalMakeBeep
     > ntoskrnl.exe: ZwOpenSection, RtlNtStatusToDosErrorNoTeb, ZwCreateFile, IoCreateFile, ZwOpenFile, ObfDereferenceObject, ZwClose, ZwWaitForSingleObject, ZwSetEvent, ZwQueryDirectoryFile, ZwSetInformationFile, ZwDeleteFile, ZwMakeTemporaryObject, ZwCreateSymbolicLinkObject, ZwOpenKey, ZwCreateKey, ZwDeleteKey, ZwEnumerateKey, ZwEnumerateValueKey, memset, ZwQueryKey, ZwQueryValueKey, ZwSetValueKey, ZwReplaceKey, ZwSaveKey, ZwDeleteValueKey, NtSetInformationFile, NtBuildNumber, ZwSetSystemInformation, ZwLoadDriver, ZwUnloadDriver, ZwOpenThread, ZwOpenProcess, IoGetCurrentProcess, ZwTerminateProcess, ZwRequestWaitReplyPort, memcpy, _allshl, _aullshr, KeDelayExecutionThread, SeCreateClientSecurity, KeGetCurrentThread, SeTokenType, IoDeleteDevice, IoDeleteSymbolicLink, IoUnregisterShutdownNotification, InterlockedCompareExchange, PsCreateSystemThread, KeInitializeEvent, IoRegisterShutdownNotification, IoCreateUnprotectedSymbolicLink, IoCreateDevice, RtlInitUnicodeString, IofCompleteRequest, RtlCopyUnicodeString, PsTerminateSystemThread, KeClearEvent, KeReadStateEvent, InterlockedExchangeAdd, ExAllocatePoolWithTag, ExFreePool, _strnicmp, KeWaitForSingleObject, KeSetEvent, KeQuerySystemTime, IoIsSystemThread, IoThreadToProcess, NtQueryInformationProcess, KeDetachProcess, PsGetProcessExitTime, KeAttachProcess, KeIsExecutingDpc, ExGetPreviousMode, MmSectionObjectType, ObReferenceObjectByHandle, PsLookupProcessByProcessId, PsIsThreadTerminating, PsLookupThreadByThreadId, ZwQueryInformationProcess, ObOpenObjectByPointer, PsProcessType, MmIsAddressValid, RtlNtStatusToDosError, PsThreadType, ObReferenceObjectByPointer, ObReferenceObjectByName, IoFileObjectType, PsGetCurrentProcessId, strncpy, RtlIsNameLegalDOS8Dot3, RtlAnsiStringToUnicodeString, RtlUnicodeStringToAnsiString, RtlUpcaseUnicodeString, ZwQueryObject, IoGetDeviceObjectPointer, wcschr, ZwQuerySymbolicLinkObject, ZwOpenSymbolicLinkObject, RtlMapGenericMask, IoQueryFileInformation, IofCallDriver, IoAllocateIrp, IoFreeIrp, IoFreeMdl, MmUnlockPages, MmUnmapLockedPages, MmMapLockedPages, IoGetRelatedDeviceObject, IoSetInformation, ExEventObjectType, _allmul, _aulldiv, RtlImageNtHeader, ZwQuerySystemInformation, _stricmp, ZwUnmapViewOfSection, ZwMapViewOfSection, KeServiceDescriptorTable, KeAddSystemServiceTable, KeInsertQueueApc, KeInitializeApc, MmCreateSection, MmUnmapViewOfSection, MmMapViewOfSection, KeNumberProcessors, PsGetVersion, RtlQueryRegistryValues, RtlAppendUnicodeToString, RtlWriteRegistryValue, _snwprintf, KeBugCheckEx, DbgBreakPoint, RtlCompareMemory, RtlTimeToTimeFields, ExSystemTimeToLocalTime, InterlockedExchange, ZwQueryInformationFile, MmUnmapIoSpace, MmMapIoSpace, RtlEnlargedIntegerMultiply, ZwReadFile, DbgPrint, _aullrem, RtlUnwind, InterlockedIncrement, InterlockedDecrement, ObQueryNameString, ZwCreateSection

     ( 0 exports )

     TrID : File type identification
     Windows Screen Saver (51.1%)
     Win32 Executable Generic (33.2%)
     Generic Win/DOS Executable (7.8%)
     DOS Executable Generic (7.8%)
     Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
     ssdeep: 12288:bvtxGaBa6SUnSCjgXNLlmvEN2vSfDJEST8kmDKCU2VCM1HE+a:bvNBaLSbgXNLlmvEN2vAVlT8 dDKh2VCV
     PEiD : -
     RDS : NSRL Reference Data Set
     -
  7. Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 3:20:39 PM, on 12/19/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16945)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Norton AntiVirus\navapsvc.exe
     C:\Program Files\Norton AntiVirus\SAVScan.exe
     C:\Program Files\Viewpoint\Common\ViewpointService.exe
     C:\WINDOWS\wanmpsvc.exe
     C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\zHotkey.exe
     C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\Program Files\eMachines Bay Reader\shwiconem.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Program Files\QuickTime\QTTask.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Messenger\msmsgs.exe
     C:\Program Files\AIM6\aim6.exe
     C:\Program Files\BigFix\BigFix.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\AIM6\aolsoftware.exe
     C:\WINDOWS\explorer.exe
     C:\WINDOWS\system32\notepad.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
     O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
     O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
     O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
     O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
     O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
     O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
     O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
     O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
     O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
     O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
     O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
     O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
     O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
     O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
     O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
     O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
     O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1251683478609
     O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
     O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
     O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
     O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
     O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
     O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
     O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

     --
     End of file - 7508 bytes
  8. ComboFix 09-12-18.03 - Jon 12/19/2009 14:49:01.1.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.232 [GMT -8:00]
     Running from: c:\documents and settings\Jon\Desktop\KittyFix.exe
     FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\recycler\S-1-5-21-1433678514-3411340332-2596020146-1003
     c:\recycler\S-1-5-21-515967899-1580436667-725345543-1003

     Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
     Restored copy from - Kitty ate it
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_IAS
     -------\Legacy_WINSTS

     ((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
     .
     2009-12-18 03:52 . 2009-12-18 03:52 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes
     2009-12-18 03:52 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-12-18 03:52 . 2009-12-18 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-12-18 03:52 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-12-18 03:52 . 2009-12-18 03:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-12-18 03:04 . 2009-12-18 03:04 -------- d--h--w- c:\windows\PIF
     2009-12-18 02:58 . 2009-12-18 02:58 -------- d-----w- c:\program files\Trend Micro
     2009-12-14 05:37 . 2009-12-14 05:37 -------- d-----w- c:\windows\system32\scripting
     2009-12-14 05:37 . 2009-12-14 05:37 -------- d-----w- c:\windows\l2schemas
     2009-12-14 05:37 . 2009-12-14 05:37 -------- d-----w- c:\windows\system32\en
     2009-12-08 23:49 . 2009-12-16 22:54 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Temp
     2009-12-08 23:45 . 2009-12-08 23:51 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Google
     2009-11-26 06:00 . 2009-11-26 07:02 -------- d-----w- c:\documents and settings\Jon\Application Data\Move Networks
     2009-11-20 08:19 . 2009-11-20 08:24 -------- d-----w- c:\documents and settings\Allan\Application Data\Move Networks
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-12-19 00:25 . 2004-05-12 09:55 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
     2009-12-15 01:12 . 2009-09-02 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
     2009-12-14 05:50 . 2004-05-12 09:50 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
     2009-12-14 05:04 . 2009-10-24 05:38 -------- d-----w- c:\documents and settings\Jon\Application Data\AdobeUM
     2009-12-09 11:09 . 2009-10-28 10:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
     2009-11-20 08:44 . 2009-09-02 03:29 70264 ----a-w- c:\documents and settings\Allan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-11-20 08:20 . 2009-11-20 08:20 127872 ----a-w- c:\documents and settings\Allan\Application Data\Move Networks\uninstall.exe
     2009-11-20 08:19 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Allan\Application Data\Move Networks\plugins\npqmp071503000010.dll
     2009-11-16 18:59 . 2009-09-02 04:08 70264 ----a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-11-07 10:37 . 2009-11-07 10:37 -------- d-----w- c:\program files\MSBuild
     2009-11-07 10:37 . 2009-11-07 10:37 -------- d-----w- c:\program files\Reference Assemblies
     2009-11-07 10:30 . 2009-11-07 10:30 -------- d-----w- c:\program files\MSXML 6.0
     2009-11-03 08:26 . 2004-05-12 10:19 -------- d-----w- c:\program files\Microsoft Works
     2009-10-29 07:46 . 2006-06-23 18:33 832512 ----a-w- c:\windows\system32\wininet.dll
     2009-10-29 07:46 . 2009-09-01 20:46 78336 ------w- c:\windows\system32\ieencode.dll
     2009-10-29 07:46 . 2004-05-12 09:42 17408 ------w- c:\windows\system32\corpol.dll
     2009-10-28 11:31 . 2009-10-28 09:40 -------- d-----w- c:\documents and settings\Jon\Application Data\GetRightToGo
     2009-10-28 09:25 . 2009-10-28 09:25 -------- d-----w- c:\program files\MSECache
     2009-10-21 05:38 . 2009-09-01 20:46 25088 ----a-w- c:\windows\system32\httpapi.dll
     2009-10-21 05:38 . 2009-09-01 20:45 75776 ----a-w- c:\windows\system32\strmfilt.dll
     2009-10-20 16:20 . 2009-09-01 20:46 265728 ----a-w- c:\windows\system32\drivers\http.sys
     2009-10-13 10:30 . 2006-05-14 09:13 270336 ----a-w- c:\windows\system32\oakley.dll
     2009-10-12 13:38 . 2004-05-12 09:43 149504 ----a-w- c:\windows\system32\rastls.dll
     2009-10-12 13:38 . 2004-05-12 09:43 79872 ----a-w- c:\windows\system32\raschap.dll
     2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
     2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
     2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
     2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
     2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
     2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
     2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
     2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968] "Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-08 135664] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CHotkey"="zHotkey.exe" [2003-06-03 496640] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-23 71280] "NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 124096] "SunKistEM"="c:\program files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 135168] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-01 149280] "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-09-01 95960] "OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464] "OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696] BigFix.lnk - c:\program files\BigFix\BigFix.exe [2004-5-12 1742384] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program 
Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= R3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [x] S1 SandBox;SandBox;c:\windows\System32\drivers\SandBox.sys [2009-04-06 704384] S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2009-04-28 1195008] S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652] S3 afw;Agnitum firewall driver;c:\windows\system32\DRIVERS\afw.sys [2009-02-19 31128] S3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-02-10 257432] . ------- Supplementary Scan ------- . uStart Page = hxxp://www.emachines.com/ uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/ uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\yodx80lh.default\ FF - prefs.js: browser.search.selectedEngine - Yahoo FF - plugin: c:\documents and settings\Allan\Application Data\Move Networks\plugins\npqmp071503000010.dll FF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . 
- - - - ORPHANS REMOVED - - - - HKU-Default-Run-notepad - c:\windows\system32\config\SYSTEM~1\ntload.dll ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-12-19 15:06 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2432) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\progra~1\COMMON~1\AOL\ACS\acsd.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Norton AntiVirus\navapsvc.exe c:\program files\Norton AntiVirus\SAVScan.exe c:\windows\wanmpsvc.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\windows\system32\wscntfy.exe c:\windows\zHotkey.exe c:\program files\iPod\bin\iPodService.exe c:\program files\AIM6\aolsoftware.exe . ************************************************************************** . 
Completion time: 2009-12-19 15:16:05 - machine was rebooted ComboFix-quarantined-files.txt 2009-12-19 23:16 Pre-Run: 27,159,076,864 bytes free Post-Run: 28,998,504,448 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn - - End Of File - - AAE241DC310C6D7947C5494AE71BC32A
  9. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:27:13 PM, on 12/19/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16945) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\zHotkey.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\eMachines Bay Reader\shwiconem.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\AIM6\aim6.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\BigFix\BigFix.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll O4 - HKLM\..\Run: [CHotkey] zHotkey.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT" O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - 
HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\WINDOWS\TEMP\dhndbye42s.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntload.dll,_IWMPEvents@0 (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1251683478609 O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O20 - AppInit_DLLs: 
c:\progra~1\agnitum\outpos~1\wl_hook.dll O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 7999 bytes
  10. Malwarebytes' Anti-Malware 1.42
      Database version: 3383
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 7.0.5730.13

      12/19/2009 2:08:25 PM
      mbam-log-2009-12-19 (14-08-25).txt

      Scan type: Quick Scan
      Objects scanned: 119828
      Time elapsed: 47 minute(s), 10 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 1

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\Documents and Settings\Allan\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
  11. The MBAM instructions from myantispyware.com?
  12. DDS (Ver_09-12-01.01) - NTFSx86 Run by Jon at 23:04:11.39 on Thu 12/17/2009 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.36 [GMT -8:00] FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\zHotkey.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\eMachines Bay Reader\shwiconem.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\BigFix\BigFix.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Jon\Desktop\dds.pif ============== Pseudo HJT Report =============== uStart Page = hxxp://www.emachines.com/ uSearch Bar = hxxp://www.google.com/ie uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/ uInternet Settings,ProxyOverride = *.local uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program 
files\aim search\AOLSearch.dll mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [Google Update] "c:\documents and settings\jon\local settings\application data\google\update\GoogleUpdate.exe" /c mRun: [CHotkey] zHotkey.exe mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe" mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [NAV CfgWiz] c:\program files\common files\symantec shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT" mRun: [sunKistEM] c:\program files\emachines bay reader\shwiconem.exe mRun: [<NO NAME>] mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" dRun: [notepad] rundll32.exe c:\windows\system32\config\system~1\ntload.dll,_IWMPEvents@0 dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\dhndbye42s.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk 
- c:\program files\bigfix\BigFix.exe mPolicies-system: EnableLUA = 0 (0x0) dPolicies-explorer: NoSetActiveDesktop = 1 (0x1) dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) dPolicies-system: DisableTaskMgr = 1 (0x1) IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000 IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251683478609 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: igfxcui - igfxsrvc.dll AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\jon\applic~1\mozilla\firefox\profiles\yodx80lh.default\ FF - plugin: c:\documents and 
settings\allan\application data\move networks\plugins\npqmp071503000010.dll FF - plugin: c:\documents and settings\jon\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-9-1 31128] R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-9-1 257432] =============== Created Last 30 ================ 2009-12-18 03:52:19 0 d-----w- c:\docume~1\jon\applic~1\Malwarebytes 2009-12-18 03:52:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-18 03:52:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-12-18 03:52:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-12-18 03:52:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-12-18 03:04:23 0 d--h--w- c:\windows\PIF 2009-12-18 02:58:55 0 d-----w- c:\program files\Trend Micro 2009-12-14 05:37:39 0 d-----w- c:\windows\system32\scripting 2009-12-14 05:37:21 0 d-----w- c:\windows\l2schemas 2009-12-14 05:37:15 0 d-----w- c:\windows\system32\en ==================== Find3M ==================== 2009-10-29 07:46:59 
832512 ----a-w- c:\windows\system32\wininet.dll 2009-10-29 07:46:52 78336 ------w- c:\windows\system32\ieencode.dll 2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll 2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys 2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll 2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll 2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll 2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll 2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll 2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll 2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll ============= FINISH: 23:51:20.65 ===============
  13. Hey screen317, I wish I had seen your post before I proceeded with the help I was given by someone who had a similar problem. Now I'm having new problems with redirecting links on Google and others.
  14. Hello everyone! I'm in some trouble with a problem on my computer. Nothing yet has happened but there is a prompt on my desktop during startup warning me about imminent problems. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:59:22 PM, on 12/17/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16945) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\zHotkey.exe C:\WINDOWS\system32\winupdate86.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\eMachines Bay Reader\shwiconem.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\AIM6\aim6.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\BigFix\BigFix.exe C:\DOCUME~1\Jon\LOCALS~1\Temp\taskmgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\DOCUME~1\Jon\LOCALS~1\Temp\setup.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Trend 
Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: C:\WINDOWS\system32\twxufij.dll - {A5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\twxufij.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\notepad.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\Jon\ntload.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Jon\LOCALS~1\Temp\setup.exe
O4 - HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\WINDOWS\TEMP\dhndbye42s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntload.dll,_IWMPEvents@0 (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1251683478609
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O22 - SharedTaskScheduler: ujhsf879fiosdfhgs98fudifmnddfdfd - {A5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\twxufij.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 9024 bytes
  15. Hey screen317, I bought an external hard drive to back up my files and just restored my whole computer. Thank you for the help. What programs should I dl to avoid having this happen to me again?