Jump to content

mercgt73

Members
 View Profile  See their activity

  • Posts

    6

  • Joined

  • Last visited

Reputation

0 Neutral
  1. mercgt73
    Kenny, thank you very much for all of your help! I don't know if you are getting recognized by offering this kind of quality and punctual assistance, but you should be! Thanks again and I wish you the best of luck. -Rusty
  2. mercgt73
    I ran the AVG utility, then ran the script onto ComboFix. Everything seemed to work, except after ComboFix, the computer did not reboot, but left my in a wallpaper only desktop. So I rebooted manually. Here is my latest HJT log, Uninstall List and ComboFix log. Thanks again, HJT Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:04:39 PM, on 8/20/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\carpserv.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\notepad.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200336398048 O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe -- End of file - 4442 bytes Uninstall List Ad-Aware SE Personal Adobe Flash Player ActiveX ATI Control Panel ATI Display Driver Avira AntiVir Personal - Free Antivirus Big Fish Games Client CCleaner (remove only) HighMAT Extension to Microsoft Windows XP CD Writing Wizard HijackThis 2.0.2 Hotfix for Windows Internet Explorer 7 (KB947864) HP Image Zone 3.5 HP Photo and Imaging 2.0 - Deskjet Series hp print screen utility InterActual Player Java 2 Runtime Environment Standard Edition v1.3.1 Java 2 Runtime Environment Standard Edition v1.3.1_02 Malwarebytes' Anti-Malware Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Data Access Components KB870669 Microsoft Internationalized Domain Names Mitigation APIs Microsoft Money 2004 Microsoft Money 2004 System Pack Microsoft National Language Support Downlevel APIs Microsoft Office Professional Edition 2003 Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Web Publishing Wizard 1.52 Microsoft Works 7.0 Mozilla Firefox (3.5.2) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) Quickstart American Sign Language RealPlayer Basic Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 8 (KB969897) Security Update for Windows Internet Explorer 8 (KB972260) Security Update for Windows Media Player (KB973540) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973869) Shanghai II Shockwave SoftK56 Data Fax CARP SoundMAX Spybot - Search & Destroy Super Collapse! 3 Synaptics Pointing Device Driver The Print Shop 22 The Sultan's Labyrinth Update for Windows Internet Explorer 8 (KB968220) Update for Windows XP (KB968389) Update for Windows XP (KB973815) Viewpoint Media Player Winamp (remove only) Windows Backup Utility Windows Internet Explorer 8 Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 Windows XP Service Pack 3 WinRAR archiver WLAN Utility ComboFix log ComboFix 09-08-19.0C - ODStore 08/20/2009 18:45.2.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.147 [GMT -4:00] Running from: c:\documents and settings\ODStore\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\ODStore\Desktop\CFScript.txt AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} FILE :: "c:\program files\temp01" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\temp01 . ((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 ))))))))))))))))))))))))))))))) . 2009-08-20 11:02 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll 2009-08-20 11:02 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll 2009-08-20 11:02 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll 2009-08-20 11:02 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys 2009-08-18 01:45 . 2009-08-18 01:45 -------- d-----w- c:\program files\Trend Micro 2009-08-18 01:40 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-08-18 01:40 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys 2009-08-18 01:40 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2009-08-18 01:40 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2009-08-18 01:40 . 2009-08-18 01:40 -------- d-----w- c:\program files\Avira 2009-08-18 01:40 . 2009-08-18 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2009-08-18 01:28 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll 2009-08-17 21:55 . 2009-08-17 21:55 -------- d-----w- c:\documents and settings\ODStore\Application Data\Malwarebytes 2009-08-17 21:51 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-17 21:51 . 2009-08-17 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-08-17 21:51 . 2009-08-17 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-08-17 21:51 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-08-17 21:15 . 2009-08-17 21:15 -------- d-----w- c:\documents and settings\ODStore\Local Settings\Application Data\Mozilla 2009-08-17 21:09 . 2009-08-17 21:09 -------- d-----w- c:\documents and settings\Administrator.M5312\Local Settings\Application Data\Mozilla 2009-08-17 20:32 . 2009-08-17 20:32 -------- d-sh--w- c:\documents and settings\Administrator.M5312\PrivacIE 2009-08-17 19:09 . 2009-08-17 19:09 -------- d-sh--w- c:\documents and settings\Administrator.M5312\IETldCache 2009-08-17 18:54 . 2009-08-17 18:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-08-17 18:54 . 2009-08-17 18:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2009-08-13 00:52 . 2009-08-17 22:54 -------- d-----w- c:\program files\Common Files\Uninstall 2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll 2009-07-31 03:25 . 2002-08-29 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys 2009-07-31 03:25 . 2002-08-29 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys 2009-07-31 02:04 . 2009-07-31 02:04 -------- d-----w- c:\program files\AVG 2009-07-31 01:18 . 2009-07-31 02:15 -------- d-----w- c:\program files\Enigma Software Group 2009-07-31 00:53 . 2009-07-31 00:53 -------- d-----w- c:\windows\system32\wbem\Repository . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-18 01:09 . 2004-06-30 22:34 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-08-18 01:09 . 2004-06-30 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-08-12 23:27 . 2004-04-01 11:51 346440 ----a-w- c:\documents and settings\ODStore\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-05 09:01 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-31 16:04 . 2007-09-14 01:23 -------- d-----w- c:\program files\CCleaner 2009-07-31 00:52 . 2009-07-11 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-07-31 00:51 . 2009-07-31 00:51 -------- d-----w- c:\program files\Analog Devices 2009-07-17 19:01 . 2003-06-10 15:38 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-14 03:43 . 2003-06-10 16:23 286208 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-03 17:09 . 2004-08-24 00:32 915456 ----a-w- c:\windows\system32\wininet.dll 2009-06-25 08:25 . 2003-06-10 15:39 54272 ----a-w- c:\windows\system32\wdigest.dll 2009-06-25 08:25 . 2003-06-10 15:39 56832 ----a-w- c:\windows\system32\secur32.dll 2009-06-25 08:25 . 2003-06-10 15:39 147456 ----a-w- c:\windows\system32\schannel.dll 2009-06-25 08:25 . 2003-06-10 15:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-06-25 08:25 . 2003-06-10 15:39 730112 ----a-w- c:\windows\system32\lsasrv.dll 2009-06-25 08:25 . 2003-06-10 15:39 301568 ----a-w- c:\windows\system32\kerberos.dll 2009-06-24 11:18 . 2003-06-10 15:39 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2009-06-16 14:36 . 2003-06-10 15:39 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:36 . 2003-06-10 15:39 81920 ----a-w- c:\windows\system32\fontsub.dll 2009-06-12 12:31 . 2003-06-10 15:39 76288 ----a-w- c:\windows\system32\telnet.exe 2009-06-10 14:13 . 2003-06-10 15:38 84992 ----a-w- c:\windows\system32\avifil32.dll 2009-06-10 13:19 . 2003-06-10 15:51 2066432 ----a-w- c:\windows\system32\mstscax.dll 2009-06-10 06:14 . 2003-06-10 15:39 132096 ----a-w- c:\windows\system32\wkssvc.dll 2009-06-03 19:09 . 2003-05-30 16:00 1291264 ----a-w- c:\windows\system32\quartz.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-01-10 126976] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-01-10 581632] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-10-26 77824] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "CARPService"="carpserv.exe" - c:\windows\system32\carpserv.exe [2003-03-06 4608] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk backup=c:\windows\pss\BigFix.lnkCommon Startup [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/17/2009 9:40 PM 108289] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . . ------- Supplementary Scan ------- . uStart Page = uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\ODStore\Application Data\Mozilla\Firefox\Profiles\8yww0ldt.default\ FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava11.dll FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava12.dll FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava131.dll FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava32.dll FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPOJI600.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-20 18:51 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2009-08-20 18:54 ComboFix-quarantined-files.txt 2009-08-20 22:54 ComboFix2.txt 2009-08-20 12:07 Pre-Run: 49,596,149,760 bytes free Post-Run: 49,584,766,976 bytes free 175 --- E O F --- 2009-08-20 11:37
  3. mercgt73
    Ok, here is my current ComboFix log and HJT log. After the ComboFix initiated reboot, Avira found a Trojan, so I instructed the program to delete it, even though ComboFix said not to run any other programs. It seemed to work, no errors. Thanks again, HJT Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:38:12 AM, on 8/20/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\carpserv.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200336398048 O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe -- End of file - 4524 bytes ComboFix ComboFix 09-08-19.06 - ODStore 08/20/2009 7:53.1.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.103 [GMT -4:00] Running from: c:\documents and settings\ODStore\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\ODStore\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\recycler\NPROTECT c:\recycler\S-1-5-21-1188719606-1815949971-1463336672-1003 c:\recycler\S-1-5-21-1292428093-764733703-1060284298-1003 c:\recycler\S-1-5-21-1353101184-2414000307-2877806252-1003 c:\recycler\S-1-5-21-2005076353-2828285957-2544180883-1003 c:\recycler\S-1-5-21-249990428-3760129390-424924554-1003 c:\recycler\S-1-5-21-2799782368-829724601-3727786964-1003 c:\recycler\S-1-5-21-3392724523-1029035021-2406894538-1003 c:\recycler\S-1-5-21-3916543943-3893865692-4080336539-1003 c:\recycler\S-1-5-21-3927235333-1558023378-2782334703-1003 c:\recycler\S-1-5-21-3967053486-2975820156-2338057258-1003 c:\recycler\S-1-5-21-4256353512-1019056049-1035633023-1003 c:\recycler\S-1-5-21-523428044-3609864676-145746652-1003 c:\recycler\S-1-5-21-535497346-4159974200-2392624545-1003 c:\recycler\S-1-5-21-657033933-3589060671-1351068774-1003 c:\recycler\S-1-5-21-835042311-4268940468-7332569-1003 c:\recycler\S-1-5-21-997517131-3387171402-1561185805-1003 c:\windows\desktop c:\windows\Installer\11d7c.msi c:\windows\Installer\123a9.msi c:\windows\Installer\298a7.msi c:\windows\Installer\30b79.msp c:\windows\Installer\a9033.msp c:\windows\Installer\cf51.msi c:\windows\Installer\db77c.msi c:\windows\system32\_000012_.tmp.dll c:\windows\system32\drivers\ndisrd.sys c:\windows\system32\ndisapi.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NDISRD -------\Legacy_UACd.sys -------\Service_NDISRD -------\Service_UACd.sys ((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 ))))))))))))))))))))))))))))))) . 2009-08-20 11:02 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll 2009-08-20 11:02 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll 2009-08-20 11:02 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll 2009-08-20 11:02 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys 2009-08-18 01:45 . 2009-08-18 01:45 -------- d-----w- c:\program files\Trend Micro 2009-08-18 01:40 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-08-18 01:40 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys 2009-08-18 01:40 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2009-08-18 01:40 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2009-08-18 01:40 . 2009-08-18 01:40 -------- d-----w- c:\program files\Avira 2009-08-18 01:40 . 2009-08-18 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2009-08-18 01:28 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll 2009-08-17 21:55 . 2009-08-17 21:55 -------- d-----w- c:\documents and settings\ODStore\Application Data\Malwarebytes 2009-08-17 21:51 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-17 21:51 . 2009-08-17 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-08-17 21:51 . 2009-08-17 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-08-17 21:51 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-08-17 21:15 . 2009-08-17 21:15 -------- d-----w- c:\documents and settings\ODStore\Local Settings\Application Data\Mozilla 2009-08-17 21:09 . 2009-08-17 21:09 -------- d-----w- c:\documents and settings\Administrator.M5312\Local Settings\Application Data\Mozilla 2009-08-17 20:32 . 2009-08-17 20:32 -------- d-sh--w- c:\documents and settings\Administrator.M5312\PrivacIE 2009-08-17 19:09 . 2009-08-17 19:09 -------- d-sh--w- c:\documents and settings\Administrator.M5312\IETldCache 2009-08-17 18:54 . 2009-08-17 18:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-08-17 18:54 . 2009-08-17 18:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2009-08-13 00:52 . 2009-08-17 22:54 -------- d-----w- c:\program files\Common Files\Uninstall 2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll 2009-07-31 03:25 . 2002-08-29 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys 2009-07-31 03:25 . 2002-08-29 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys 2009-07-31 02:04 . 2009-07-31 02:04 -------- d-----w- c:\program files\AVG 2009-07-31 01:18 . 2009-07-31 02:15 -------- d-----w- c:\program files\Enigma Software Group 2009-07-31 00:53 . 2009-07-31 00:53 -------- d-----w- c:\windows\system32\wbem\Repository . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-18 01:09 . 2004-06-30 22:34 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-08-18 01:09 . 2004-06-30 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-08-12 23:27 . 2004-04-01 11:51 346440 ----a-w- c:\documents and settings\ODStore\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-05 09:01 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-31 16:04 . 2007-09-14 01:23 -------- d-----w- c:\program files\CCleaner 2009-07-31 00:52 . 2009-07-11 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-07-31 00:51 . 2009-07-31 00:51 -------- d-----w- c:\program files\Analog Devices 2009-07-17 19:01 . 2003-06-10 15:38 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-14 03:43 . 2003-06-10 16:23 286208 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-03 17:09 . 2004-08-24 00:32 915456 ----a-w- c:\windows\system32\wininet.dll 2009-06-25 08:25 . 2003-06-10 15:39 54272 ----a-w- c:\windows\system32\wdigest.dll 2009-06-25 08:25 . 2003-06-10 15:39 56832 ----a-w- c:\windows\system32\secur32.dll 2009-06-25 08:25 . 2003-06-10 15:39 147456 ----a-w- c:\windows\system32\schannel.dll 2009-06-25 08:25 . 2003-06-10 15:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-06-25 08:25 . 2003-06-10 15:39 730112 ----a-w- c:\windows\system32\lsasrv.dll 2009-06-25 08:25 . 2003-06-10 15:39 301568 ----a-w- c:\windows\system32\kerberos.dll 2009-06-24 11:18 . 2003-06-10 15:39 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2009-06-16 14:36 . 2003-06-10 15:39 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:36 . 2003-06-10 15:39 81920 ----a-w- c:\windows\system32\fontsub.dll 2009-06-12 12:31 . 2003-06-10 15:39 76288 ----a-w- c:\windows\system32\telnet.exe 2009-06-10 14:13 . 2003-06-10 15:38 84992 ----a-w- c:\windows\system32\avifil32.dll 2009-06-10 13:19 . 2003-06-10 15:51 2066432 ----a-w- c:\windows\system32\mstscax.dll 2009-06-10 06:14 . 2003-06-10 15:39 132096 ----a-w- c:\windows\system32\wkssvc.dll 2009-06-03 19:09 . 2003-05-30 16:00 1291264 ----a-w- c:\windows\system32\quartz.dll 2008-06-05 15:03 . 2008-06-05 15:03 0 ----a-w- c:\program files\temp01 . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-01-10 126976] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-01-10 581632] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-10-26 77824] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "CARPService"="carpserv.exe" - c:\windows\system32\carpserv.exe [2003-03-06 4608] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk backup=c:\windows\pss\BigFix.lnkCommon Startup [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/17/2009 9:40 PM 108289] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . - - - - ORPHANS REMOVED - - - - Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) . ------- Supplementary Scan ------- . uStart Page = uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\ODStore\Application Data\Mozilla\Firefox\Profiles\8yww0ldt.default\ FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava11.dll FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava12.dll FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava131.dll FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava32.dll FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPOJI600.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-20 08:02 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2960) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Avira\AntiVir Desktop\avconfig.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-08-20 8:07 - machine was rebooted ComboFix-quarantined-files.txt 2009-08-20 12:07 Pre-Run: 49,542,639,616 bytes free Post-Run: 49,419,096,064 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn 233 --- E O F --- 2009-08-20 11:37
  4. mercgt73
    I followed your instructions. Here is my latest MBAM, HJT and RootRepeal logs. Also, during the MBAM Quick scan, Avira Antivirus found 2 Trojans, so I instructed the program to delete them. Thanks again! MBAM Malwarebytes' Anti-Malware 1.40 Database version: 2658 Windows 5.1.2600 Service Pack 3 8/19/2009 2:52:39 PM mbam-log-2009-08-19 (14-52-39).txt Scan type: Quick Scan Objects scanned: 110189 Time elapsed: 11 minute(s), 10 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\UACrqibmllwyl.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\UACwmqbwexomp.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\UACamrflnmbch.sys (Trojan.Agent) -> Quarantined and deleted successfully. HJT Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:53:42 PM, on 8/19/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\carpserv.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\boom.exe" /runcleanupscript O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200336398048 O20 - AppInit_DLLs: karna.dat O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe -- End of file - 4743 bytes RootRepeal ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/08/19 14:59 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Hidden/Locked Files ------------------- Path: C:\hiberfil.sys Status: Locked to the Windows API!
  5. mercgt73
    Ok, here is my most current MBAM, HJT and RootRepeal logs. Thanks for your help! MBAM Malwarebytes' Anti-Malware 1.40 Database version: 2644 Windows 5.1.2600 Service Pack 3 8/18/2009 5:39:05 PM mbam-log-2009-08-18 (17-39-05).txt Scan type: Quick Scan Objects scanned: 109612 Time elapsed: 7 minute(s), 11 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: \\?\globalroot\systemroot\system32\UACetqxxtpdco.dll (Rogue.Agent) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: \\?\globalroot\systemroot\system32\UACetqxxtpdco.dll (Rogue.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot. HJT Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:40:06 PM, on 8/18/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\carpserv.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\boom.exe" /runcleanupscript O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200336398048 O20 - AppInit_DLLs: karna.dat O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe -- End of file - 4782 bytes RootRepeal ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/08/18 17:54 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Hidden/Locked Files ------------------- Path: C:\hiberfil.sys Status: Locked to the Windows API! Path: C:\WINDOWS\system32\UACetqxxtpdco.dll Status: Invisible to the Windows API! Path: C:\WINDOWS\system32\uacinit.dll Status: Invisible to the Windows API! Path: C:\WINDOWS\system32\UACrqibmllwyl.dat Status: Invisible to the Windows API! Path: C:\WINDOWS\system32\UACwmqbwexomp.dll Status: Invisible to the Windows API! Path: C:\WINDOWS\temp\UAC5a51.tmp Status: Invisible to the Windows API! Path: C:\WINDOWS\system32\drivers\UACamrflnmbch.sys Status: Invisible to the Windows API! Path: C:\Documents and Settings\ODStore\Local Settings\Temp\UACeb36.tmp Status: Invisible to the Windows API! Path: c:\documents and settings\odstore\local settings\application data\mozilla\firefox\profiles\8yww0ldt.default\urlclassifier3.sqlite Status: Size mismatch (API: 25972736, Raw: 25329664) Path: c:\documents and settings\odstore\local settings\application data\mozilla\firefox\profiles\8yww0ldt.default\cache\_cache_001_ Status: Size mismatch (API: 547769, Raw: 542880) Path: c:\documents and settings\odstore\local settings\application data\mozilla\firefox\profiles\8yww0ldt.default\cache\_cache_002_ Status: Size mismatch (API: 393657, Raw: 391948) Path: c:\documents and settings\odstore\local settings\application data\mozilla\firefox\profiles\8yww0ldt.default\cache\_cache_003_ Status: Size mismatch (API: 1068268, Raw: 1006235) Path: C:\Documents and Settings\ODStore\Local Settings\Application Data\Mozilla\Firefox\Profiles\8yww0ldt.default\Cache\3AC1587Cd01 Status: Visible to the Windows API, but not on disk. Path: C:\Documents and Settings\ODStore\Local Settings\Application Data\Mozilla\Firefox\Profiles\8yww0ldt.default\Cache\8028E431d01 Status: Visible to the Windows API, but not on disk. Path: C:\Documents and Settings\ODStore\Local Settings\Application Data\Mozilla\Firefox\Profiles\8yww0ldt.default\Cache\EB5417F0d01 Status: Visible to the Windows API, but not on disk. Path: C:\Documents and Settings\ODStore\Local Settings\Application Data\Mozilla\Firefox\Profiles\8yww0ldt.default\Cache\F6298D07d01 Status: Visible to the Windows API, but not on disk.
  6. mercgt73
    After attempting to remove PAV, I get a persistent infection detected by MBAM. I followed the instructions in the "Im infected thread", so here are my log files. Thank you for your help! Latest mbam log: Malwarebytes' Anti-Malware 1.40 Database version: 2644 Windows 5.1.2600 Service Pack 3 8/17/2009 10:01:49 PM mbam-log-2009-08-17 (22-01-49).txt Scan type: Quick Scan Objects scanned: 109579 Time elapsed: 7 minute(s), 58 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: \\?\globalroot\systemroot\system32\UACetqxxtpdco.dll (Rogue.Agent) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: \\?\globalroot\systemroot\system32\UACetqxxtpdco.dll (Rogue.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot. latest HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:02:44 PM, on 8/17/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\carpserv.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\boom.exe" /runcleanupscript O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200336398048 O20 - AppInit_DLLs: karna.dat O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe -- End of file - 4744 bytes Thanks again for your help! -Rusty
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.