
Mike_Stock

Everything posted by Mike_Stock

  1. Thank you for the reply. I haven't been on it very much since the "repairs" but so far I am not experiencing anything out of the ordinary. I haven't taken the time to re-install the antivirus programs. Since I wanted to ensure a clean system repair, I removed the Spy-Bot, Norton Internet Security (trial) and AVG. Tomorrow I will do the reinstalls of AVG and Spybot(?). Seems that the rootkit (if that is what my computer had) was impervious to all of those programs. I really appreciate all of your work helping me - Thanks again!
  2. Here are the 3 logs you requested. I successfully completed the process as stated above. However, after I deleted the profile folder as described, the program would not close, so I uninstalled Firefox and downloaded/installed a new version. Several notes: There were no "Yoog" entries to be found in Firefox when doing the about:config... and I am still seeing "Performance Solution Worldadmarketplace" as a program installed within Add/Remove Programs. I originally thought this is where the problems originated - I have never been able to manually remove it. I guess the logs you see will help tell the story. Thank you again.
  3. I really appreciate your help with this. I also am new with this forum and am wondering how best to locate my topic once I leave the website. Anyway, here are the two logs - after the ComboFix program ran, the Spybot resident program (TeaTimer?) popped up even though I thought I disabled it with MSCONFIG on startup. I hope this didn't skew the results.
Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe C:\WINDOWS\System32\Tablet.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\explorer.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm R3 - URLSearchHook: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {2ED02B85-7A1C-46C3-A63D-2907408F5C49} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file) O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL O2 - BHO: (no name) - {7B31D049-AF36-8912-D1FB-D97CEB62C065} - (no file) O2 - BHO: (no name) - {a3201de9-9f6e-eb29-d026-2feb0a9497e9} - (no file) O2 - BHO: (no name) - {D6893D1B-3172-44E2-B853-9B2537EFB2ED} - (no file) O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: Evernote.lnk = C:\Documents and Settings\Lauren\Application Data\U3\42553013EC81BD56\0D025345-1033-4F35-A5CE-68CDCDE6CC03\Exec\EvernoteTray.exe O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Gamma 
Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Microsoft Inet Service2 - Unknown owner - C:\WINDOWS\system32\__svchost.exe (file missing) O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe O23 - Service: SymantecAntiBotAgent - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe O23 - Service: SymantecAntiBotWatcher - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe O23 - Service: TabletService - Wacom Technology, Corp. 
- C:\WINDOWS\System32\Tablet.exe O24 - Desktop Component 0: (no name) - file://C:\Documents and Settings\Lauren Stock\My Documents\My Pictures\wallpaper_01_800.jpg -- End of file - 5799 bytes Thank you again. Sincerely,
  4. Thank you for your reply. I understand your situation, and thank the volunteers as well. I believe the only issue I am having now is the YOOG search engine that keeps appearing in Firefox 3.0.6. and the (?) Worldadmarketplace pop ups that keep appearing randomly. I looked in the add/remove programs list and there is a button that supposedly removes the program but then a box pops up to enter a CODE to complete the uninstall - and the program keeps reappearing anyway. The popups are the same ones others have mentioned for antivirus software, computer at risk etc. I just installed the Norton Internet Security 2009 and the Norton AntiBot software programs which supposedly remove rootkits, but they don't even recognize the problems. BTW, what is a PM? Thank you, MJS
  5. I don't seem to be getting any help here. Am I posting correctly? Not sure what to do next....
  6. I don't seem to be getting any help here. Am I posting correctly? Not sure what to do next....
  7. I followed the recommendations below from Tigger93 (similar issue from another post concerning malware.trace / vundo) and then ran ComboFix.exe. Below is also the ComboFix.txt file - THANKS!!!

From "Tigger93"

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

* Open Spybot Search & Destroy.
* In the Mode menu click "Advanced mode" if not already selected.
* Choose "Yes" at the Warning prompt.
* Expand the "Tools" menu.
* Click "Resident".
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* In the File menu click "Exit" to exit Spybot Search & Destroy.

COMBOFIX LOG:

ComboFix 09-02-05.04 - Lauren 2009-02-06 9:14:27.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.166 [GMT -7:00]
Running from: c:\documents and settings\Lauren\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\QMGR0.DAT
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\QMGR1.DAT
c:\documents and settings\Lauren\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\start.exe
c:\windows\system32\fxtpkgel.ini
c:\windows\system32\gnfrqlhg.ini
c:\windows\system32\imjnlhuu.ini
c:\windows\system32\mpsru.ini
c:\windows\system32\mpsru.ini2
c:\windows\system32\prdnmyos.ini
c:\windows\system32\rtc.dat
c:\windows\system32\RunOnce.tmp
c:\windows\system32\twhpsoqa.ini
c:\windows\system32\xaagjulv.ini
c:\windows\Web\default.htt
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.
2009-02-06 09:09 . 2009-02-05 06:06 <DIR> d-------- C:\32788R22FWJFW
2009-02-06 08:43 . 2009-02-06 08:43 <DIR> d-------- c:\program files\Trend Micro
2009-02-05 14:29 . 2009-02-05 14:29 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-05 14:29 . 2009-02-05 14:29 <DIR> d-------- c:\documents and settings\Lauren\Application Data\Malwarebytes
2009-02-05 14:29 . 2009-02-05 14:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-05 14:29 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-05 14:29 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-05 13:39 . 2009-02-05 13:39 <DIR> d-------- c:\documents and settings\Lauren\Application Data\U3
2009-02-03 20:37 . 2009-02-04 19:16 33,504 --a------ c:\documents and settings\Lauren Stock\Application Data\GDIPFONTCACHEV1.DAT
2009-02-03 19:47 . 2009-02-03 19:47 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-02-03 19:47 . 2009-02-03 19:47 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-02-03 19:47 . 2009-02-03 19:47 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-03 19:47 . 2009-02-03 19:47 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-02-02 21:18 . 2009-02-02 21:18 <DIR> dr-h----- C:\$VAULT$.AVG
2009-02-02 16:20 . 2009-02-02 16:20 85,301 --a------ c:\windows\SYSTEM32\cont_worldadmarketplace-remove.exe
2009-02-02 16:20 . 2009-02-02 16:20 48,266 --a------ c:\windows\SYSTEM32\nmuonjdygdte.exe
2009-02-01 16:19 . 2009-02-01 16:19 <DIR> d-------- c:\documents and settings\Lauren\Application Data\cogad
2009-02-01 13:22 . 2009-02-01 13:22 <DIR> d-------- c:\program files\Common Files\eSellerate
2009-02-01 13:21 . 2009-02-01 13:21 <DIR> d---s---- c:\documents and settings\All Users\Application Data\Memeo
2009-01-30 13:36 . 2009-01-30 13:36 <DIR> d-------- c:\windows\SYSTEM32\NtmsData
2009-01-30 13:28 . 2009-01-30 13:28 <DIR> d-------- c:\documents and settings\Lauren\Application Data\IM
2009-01-30 13:28 . 2009-01-30 13:28 <DIR> d-------- c:\documents and settings\Lauren\Application Data\Chaos Software
2009-01-30 13:28 . 2009-01-30 13:28 <DIR> d-------- c:\documents and settings\Lauren\Application Data\ArcSoft
2009-01-30 13:28 . 2009-01-30 13:28 <DIR> d-------- c:\documents and settings\Lauren\Application Data\AOL
2009-01-30 13:28 . 2009-01-30 13:28 <DIR> d-------- c:\documents and settings\Lauren\Application Data\AdobeUM
2009-01-30 12:33 . 2009-01-30 12:33 <DIR> d-------- c:\documents and settings\Lauren\Application Data\Apple Computer
2009-01-30 12:31 . 2009-01-30 12:31 <DIR> d-------- c:\documents and settings\Lauren\Application Data\AVG7
2009-01-30 12:31 . 2009-01-30 12:31 <DIR> d-------- c:\documents and settings\Lauren

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 17:07 685,568 ----a-w c:\windows\SYSTEM32\nsg7D.dll
2007-12-17 01:27 0 --sha-w c:\documents and settings\Lauren Stock\Application Data\GDIPFONTCACHEV1f4f8b428701e9add05e927ac.dat
2007-01-21 05:39 946,208 ---ha-r c:\documents and settings\Lauren Stock\USER.DAT
2006-05-11 18:04 266 --sh--w c:\program files\desktop.ini
2006-05-11 18:04 11,079 ---h--w c:\program files\folder.htt
2008-12-29 17:07 654,336 ----a-w c:\program files\mozilla firefox\components\nsworldadmarketplace.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a3201de9-9f6e-eb29-d026-2feb0a9497e9}]
2008-12-29 10:07 685568 --a------ c:\windows\system32\nsg7D.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"LoadPowerProfile"="powrprof.dll" [2004-08-04 c:\windows\SYSTEM32\powrprof.dll]
"LoadQM"="loadqm.exe" [2000-05-03 c:\windows\LOADQM.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-01-08 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\SYSTEM32\WTablet\TabUserW.exe [2007-07-17 114688]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-11 113664]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file://c:\documents and settings\Lauren Stock\My Documents\My Pictures\wallpaper_01_800.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cvjshz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus G Configuration Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus G Configuration Utility.lnk
backup=c:\windows\pss\D-Link AirPlus G Configuration Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quote for the Day.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quote for the Day.lnk
backup=c:\windows\pss\Quote for the Day.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lauren Stock^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Lauren Stock\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lauren^Start Menu^Programs^Startup^Memeo AutoSync Launcher.lnk]
path=c:\documents and settings\Lauren\Start Menu\Programs\Startup\Memeo AutoSync Launcher.lnk
backup=c:\windows\pss\Memeo AutoSync Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:56 1667584 c:\program files\messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AOL Fast Start"="c:\program files\AMERICA ONLINE 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TaskMonitor"=c:\windows\taskmon.exe
"AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
"SystemTray"=SysTray.ExE
"KodakCCS"=c:\windows\System32\Drivers\KodakCCS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AOL TopSpeedMonitor"=c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
"AolAcsDaemon1"="c:\program files\COMMON FILES\AOL\ACS\AOLACSD.EXE"
"KB918547"=c:\windows\SYSTEM\KB918547\KB918547.EXE
"KB891711"=c:\windows\SYSTEM\KB891711\KB891711.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\onenote.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\SYSTEM32\DRIVERS\MRV8K51.sys [2007-10-28 256896]
S2 Microsoft Inet Service2;Microsoft Inet Service2;c:\windows\system32\__svchost.exe -A --> c:\windows\system32\__svchost.exe -A [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fd50440-cd38-11dd-840a-000f3d40fb64}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fd50441-cd38-11dd-840a-000f3d40fb64}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MYPROG~1\CHAOSS~1\Chaos7\chaos7.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f3886e0-d17f-11dd-8410-000f3d40fb64}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MYPROG~1\CHAOSS~1\Chaos7\chaos7.exe
.
Contents of the 'Scheduled Tasks' folder

2007-07-12 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\SpyEraser\SpyEraser.exe []

2008-06-26 c:\windows\Tasks\Uniblue SpyEraser Nag.job
- c:\program files\SpyEraser\SpyEraser.exe []

2007-08-05 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2009-02-05 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{2ED02B85-7A1C-46C3-A63D-2907408F5C49} - (no file)
BHO-{7B31D049-AF36-8912-D1FB-D97CEB62C065} - (no file)
BHO-{D6893D1B-3172-44E2-B853-9B2537EFB2ED} - (no file)
ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_05\bin\jusched.exe
MSConfigStartUp-0b251156 - c:\windows\system32\oyxjsrdn.dll
MSConfigStartUp-AOL Fast Start - c:\program files\America Online 9.0\AOL.EXE
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1187914058\ee\AOLSoftware.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\MCAFEE.COM\AGENT\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
MSConfigStartUp-Microsft Windows Adapter 5.1 - c:\documents and settings\Lauren Stock\Application Data\frltmsxcqlf.exe
MSConfigStartUp-MPFExe - c:\program files\mcafee.com\personal firewall\MPfTray.exe
MSConfigStartUp-nmchwrqipxe - c:\windows\system32\lwxyfcpyoglfpke.dll
MSConfigStartUp-VirusScan Online - c:\progra~1\MCAFEE.COM\VSO\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\MCAFEE.COM\VSO\MCMNHDLR.EXE

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.neopets.com/portal/
mLocal Page = c:\windows\SYSTEM\blank.htm
mWindow Title = Microsoft Internet Explorer provided by America Online
uInternet Settings,ProxyOverride = <local>
IE: &AOL Toolbar search - c:\program files\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Lauren\Application Data\Mozilla\Firefox\Profiles\o3ldabv2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www13.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www13.yoog.com/search.php?q=
FF - component: c:\program files\Mozilla Firefox\components\nsworldadmarketplace.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www13.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www13.yoog.com/search.php?q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 09:23:21
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\GRISOFT\AVG7\AVGCC.EXE
c:\program files\GRISOFT\AVG7\AVGAMSVR.EXE
c:\program files\GRISOFT\AVG7\AVGUPSVC.EXE
c:\program files\GRISOFT\AVG7\AVGEMC.EXE
c:\windows\SYSTEM32\TABLET.EXE
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\program files\IPOD\BIN\IPODSERVICE.EXE
.
**************************************************************************
.
Completion time: 2009-02-06 9:27:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-06 16:27:30

Pre-Run: 3,473,145,856 bytes free
Post-Run: 3,462,414,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect

244
  8. Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:34 AM, on 2/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/portal/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2ED02B85-7A1C-46C3-A63D-2907408F5C49} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: (no name) - {7B31D049-AF36-8912-D1FB-D97CEB62C065} - (no file)
O2 - BHO: worldadmarketplace - {a3201de9-9f6e-eb29-d026-2feb0a9497e9} - C:\WINDOWS\system32\nsg7D.dll
O2 - BHO: (no name) - {D6893D1B-3172-44E2-B853-9B2537EFB2ED} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Evernote.lnk = C:\Documents and Settings\Lauren\Application Data\U3\42553013EC81BD56\0D025345-1033-4F35-A5CE-68CDCDE6CC03\Exec\EvernoteTray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1227845428969
O20 - AppInit_DLLs: cvjshz.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Inet Service2 - Unknown owner - C:\WINDOWS\system32\__svchost.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - file://C:\Documents and Settings\Lauren Stock\My Documents\My Pictures\wallpaper_01_800.jpg

--
End of file - 6910 bytes

*********************************

Malware Log after removal of virus:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

2/6/2009 8:41:27 AM
mbam-log-2009-02-06 (08-41-27).txt

Scan type: Quick Scan
Objects scanned: 57047
Time elapsed: 25 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thank you for your help!!!