Jump to content

HolyOne

Members
  • Posts

    20
  • Joined

  • Last visited

Everything posted by HolyOne

  1. I made a thread earlier (http://www.malwarebytes.org/forums/index.php?showtopic=11628&st=0&p=58417entry58417) stating that my anti-virus was taking a ridiculous amount of time to complete a regular scan. I also later noticed that basically anything I installed took ages - or simply froze during the scan. For example, I tried to update iTunes - and it took several hours for it to reach completion - and then it froze. This was the case with most other installations. Installations that normally took minutes were taking hours, or simply not finishing. Recently, today in fact, I found that SHUTTING DOWN my anti-virus resolved all these installation problems. Since everything works fine when my AV is shut down, I'm wondering, if I install a new one, will it do the same thing? Or is this an issue confined to my antivirus, which is by the way, Webroot AntiVirus?
  2. Sorry about the ridiculously late reply guys, I've just been extremely busy and have had next to no time available for getting on the computer. I ran the CHKDSK, and it detected one error. Something to do with a 'cluster' or something that it corrected. Sorry, it's Webroot AntiVirus - not SpySweeper. I've also noticed the following recently: - It's not just my Antivirus that takes longer to scan, MBAM is taking a lot longer as well. The quick scan took over 20 minutes, where it used to take around 5. Things like CCleaner are also taking a bit longer than usual. - I notice immense slowdown when installing programs. For example, I was updating iTunes, and not only did the installation take forever, it seemed to stall several times throughout.
  3. The only other Security Software that would be running at the time would be my firewall, Comodo Firewall Pro. I disabled it prior to running the scan - didn't change anything. Webroot Spy Sweeper with Antispyware. I think it's trash, but my dad bought it because it was cheap. Once the subscription ends in a couple months, going to go with a legit AV like Kaspersky.
  4. @ GT: I ran CCleaner prior to a scan, still no luck. @ AdvancedSetup: I pasted that like you said and let it run. Nothing appeared apart from the command console followed shortly by a reboot.
  5. As instructed, I tried to recreate the scan in Developer mode, but upon initializing the scan, I receive this message:
  6. Several FP's detected in one scan. I restored everything that was quarantined after a little investigation. Malwarebytes' Anti-Malware 1.34 Database version: 1785 Windows 5.1.2600 Service Pack 2 2/21/2009 11:08:01 AM mbam-log-2009-02-21 (11-08-01).txt Scan type: Full Scan (C:\|D:\|E:\|) Objects scanned: 152802 Time elapsed: 1 hour(s), 29 minute(s), 46 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 5 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\ad67c8963e1b88073c74c1941a2c\dotnetfx.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\Documents and Settings\louay\Desktop\Converted Files\dotnetfx.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\Program Files\Common Files\Logitech\QCDRV\BIN\InstMed.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wextract.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\dllcache\wextract.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
  7. Well the problem is that this scan typically took, like you said, about an hour every day to complete. All of a sudden, it's ballooned to over 11 hours.
  8. I have this same problem as well. =\
  9. When trying to run MBAM in developer mode, it tells me: Swissarmy failed to load; Error code: 0 or something to that effect.
  10. I'd like to report in that my MBAM has also detected boot.ini as a False Positive. Unfortunately, I was unable to recreate the FP in Developer Mode, so here is the original log: Malwarebytes' Anti-Malware 1.34Database version: 1783Windows 5.1.2600 Service Pack 2 2/21/2009 8:43:42 AMmbam-log-2009-02-21 (08-43-42).txt Scan type: Quick ScanObjects scanned: 49510Time elapsed: 19 minute(s), 43 second(s) Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1 Memory Processes Infected:(No malicious items detected) Memory Modules Infected:(No malicious items detected) Registry Keys Infected:(No malicious items detected) Registry Values Infected:(No malicious items detected) Registry Data Items Infected:(No malicious items detected) Folders Infected:(No malicious items detected) Files Infected:\boot.ini (Trojan.Agent) -> Quarantined and deleted successfully.
  11. I just ran a quick scan with MBAM, and it showed that the file boot.ini is a Trojan.Agent. I quarantined it and then remembered what boot.ini really is, and restored it. Guessing this is a false positive. If it's restored, I won't need to rebuild it yes? Malwarebytes' Anti-Malware 1.34 Database version: 1783 Windows 5.1.2600 Service Pack 2 2/21/2009 8:43:42 AM mbam-log-2009-02-21 (08-43-42).txt Scan type: Quick Scan Objects scanned: 49510 Time elapsed: 19 minute(s), 43 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: \boot.ini (Trojan.Agent) -> Quarantined and deleted successfully.
  12. Well, my antivirus is scheduled to run a complete scan every day at 9:00 PM. Typically, this scan takes around an hour or so to complete every day. However, over the past two days, it's taken over 10 hours, and just this morning, it was over 11 hours and it still had not completed. So basically my question is, is this indicative of malware or something else? Thanks.
  13. I ran Dr. Web's express and complete scans, neither of them detected anything. A quick question, when I'm running scans with MBAM, should I do a Quick Scan or a Full Scan - I ask this because you guys always say run the quick scan. Wouldn't the complete scan be the better option because it's more thorough? Or are there other specific reasons for doing so?
  14. A quick question - when I went to reboot after I turned System Restore off, I got the message, "Please do not turn off or unplug your computer; it will automatically turn off." Apparently, Windows was installing updates, however, this screen appeared for several hours. I decided to take the chance and turn off my computer and everything seems to be fine. I've turned off Automatic Updates for the time. Any idea whats causing this problem? I don't have the time to run a Dr.Web CureIt scan at the moment, but I've done everything else, and here's the new HJT log. I'll post back once I run the Dr.Web scan. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:05:58 PM, on 2/12/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18372) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\Explorer.EXE C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\stsystra.exe C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\WINDOWS\system32\dlcccoms.exe C:\Program Files\Stardock\ObjectDock\ObjectDock.exe C:\Program Files\Styler\Styler.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Program Files\mIRC\mIRC.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [sigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe" O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [LVCOMSX] "C:\WINDOWS\system32\LVCOMSX.EXE" O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [userFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKLM\..\Run: [DLCCCATS] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [sUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe O4 - Startup: Styler.lnk = ? O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.185.184.229/ActiveView.cab O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://kwikwash.dipmap.com/cab/OCXChecker_8120.cab O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://kwikwash.dipmap.com/cab/DownloadFile_8110.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- End of file - 9205 bytes
  15. All I have to say is.. what the hell? You'll see once you look at the MBAM log. I also attached the ComboFix log incase that could be of any help. Malwarebytes' Anti-Malware 1.34 Database version: 1750 Windows 5.1.2600 Service Pack 2 2/11/2009 5:44:33 PM mbam-log-2009-02-11 (17-44-33).txt Scan type: Full Scan (C:\|D:\|E:\|) Objects scanned: 168210 Time elapsed: 40 minute(s), 7 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 6 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\RECYCLER\S-1-5-21-0982818026-0792038349-964117139-9221\service.exe (Trojan.Agent) -> Delete on reboot. C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe (Trojan.Agent) -> Delete on reboot. C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe (Trojan.Agent) -> Delete on reboot. C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe (Backdoor.Bot) -> Delete on reboot. C:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe (Backdoor.Bot) -> Delete on reboot. C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise323.exe (Backdoor.Bot) -> Delete on reboot. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:53:46 PM, on 2/11/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18372) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\stsystra.exe C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\WINDOWS\system32\dllhost.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\Stardock\ObjectDock\ObjectDock.exe C:\Program Files\Styler\Styler.exe C:\WINDOWS\system32\dlcccoms.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\COMODO\COMODO Internet Security\cfpupdat.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [sigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe" O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [LVCOMSX] "C:\WINDOWS\system32\LVCOMSX.EXE" O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [userFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKLM\..\Run: [DLCCCATS] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [sUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe O4 - Startup: Styler.lnk = ? O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.185.184.229/ActiveView.cab O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://kwikwash.dipmap.com/cab/OCXChecker_8120.cab O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://kwikwash.dipmap.com/cab/DownloadFile_8110.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- End of file - 9269 bytes log.txt log.txt
  16. I'm not sure that what Dr. Web found was Malware, as it found the theme I have for my computer, and I've been using it safely for quite a while. As requested, here are the new logs: ComboFix 09-02-10.01 - louay 2009-02-10 15:33:01.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.337 [GMT -7:00] Running from: c:\documents and settings\louay\Desktop\ComboFix.exe AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) FW: Webroot Internet Security Essentials *disabled* * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 ))))))))))))))))))))))))))))))) . 2009-02-08 15:27 . 2009-02-08 15:27 <DIR> d-------- c:\documents and settings\louay\DoctorWeb 2009-02-07 15:04 . 2009-02-07 15:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier 2009-02-07 15:04 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll 2009-02-07 15:04 . 2009-02-07 15:06 4,212 ---h----- c:\windows\system32\zllictbl.dat 2009-02-07 15:02 . 2009-02-07 15:18 <DIR> d-------- c:\windows\Internet Logs 2009-02-05 15:37 . 2009-02-05 15:37 <DIR> d-------- c:\program files\TechSmith 2009-02-05 15:26 . 2009-02-05 15:26 <DIR> d-------- c:\program files\MSBuild 2009-02-05 15:23 . 2009-02-06 22:24 <DIR> d-------- c:\windows\system32\XPSViewer 2009-02-05 15:22 . 2009-02-05 15:22 <DIR> d-------- c:\program files\Reference Assemblies 2009-02-03 15:40 . 2009-02-03 15:40 8,294,454 --a------ c:\windows\startup.bmp 2009-02-03 15:40 . 2006-08-09 20:58 218,624 --a------ c:\windows\system32\uxtheme.backup 2009-02-03 15:31 . 2009-02-06 22:26 <DIR> d-------- c:\windows\VistaMizer 2009-01-31 11:11 . 2009-01-31 11:11 <DIR> d-------- c:\program files\Common Files\Stardock 2009-01-29 18:19 . 2009-01-29 18:19 <DIR> d-------- c:\program files\Puzzle 1500 2009-01-29 18:19 . 2009-01-29 18:19 <DIR> d-------- c:\program files\Managed DirectX (0900) 2009-01-26 16:05 . 2009-01-26 16:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Last.fm 2009-01-26 16:04 . 2009-01-26 16:04 <DIR> d-------- c:\program files\Last.fm 2009-01-26 15:49 . 2009-01-26 15:49 <DIR> d--hs---- c:\documents and settings\louay\IECompatCache 2009-01-26 15:46 . 2009-01-26 15:46 <DIR> d--hs---- c:\documents and settings\louay\IETldCache 2009-01-26 15:38 . 2009-01-26 15:39 <DIR> d--h-c--- c:\windows\ie8 2009-01-26 15:36 . 2009-01-10 22:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll 2009-01-24 11:57 . 2009-01-24 11:57 <DIR> d-------- c:\program files\FormatFactory 2009-01-17 09:18 . 2009-01-17 09:18 <DIR> d-------- C:\Documents 2009-01-15 15:41 . 2009-01-15 15:45 <DIR> d-------- c:\documents and settings\louay\Application Data\BitZipper 2009-01-15 02:22 . 2009-01-15 02:22 49,152 --------- c:\windows\system32\msrating.dll.mui 2009-01-15 02:21 . 2009-01-15 02:21 2,560 --------- c:\windows\system32\mshta.exe.mui 2009-01-15 02:19 . 2009-01-15 02:19 81,920 --------- c:\windows\system32\iedkcs32.dll.mui 2009-01-15 02:19 . 2009-01-15 02:19 4,096 --------- c:\windows\system32\ie4uinit.exe.mui . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-02-10 22:29 --------- d-----w c:\documents and settings\louay\Application Data\mIRC 2009-02-10 21:32 --------- d-----w c:\program files\mIRC 2009-02-10 00:25 --------- d-----w c:\program files\Dl_cats 2009-02-07 21:55 --------- d-----w c:\program files\OpenOffice.org 2.4 2009-02-07 20:35 --------- d-----w c:\program files\SUPERAntiSpyware 2009-02-07 20:35 --------- d-----w c:\documents and settings\louay\Application Data\OpenOffice.org2 2009-02-07 19:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-02-07 19:02 --------- d-----w c:\program files\Trend Micro 2009-02-07 14:45 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore 2009-02-05 22:16 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-01-31 18:52 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! 2009-01-31 18:11 --------- d-----w c:\program files\Stardock 2009-01-26 23:05 --------- d-----w c:\program files\iTunes 2009-01-25 23:25 31,760 ----a-w c:\documents and settings\louay\Application Data\GDIPFONTCACHEV1.DAT 2009-01-24 18:45 --------- d-----w c:\program files\Paint.NET 2009-01-23 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot 2009-01-23 21:32 --------- d-----w c:\program files\Webroot 2009-01-20 16:07 1,553,272 ----a-w c:\windows\WRSetup.dll 2009-01-15 09:05 911,872 ----a-w c:\windows\system32\wininet.dll 2009-01-15 09:05 43,008 ----a-w c:\windows\system32\licmgr10.dll 2009-01-15 09:04 18,944 ----a-w c:\windows\system32\corpol.dll 2009-01-15 09:03 72,704 ----a-w c:\windows\system32\admparse.dll 2009-01-15 09:03 71,680 ----a-w c:\windows\system32\iesetup.dll 2009-01-15 09:03 420,352 ----a-w c:\windows\system32\vbscript.dll 2009-01-15 09:01 34,304 ----a-w c:\windows\system32\imgutil.dll 2009-01-15 09:00 48,128 ----a-w c:\windows\system32\mshtmler.dll 2009-01-15 09:00 45,568 ----a-w c:\windows\system32\mshta.exe 2009-01-15 08:50 156,160 ----a-w c:\windows\system32\msls31.dll 2009-01-14 23:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-14 23:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-01-13 00:05 --------- d-----w c:\documents and settings\louay\Application Data\Notepad++ 2009-01-10 23:40 --------- d-----w c:\program files\CCleaner 2009-01-08 00:26 --------- d-----w c:\program files\Styler 2009-01-08 00:25 --------- d-----w c:\documents and settings\louay\Application Data\Styler 2009-01-03 18:25 --------- d--h--w c:\program files\InstallShield Installation Information 2009-01-01 01:22 --------- d-----w c:\program files\Bonjour 2008-12-30 01:00 --------- d-----w c:\program files\MSN Messenger 2008-12-30 00:56 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller 2008-12-30 00:55 --------- d-----w c:\program files\Windows Live 2008-12-30 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller 2008-12-30 00:41 --------- d-----w c:\program files\Messenger Plus! Live 2008-12-30 00:41 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus! 2008-12-22 16:33 --------- d-----w c:\program files\QuickTime 2008-12-22 16:21 --------- d-----w c:\program files\Windows Installer Clean Up 2008-12-22 16:21 --------- d-----w c:\program files\MSECACHE 2008-12-22 14:22 --------- d-----w c:\documents and settings\LocalService\Application Data\Yahoo! 2008-12-22 14:22 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion 2008-12-22 14:21 --------- d-----w c:\program files\Yahoo! 2008-12-22 01:49 --------- d-----w c:\program files\McAfee 2008-12-22 01:45 --------- d-----w c:\program files\Common Files\McAfee 2008-12-22 01:45 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor 2008-12-22 01:45 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee 2008-12-20 19:21 --------- d-----w c:\program files\Notepad++ 2008-12-19 02:49 --------- d-----w c:\program files\Opera 2008-12-18 23:33 410,984 ----a-w c:\windows\system32\deploytk.dll 2008-12-18 23:33 --------- d-----w c:\program files\Java 2008-12-18 23:13 --------- d-----w c:\program files\vixy.net 2008-12-16 23:34 --------- d-----w c:\program files\MediaMonkey 2008-12-12 18:18 87,336 ----a-w c:\windows\system32\dns-sd.exe 2008-12-12 18:11 61,440 ----a-w c:\windows\system32\dnssd.dll 2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys 2008-12-10 23:35 --------- d-----w c:\program files\OpenOffice.org 3 2008-12-10 23:35 --------- d-----w c:\program files\JRE 2008-12-10 23:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2008-12-10 23:26 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit 2008-11-28 20:22 164 ----a-w C:\install.dat 2008-11-25 00:47 42,354 ----a-w c:\documents and settings\louay\Application Data\wklnhst.dat 2008-07-14 18:08 0 -c--a-w c:\documents and settings\louay\jagex_runescape_preferences.dat 2007-02-13 05:07 251 -c--a-w c:\program files\wt3d.ini . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId] @="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}" [HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}] 2008-11-13 17:04 238968 --a------ c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360] "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184] "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-28 4363504] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-07 1830128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600] "SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2005-03-22 339968] "dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064] "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-08 185872] "Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "UserFaultCheck"="c:\windows\system32\dumprep.exe" [2004-08-10 10752] "SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-01-20 6278520] "DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728] c:\documents and settings\louay\Start Menu\Programs\Startup\ Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-01-31 3450608] Styler.lnk - c:\documents and settings\louay\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2009-01-07 15086] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-02-07 13:35 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.mpg4"= c:\windows\mpg4c32.dll "vidc.mpg2"= c:\windows\mpg4c32.dll "vidc.mpg3"= c:\windows\mpg4c32.dll "vidc.GEOX"= c:\windows\system32\v8120\GeoCodec.dll "vidc.GEOV"= GeoCodec.dll "vidc.G264"= c:\windows\system32\v8120\GX264.dll "vidc.GM20"= GXGM20.dll "vidc.GMP4"= c:\windows\system32\v8120\GXAMP4.dll "vidc.GM40"= GXAMP4.dll "vidc.MJPG"= m3jpeg32.dll "vidc.dmb1"= m3jpeg32.dll "msacm.geoadpcm"= c:\windows\system32\v8100\GeoADPCM.acm "vidc.GM4H"= c:\windows\system32\v8120\GXAMP4D.dll "vidc.GM4S"= c:\windows\system32\v8120\GXAMP4D.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] --a--c--- 2005-06-06 23:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE] -----c--- 2005-02-23 15:57 57344 c:\program files\Creative\Mixer\CTSVolFE.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] --a------ 2005-10-05 03:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray] --a--c--- 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate] --a------ 2005-06-08 14:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair] --a------ 2005-06-08 15:24 458752 c:\program files\Logitech\Video\ISStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray] --a------ 2005-06-08 15:14 217088 c:\program files\Logitech\Video\LogiTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder] --a------ 2005-08-24 18:25 101080 c:\program files\Microsoft Location Finder\LocationFinder.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware] --a------ 2009-02-07 13:35 1830128 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-10-08 19:45 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] --a------ 2009-01-28 21:56 4363504 c:\program files\Yahoo!\Messenger\YahooMessenger.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\v8010\\DMMultiView\\MultiView.exe"= "c:\\Program Files\\v8120\\DMMultiView\\MultiView.exe"= "c:\\Program Files\\mIRC\\mirc.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "135:TCP"= 135:TCP:DCOM(135) R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-21 206096] R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2008-11-28 1090936] R3 Angel;Angel MPEG Device;c:\windows\system32\drivers\Angel.sys [2006-11-14 376320] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2009-02-07 c:\windows\Tasks\cleanmgr.job - c:\windows\system32\cleanmgr.exe [2004-08-10 04:00] 2009-02-08 c:\windows\Tasks\dfrg.job - c:\windows\system32\dfrg.msc [2004-08-10 04:00] 2009-02-10 c:\windows\Tasks\wrSpySweeper_L421E2AA3F4ED4C2BAE764367B9B110DB.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-01-20 09:08] 2009-02-10 c:\windows\Tasks\wrSpySweeper_L421E2AA3F4ED4C2BAE764367B9B110DB.job - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-01-20 09:08] 2009-02-10 c:\windows\Tasks\wrSpySweeper_L421E2AA3F4ED4C2BAE764367B9B110DB.job - C:\ [2009-02-10 15:32] . - - - - ORPHANS REMOVED - - - - HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe MSConfigStartUp-DSS - c:\windows\BBSTORE\DSS\DSSAGENT.EXE . ------- Supplementary Scan ------- . uInternet Settings,ProxyOverride = *.local DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://216.185.184.229/ActiveView.cab DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://kwikwash.dipmap.com/cab/OCXChecker_8120.cab DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - hxxp://kwikwash.dipmap.com/cab/DownloadFile_8110.cab FF - ProfilePath - c:\documents and settings\louay\Application Data\Mozilla\Firefox\Profiles\b6ytas10.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/ FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=chrff-brandt_off&type=000110X001US&p= FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Opera\program\plugins\NPTURNMED.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-10 15:34:20 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(728) c:\program files\SUPERAntiSpyware\SASWINLO.DLL . Completion time: 2009-02-10 15:35:49 ComboFix-quarantined-files.txt 2009-02-10 22:35:47 Pre-Run: 210,575,208,448 bytes free Post-Run: 211,050,975,232 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect 286 --- E O F --- 2009-02-10 10:00:52 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:40:43 PM, on 2/10/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18372) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\stsystra.exe C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\dlcccoms.exe C:\Program Files\Stardock\ObjectDock\ObjectDock.exe C:\Program Files\Styler\Styler.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\explorer.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [sigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe" O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [LVCOMSX] "C:\WINDOWS\system32\LVCOMSX.EXE" O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [userFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u O4 - HKLM\..\Run: [DLCCCATS] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [sUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe O4 - Startup: Styler.lnk = ? O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.185.184.229/ActiveView.cab O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://kwikwash.dipmap.com/cab/OCXChecker_8120.cab O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://kwikwash.dipmap.com/cab/DownloadFile_8110.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- End of file - 9110 bytes
  17. Dr. Web Log: LSPatch.exe\data005;C:\Documents and Settings\louay\Local Settings\Application Data\Mozilla\Firefox\Profiles\b6ytas10.default\Cache(6)\29C4C791d01/;Tool.CloseApp;; VistaVG Ultimate with Searchbar\LSPatch.exe;C:\Documents and Settings\louay\Local Settings\Application Data\Mozilla\Firefox\Profiles\b6ytas10.default\Cache(6)\29C4C791d01/;Archive contains infected objects;; 29C4C791d01;C:\Documents and Settings\louay\Local Settings\Application Data\Mozilla\Firefox\Profiles\b6ytas10.default\Cache(6);Archive contains infected objects;Moved.; ---------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:21:17 PM, on 2/8/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18372) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\stsystra.exe C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\WINDOWS\system32\dlcccoms.exe C:\Program Files\Stardock\ObjectDock\ObjectDock.exe C:\Program Files\Styler\Styler.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [sigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe" O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [LVCOMSX] "C:\WINDOWS\system32\LVCOMSX.EXE" O4 - HKLM\..\Run: [KernelFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -k O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [userFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [sUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user') O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe O4 - Startup: Styler.lnk = ? O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.185.184.229/ActiveView.cab O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://kwikwash.dipmap.com/cab/OCXChecker_8120.cab O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://kwikwash.dipmap.com/cab/DownloadFile_8110.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- End of file - 9649 bytes
  18. I followed your instructions. Here are the results: Microsoft Windows XP [Version 5.1.2600] © Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\louay>nbtstat -R Successful purge and preload of the NBT Remote Cache Name Table. C:\Documents and Settings\louay>ipconfig /flushdns Windows IP Configuration Successfully flushed the DNS Resolver Cache. C:\Documents and Settings\louay>arp -d C:\Documents and Settings\louay>netstat -vb Active Connections Proto Local Address Foreign Address State PID TCP lg-eb5fa1895118:1036 localhost:27015 ESTABLISHED 2788 C:\WINDOWS\system32\mswsock.dll C:\WINDOWS\system32\WS2_32.dll C:\Program Files\Common Files\Apple\Mobile Device Support\bin\iTunesMobileDevi ce.dll C:\WINDOWS\system32\ADVAPI32.dll C:\WINDOWS\system32\kernel32.dll [iTunesHelper.exe] TCP lg-eb5fa1895118:27015 localhost:1036 ESTABLISHED 2032 C:\WINDOWS\system32\WS2_32.dll C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDevic eService.exe C:\WINDOWS\system32\ADVAPI32.dll C:\WINDOWS\system32\kernel32.dll [AppleMobileDeviceService.exe] TCP lg-eb5fa1895118:4788 localhost:5152 FIN_WAIT_2 2992 -- unknown component(s) -- [system] TCP lg-eb5fa1895118:4028 ip98-174-28-18.at.at.cox.net:http CLOSE_WAIT 1440 C:\WINDOWS\system32\ws2_32.dll C:\WINDOWS\system32\WININET.dll [jusched.exe] TCP lg-eb5fa1895118:4666 64.78.182.201.webroot.com:http CLOSE_WAIT 1116 C:\WINDOWS\system32\WS2_32.dll C:\WINDOWS\system32\WININET.dll [WRConsumerService.exe] TCP lg-eb5fa1895118:4667 72.5.172.203:http CLOSE_WAIT 1116 C:\WINDOWS\system32\WS2_32.dll C:\WINDOWS\system32\WININET.dll [WRConsumerService.exe] TCP lg-eb5fa1895118:4668 64.78.182.201.webroot.com:http CLOSE_WAIT 1116 C:\WINDOWS\system32\WS2_32.dll C:\WINDOWS\system32\WININET.dll [WRConsumerService.exe] TCP lg-eb5fa1895118:4669 72.5.172.203:http CLOSE_WAIT 1116 C:\WINDOWS\system32\WS2_32.dll C:\WINDOWS\system32\WININET.dll [WRConsumerService.exe] TCP lg-eb5fa1895118:4670 72.5.172.203:http CLOSE_WAIT 1116 C:\WINDOWS\system32\WS2_32.dll C:\WINDOWS\system32\WININET.dll [WRConsumerService.exe] TCP lg-eb5fa1895118:5152 localhost:4788 CLOSE_WAIT 676 C:\WINDOWS\system32\WS2_32.dll C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\bin\MSVCR71.dll C:\WINDOWS\system32\kernel32.dll [jqs.exe] TCP lg-eb5fa1895118:4791 207.68.183.40:http TIME_WAIT 0 TCP lg-eb5fa1895118:4792 65.55.149.122:http TIME_WAIT 0 TCP lg-eb5fa1895118:4794 65.55.15.124:http TIME_WAIT 0 TCP lg-eb5fa1895118:4795 65.55.15.244:http TIME_WAIT 0 TCP lg-eb5fa1895118:4796 iw-in-f99.google.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4798 iw-in-f99.google.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4799 match.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4800 a72-246-89-111.deploy.akamaitechnologies.com:htt p TIME_WAIT 0 TCP lg-eb5fa1895118:4801 208.83.240.16:http TIME_WAIT 0 TCP lg-eb5fa1895118:4802 ip98-174-28-66.at.at.cox.net:http TIME_WAIT 0 TCP lg-eb5fa1895118:4803 a72-246-89-111.deploy.akamaitechnologies.com:htt p TIME_WAIT 0 TCP lg-eb5fa1895118:4805 surfcanyon.peakwebhosting.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4806 a-70-183-191-88.deploy.akamaitechnologies.com:ht tp TIME_WAIT 0 TCP lg-eb5fa1895118:4807 iw-in-f99.google.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4809 www.dslreports.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4811 c18-rb-gtm1-tron-xw-lb.cnet.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4812 pcpitstop.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4814 205.227.136.88:http TIME_WAIT 0 TCP lg-eb5fa1895118:4815 205.227.136.90:http TIME_WAIT 0 TCP lg-eb5fa1895118:4816 c18-rb-gtm2-tron-xw-lb.cnet.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4817 mail.webproworld.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4819 205.227.136.88:http TIME_WAIT 0 TCP lg-eb5fa1895118:4820 surfcanyon.peakwebhosting.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4825 alpha.malwarebytes.org:http TIME_WAIT 0 TCP lg-eb5fa1895118:4834 iw-in-f127.google.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4835 204.160.104.126:http TIME_WAIT 0 TCP lg-eb5fa1895118:4837 saturn.mycity.co.yu:http TIME_WAIT 0 TCP lg-eb5fa1895118:4842 iw-in-f127.google.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4844 207.46.216.54:http TIME_WAIT 0 TCP lg-eb5fa1895118:4845 wwwbaytest2.microsoft.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4846 zone.msn.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4847 kasperskycom9.kaspersky-labs.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4848 secure.logmein.com:https TIME_WAIT 0 TCP lg-eb5fa1895118:4849 a72-246-47-190.deploy.akamaitechnologies.com:htt p TIME_WAIT 0 TCP lg-eb5fa1895118:4852 69.25.20.48:https TIME_WAIT 0 TCP lg-eb5fa1895118:4854 207.68.183.40:http TIME_WAIT 0 TCP lg-eb5fa1895118:4855 199.7.71.72:http TIME_WAIT 0 TCP lg-eb5fa1895118:4856 OCSP.NYC3.verisign.com:http TIME_WAIT 0 TCP lg-eb5fa1895118:4857 199.7.71.72:http TIME_WAIT 0 TCP lg-eb5fa1895118:4858 fe.feeds.del.vip.ac4.yahoo.net:http TIME_WAIT 0 TCP lg-eb5fa1895118:4859 fe.feeds.del.vip.ac4.yahoo.net:http TIME_WAIT 0 TCP lg-eb5fa1895118:4749 localhost:5152 TIME_WAIT 0 C:\Documents and Settings\louay>ipconfig /flushdarp a Error: unrecongnized or incomplete command line. USAGE: ipconfig [/? | /all | /renew [adapter] | /release [adapter] | /flushdns | /displaydns | /registerdns | /showclassid adapter | /setclassid adapter [classid] ] where adapter Connection name (wildcard characters * and ? allowed, see examples) Options: /? Display this help message /all Display full configuration information. /release Release the IP address for the specified adapter. /renew Renew the IP address for the specified adapter. /flushdns Purges the DNS Resolver cache. /registerdns Refreshes all DHCP leases and re-registers DNS names /displaydns Display the contents of the DNS Resolver Cache. /showclassid Displays all the dhcp class IDs allowed for adapter. /setclassid Modifies the dhcp class id. The default is to display only the IP address, subnet mask and default gateway for each adapter bound to TCP/IP. For Release and Renew, if no adapter name is specified, then the IP address leases for all adapters bound to TCP/IP will be released or renewed. For Setclassid, if no ClassId is specified, then the ClassId is removed. Examples: > ipconfig ... Show information. > ipconfig /all ... Show detailed information > ipconfig /renew ... renew all adapters > ipconfig /renew EL* ... renew any connection that has its name starting with EL > ipconfig /release *Con* ... release all matching connections, eg. "Local Area Connection 1" or "Local Area Connection 2" C:\Documents and Settings\louay> C:\Documents and Settings\louay>arp -d C:\Documents and Settings\louay> C:\Documents and Settings\louay>
  19. Let me start off by thanking you for your help AdvancedSetup. And I followed your instructions, here are the contents of the Kaspersky Scan Log: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Saturday, February 7, 2009 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Saturday, February 07, 2009 23:01:24 Records in database: 1766336 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ E:\ Scan statistics: Files scanned: 87684 Threat name: 1 Infected objects: 1 Suspicious objects: 0 Duration of the scan: 01:33:06 File name / Threat name / Threats count C:\Documents and Settings\louay\Local Settings\Application Data\Mozilla\Firefox\Profiles\b6ytas10.default\Cache(6)\29C4C791d01 Infected: not-a-virus:RiskTool.Win32.CloseApp.a 1 The selected area was scanned. -------------------------------------- Now, I was speaking to a friend, and he told me that there is a possibility that the malware had left a backdoor of sorts onto my computer, and the only way to check this is due to a port scan. Realistically, should I be worried about a 'backdoor' having been left on my computer?
  20. I've recently discovered that my computer had several trojans, and a Rogue Antivirus as well. I've removed everything that's been found, but I'd like some reassurance before I return to using the computer normally as we do things like online banking on it, and I definitely do not want the security of my computer compromised whilst doing that. Here are the logs - and thanks in advance. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:18:27 PM, on 2/7/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18372) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\dllhost.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\stsystra.exe C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\WINDOWS\system32\dlcccoms.exe C:\Program Files\OpenOffice.org 2.4\program\soffice.exe C:\Program Files\Stardock\ObjectDock\ObjectDock.exe C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN C:\Program Files\Styler\Styler.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\mIRC\mIRC.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [sigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe" O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [LVCOMSX] "C:\WINDOWS\system32\LVCOMSX.EXE" O4 - HKLM\..\Run: [KernelFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -k O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [userFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u O4 - HKLM\..\Run: [DLCCCATS] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [sUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user') O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe O4 - Startup: Styler.lnk = ? O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.185.184.229/ActiveView.cab O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://kwikwash.dipmap.com/cab/OCXChecker_8120.cab O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://kwikwash.dipmap.com/cab/DownloadFile_8110.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- End of file - 9891 bytes Malwarebytes' Anti-Malware 1.33 Database version: 1736 Windows 5.1.2600 Service Pack 2 2/7/2009 1:23:25 PM mbam-log-2009-02-07 (13-23-25).txt Scan type: Full Scan (C:\|) Objects scanned: 157060 Time elapsed: 1 hour(s), 3 minute(s), 35 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 4 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.