Jump to content

Multiple recurring infections

JohnPf

By JohnPf
in Resolved Malware Removal Logs

 Share

Recommended Posts

JohnPf

JohnPf

Posted
Posted

Hello All,

Yesterday, I became infected with several malwares (e.g. AntivirusPlus, MS Antivirus 2009, etc.). Since then I have downloaded and run:

* chkdsk

* Avast

* SpyHunter

* Super AntiSpyware

* MalwareBytes

After countless scans with these tools, the problem has gotten much better, but does not completely go away.

I have several symptoms:

1. My system task tray has a red x with "Warning! You have a security problem" that pops up about every 30 seconds.

2. I get a popup window every so often with "Alert! You have a security problem! Do you want to scan your computer for viruses?" I always click cancel.

3. I get a Windows Internet Explorer window about every 10 minutes trying to link to some site

Per your instructions, I have captured logs from Malwarebytes' Anti-Malware and Hijackthis (below)

The problem persists. Please analyze the logs and tell me what I need to do to get rid of this bug(s).

Many thanks,

John

************************************

mbam log

Malwarebytes' Anti-Malware 1.34

Database version: 1798

Windows 5.1.2600 Service Pack 3

2/24/2009 7:24:42 AM

mbam-log-2009-02-24 (07-24-41).txt

Scan type: Quick Scan

Objects scanned: 71707

Time elapsed: 11 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*************************************

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:08:57 AM, on 2/24/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\system32\userinit.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\system32\timeserv.exe

C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\hh.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [spyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe

O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {54FD7DE0-D80D-11D3-942C-00105A177F53} (Atlas Directories) - http://atlas.veritas.com/avf/pics/_applets...ls/AtlasLib.cab

O16 - DPF: {CA60EBF6-B07F-11D2-B56A-005004052157} - http://atlas.veritas.com/avf/pics/_applets...ActiveProj1.cab

O16 - DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} (DDSC Class) - http://bnet/backupexec/Portal/resources/msddsc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = slo.rnd.veritas.com

O17 - HKLM\Software\..\Telephony: DomainName = slo.rnd.veritas.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = slo.rnd.veritas.com

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE

O23 - Service: Google Update Service (gupdate1c926ee5499055a) (gupdate1c926ee5499055a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: VERITAS Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--

End of file - 9162 bytes

Link to post
Share on other sites
Tigger93

Tigger93

Posted
Posted

Hi. <_<

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

Link to post
Share on other sites
JohnPf

JohnPf

Posted
  • Author
Posted

Hi Tigger,

I ran ComboFix and a new Hijackthis. The logs are as follows. This is really taking a heavy toll on me....

Many thanks,

John

Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:05, on 2009-02-25

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\system32\timeserv.exe

C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [spyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe

O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {54FD7DE0-D80D-11D3-942C-00105A177F53} (Atlas Directories) - http://atlas.veritas.com/avf/pics/_applets...ls/AtlasLib.cab

O16 - DPF: {CA60EBF6-B07F-11D2-B56A-005004052157} - http://atlas.veritas.com/avf/pics/_applets...ActiveProj1.cab

O16 - DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} (DDSC Class) - http://bnet/backupexec/Portal/resources/msddsc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = slo.rnd.veritas.com

O17 - HKLM\Software\..\Telephony: DomainName = slo.rnd.veritas.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = slo.rnd.veritas.com

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE

O23 - Service: Google Update Service (gupdate1c926ee5499055a) (gupdate1c926ee5499055a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: VERITAS Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--

End of file - 8992 bytes

************************************************

ComboFix Log

ComboFix 09-02-24.02 - v023009 2009-02-25 7:40:07.1 - NTFSx86

Running from: c:\documents and settings\JPfost\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090225-1] *On-access scanning enabled* (Updated)

.

The following files were disabled during the run:

c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\.log

c:\windows\a3kebook.ini

c:\windows\akebook.ini

c:\windows\ANS2000.INI

c:\windows\system32\dbxDgrevCheck.dll

c:\windows\system32\init32.exe

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.

((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))

.

2009-02-25 07:30 . 2009-02-25 07:32 <DIR> d-------- C:\32788R22FWJFW

2009-02-24 08:08 . 2009-02-24 08:08 <DIR> d-------- c:\program files\Trend Micro

2009-02-23 19:48 . 2009-02-25 07:27 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-23 19:48 . 2009-02-23 19:48 <DIR> d-------- c:\documents and settings\JPfost\Application Data\SUPERAntiSpyware.com

2009-02-23 19:48 . 2009-02-23 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-23 18:37 . 2009-02-23 18:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-23 18:37 . 2009-02-23 18:37 <DIR> d-------- c:\documents and settings\JPfost\Application Data\Malwarebytes

2009-02-23 18:37 . 2009-02-23 18:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-23 18:37 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-23 18:37 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-23 17:25 . 2009-02-23 17:25 <DIR> d-------- c:\program files\Enigma Software Group

2009-02-23 13:02 . 2009-02-23 13:02 81 --a------ c:\windows\system32\dmns.cfg

2009-02-23 12:59 . 2009-02-23 12:59 5 --a------ c:\windows\system32\avp.id

2009-02-22 16:29 . 2009-02-22 16:27 322,020 --a------ c:\windows\thx.wav

2009-02-22 16:21 . 2009-02-22 16:23 <DIR> d-------- c:\program files\QuickTime

2009-02-22 16:21 . 2009-02-22 16:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer

2009-02-22 08:35 . 2009-02-22 08:35 165 --a------ c:\windows\startUp manager.INI

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-25 06:39 --------- d-----w c:\program files\Mozilla Thunderbird

2009-02-25 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-02-24 03:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-23 22:10 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-23 19:31 --------- d-----w c:\documents and settings\JPfost\Application Data\FileZilla

2009-02-19 20:37 --------- d-----w c:\program files\Thumbs7

2009-02-19 14:50 --------- d-----w c:\documents and settings\JPfost\Application Data\uTorrent

2009-02-19 12:43 --------- d-----w c:\program files\Advanced System Optimizer

2009-02-13 21:28 --------- d-----w c:\program files\Agent

2009-02-13 20:01 --------- d-----w c:\program files\FileZilla FTP Client

2009-02-08 14:24 --------- d-----w c:\program files\Google

2009-02-02 17:09 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip

2009-01-25 04:40 --------- d-----w c:\program files\Alwil Software

2009-01-06 23:41 --------- d-----w c:\program files\IrfanView

2008-12-30 23:55 --------- d-----w c:\program files\Citrix

2008-12-30 23:54 60,744 ----a-w c:\documents and settings\JPfost\g2mdlhlpx.exe

2008-09-17 14:59 25,712 ----a-w c:\documents and settings\JPfost\Application Data\GDIPFONTCACHEV1.DAT

2005-08-21 20:07 32 -csha-w c:\windows\{1600058C-DD77-45EC-BDAC-462B40F36CB7}.dat

2005-08-21 20:08 32 --sha-w c:\windows\{2A0B546C-6982-4344-9661-0462E4B79773}.dat

2005-08-21 20:09 32 --sha-w c:\windows\{9686CF6E-A046-41FD-B7C9-80C3C10A64A3}.dat

2005-08-21 20:07 32 -csha-w c:\windows\{9A5D6CDF-2087-460E-88BE-B099046E39C7}.dat

2005-08-21 20:09 32 --sha-w c:\windows\{9CBDA4AD-338C-4AF0-9F49-3B45BACE34A4}.dat

2005-08-21 20:07 32 -csha-w c:\windows\{D1234BB9-0306-4E4D-9503-3F5FDDDCC624}.dat

2005-08-21 20:09 32 --sha-w c:\windows\system32\{246A97AC-24AD-4730-A76F-65D0280D732D}.dat

2005-08-21 20:07 32 --sha-w c:\windows\system32\{35D387D3-FC50-4124-B8E7-F7B628A896EF}.dat

2005-08-21 20:08 32 --sha-w c:\windows\system32\{9C5241C7-3847-45AA-BBCD-A428E06947EB}.dat

2005-08-21 20:07 32 --sha-w c:\windows\system32\{B7BC1066-FAE8-4108-A99D-F770D0C5FF72}.dat

2005-08-21 20:07 32 --sha-w c:\windows\system32\{EB8BC256-27F0-4F18-87D4-BCECF8657AA2}.dat

2005-08-21 20:09 32 --sha-w c:\windows\system32\{F63C129E-5E43-44AF-B658-6FA27DB58F9E}.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]

"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-01-14 35328]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-01-13 864256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

1-Click Answers.lnk - c:\program files\1-Click Answers\answers.exe [2008-08-23 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\TNG-Book\\TNG on USB Drive\\TNG701onMowesII_extracted\\apache2\\bin\\httpd.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2003-11-07 17792]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-24 114768]

R1 GhPciScan;GhostPciScanner;c:\program files\Norton SystemWorks\Norton Ghost\GhPciScan.sys [2002-08-14 5632]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-24 20560]

R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [2005-08-21 135168]

R2 TimeServ;Time Service;c:\windows\system32\TIMESERV.EXE [2003-08-29 141584]

R2 VRTSChangeJournalReader;VERITAS Backup Exec DLO Agent Change Journal Reader;c:\program files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe [2004-08-01 271456]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

S2 gupdate1c926ee5499055a;Google Update Service (gupdate1c926ee5499055a);c:\program files\Google\Update\GoogleUpdate.exe [2008-10-05 133104]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-02-23 38496]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f58dfa46-df8a-11d9-9659-000874d6124a}]

\Shell\AutoRun\command - F:\PortableRoboForm.exe

.

Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-05 05:55]

2009-02-21 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\program files\Norton SystemWorks\OBC.exe [2002-09-29 20:57]

2009-02-21 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job

- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-05-17 c:\windows\Tasks\Uniblue SpeedUpMyPC.job

- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

ShellIconOverlayIdentifiers-{1E5E1445-6CEA-4761-8E45-AA19F654571E} - (no file)

ShellIconOverlayIdentifiers-{1AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C} - (no file)

MSConfigStartUp-Startup Manager - c:\documents and settings\JPfost\Application Data\Systweak\ASO 2\smstartUp manager.exe

.

------- Supplementary Scan -------

.

uStart Page =

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Search

IE: Answers... - file://c:\program files\1-Click Answers\Html\atiemenu.htm

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: {54FD7DE0-D80D-11D3-942C-00105A177F53} - hxxp://atlas.veritas.com/avf/pics/_applets/docshare/xcontrols/AtlasLib.cab

DPF: {CA60EBF6-B07F-11D2-B56A-005004052157} - hxxp://atlas.veritas.com/avf/pics/_applets/docshare/xcontrols/AtlasEditorActiveProj1.cab

DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} - hxxp://bnet/backupexec/Portal/resources/msddsc.cab

FF - ProfilePath - c:\documents and settings\JPfost\Application Data\Mozilla\Firefox\Profiles\fvs08eqt.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - component: c:\documents and settings\JPfost\Application Data\Mozilla\Firefox\Profiles\fvs08eqt.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\documents and settings\JPfost\Application Data\Mozilla\Firefox\Profiles\fvs08eqt.default\extensions\[email protected]\components\coolirisstub.dll

FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-25 07:53:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\progra~1\NORTON~1\NORTON~1\GHOSTS~2.EXE

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\NORTON~1\SPEEDD~1\NOPDB.EXE

c:\program files\Iomega\AutoDisk\ADService.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Completion time: 2009-02-25 8:02:44 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-25 16:02:30

Pre-Run: 2,700,218,368 bytes free

Post-Run: 3,386,892,288 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

multi(0)disk(0)rdisk(0)partition(2)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

212 --- E O F --- 2009-02-25 05:23:35

Link to post
Share on other sites
JohnPf

JohnPf

Posted
  • Author
Posted

Hi Tigger,

Just by running ComboFix to generate the log (prior post), the offenses have stopped and the red icon with the "X" is no longer present in the task menu.

I have only restarted Avast for ongoing protection.

However, I am reluctant to do anything until I hear from you.

Many thanks,

John

Link to post
Share on other sites
JohnPf

JohnPf

Posted
  • Author
Posted

Hi Tigger,

Being the impatient bloke that I am, I went ahead and ran Malwarebytes Anti-Malware and Avast system scans. They captured a number of residual infected files.

Again, everything seems to be okay now.

Is there anything else that I should do based on the logs provided above?

Again, many thanks,

John

Link to post
Share on other sites
Tigger93

Tigger93

Posted
Posted

A few things.

1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\system32\dmns.cfg

c:\windows\system32\avp.id

Folder::

C:\32788R22FWJFW

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
Link to post
Share on other sites
JohnPf

JohnPf

Posted
  • Author
Posted

Hello Tiggre,

Following are the new HJT and ComboFix Logs.

Thanks,

John

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:58, on 2009-02-25

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\system32\timeserv.exe

C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\1-Click Answers\answers.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\1-CLIC~1\agtserv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [spyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe

O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {54FD7DE0-D80D-11D3-942C-00105A177F53} (Atlas Directories) - http://atlas.veritas.com/avf/pics/_applets...ls/AtlasLib.cab

O16 - DPF: {CA60EBF6-B07F-11D2-B56A-005004052157} - http://atlas.veritas.com/avf/pics/_applets...ActiveProj1.cab

O16 - DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} (DDSC Class) - http://bnet/backupexec/Portal/resources/msddsc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = slo.rnd.veritas.com

O17 - HKLM\Software\..\Telephony: DomainName = slo.rnd.veritas.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = slo.rnd.veritas.com

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE

O23 - Service: Google Update Service (gupdate1c926ee5499055a) (gupdate1c926ee5499055a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: VERITAS Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--

End of file - 9333 bytes

***********************************************

ComboFix Log

ComboFix 09-02-24.02 - v023009 2009-02-25 10:35:32.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.74 [GMT -8:00]

Running from: c:\documents and settings\JPfost\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\JPfost\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\windows\system32\avp.id

c:\windows\system32\dmns.cfg

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\avp.id

c:\windows\system32\dmns.cfg

F:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))

.

2009-02-24 08:08 . 2009-02-24 08:08 <DIR> d-------- c:\program files\Trend Micro

2009-02-23 19:48 . 2009-02-25 07:27 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-23 19:48 . 2009-02-23 19:48 <DIR> d-------- c:\documents and settings\JPfost\Application Data\SUPERAntiSpyware.com

2009-02-23 19:48 . 2009-02-23 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-23 18:37 . 2009-02-23 18:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-23 18:37 . 2009-02-23 18:37 <DIR> d-------- c:\documents and settings\JPfost\Application Data\Malwarebytes

2009-02-23 18:37 . 2009-02-23 18:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-23 18:37 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-23 18:37 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-23 17:25 . 2009-02-23 17:25 <DIR> d-------- c:\program files\Enigma Software Group

2009-02-22 16:29 . 2009-02-22 16:27 322,020 --a------ c:\windows\thx.wav

2009-02-22 16:21 . 2009-02-22 16:23 <DIR> d-------- c:\program files\QuickTime

2009-02-22 16:21 . 2009-02-22 16:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer

2009-02-22 08:35 . 2009-02-22 08:35 165 --a------ c:\windows\startUp manager.INI

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-25 18:27 --------- d-----w c:\program files\Mozilla Thunderbird

2009-02-25 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-02-24 03:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-23 22:10 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-23 19:31 --------- d-----w c:\documents and settings\JPfost\Application Data\FileZilla

2009-02-19 20:37 --------- d-----w c:\program files\Thumbs7

2009-02-19 14:50 --------- d-----w c:\documents and settings\JPfost\Application Data\uTorrent

2009-02-19 12:43 --------- d-----w c:\program files\Advanced System Optimizer

2009-02-13 21:28 --------- d-----w c:\program files\Agent

2009-02-13 20:01 --------- d-----w c:\program files\FileZilla FTP Client

2009-02-08 14:24 --------- d-----w c:\program files\Google

2009-02-02 17:09 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip

2009-01-25 04:40 --------- d-----w c:\program files\Alwil Software

2009-01-06 23:41 --------- d-----w c:\program files\IrfanView

2008-12-30 23:55 --------- d-----w c:\program files\Citrix

2008-12-30 23:54 60,744 ----a-w c:\documents and settings\JPfost\g2mdlhlpx.exe

2008-09-17 14:59 25,712 ----a-w c:\documents and settings\JPfost\Application Data\GDIPFONTCACHEV1.DAT

2005-08-21 20:07 32 -csha-w c:\windows\{1600058C-DD77-45EC-BDAC-462B40F36CB7}.dat

2005-08-21 20:08 32 --sha-w c:\windows\{2A0B546C-6982-4344-9661-0462E4B79773}.dat

2005-08-21 20:09 32 --sha-w c:\windows\{9686CF6E-A046-41FD-B7C9-80C3C10A64A3}.dat

2005-08-21 20:07 32 -csha-w c:\windows\{9A5D6CDF-2087-460E-88BE-B099046E39C7}.dat

2005-08-21 20:09 32 --sha-w c:\windows\{9CBDA4AD-338C-4AF0-9F49-3B45BACE34A4}.dat

2005-08-21 20:07 32 -csha-w c:\windows\{D1234BB9-0306-4E4D-9503-3F5FDDDCC624}.dat

2005-08-21 20:09 32 --sha-w c:\windows\system32\{246A97AC-24AD-4730-A76F-65D0280D732D}.dat

2005-08-21 20:07 32 --sha-w c:\windows\system32\{35D387D3-FC50-4124-B8E7-F7B628A896EF}.dat

2005-08-21 20:08 32 --sha-w c:\windows\system32\{9C5241C7-3847-45AA-BBCD-A428E06947EB}.dat

2005-08-21 20:07 32 --sha-w c:\windows\system32\{B7BC1066-FAE8-4108-A99D-F770D0C5FF72}.dat

2005-08-21 20:07 32 --sha-w c:\windows\system32\{EB8BC256-27F0-4F18-87D4-BCECF8657AA2}.dat

2005-08-21 20:09 32 --sha-w c:\windows\system32\{F63C129E-5E43-44AF-B658-6FA27DB58F9E}.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]

"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-01-14 35328]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-01-13 864256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

1-Click Answers.lnk - c:\program files\1-Click Answers\answers.exe [2008-08-23 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\TNG-Book\\TNG on USB Drive\\TNG701onMowesII_extracted\\apache2\\bin\\httpd.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2003-11-07 17792]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-24 114768]

R1 GhPciScan;GhostPciScanner;c:\program files\Norton SystemWorks\Norton Ghost\GhPciScan.sys [2002-08-14 5632]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-24 20560]

R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [2005-08-21 135168]

R2 TimeServ;Time Service;c:\windows\system32\TIMESERV.EXE [2003-08-29 141584]

R2 VRTSChangeJournalReader;VERITAS Backup Exec DLO Agent Change Journal Reader;c:\program files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe [2004-08-01 271456]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

S2 gupdate1c926ee5499055a;Google Update Service (gupdate1c926ee5499055a);c:\program files\Google\Update\GoogleUpdate.exe [2008-10-05 133104]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f58dfa46-df8a-11d9-9659-000874d6124a}]

\Shell\AutoRun\command - F:\PortableRoboForm.exe

.

Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-05 05:55]

2009-02-21 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\program files\Norton SystemWorks\OBC.exe [2002-09-29 20:57]

2009-02-21 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job

- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-05-17 c:\windows\Tasks\Uniblue SpeedUpMyPC.job

- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

.

.

------- Supplementary Scan -------

.

uStart Page =

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Search

IE: Answers... - file://c:\program files\1-Click Answers\Html\atiemenu.htm

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: {54FD7DE0-D80D-11D3-942C-00105A177F53} - hxxp://atlas.veritas.com/avf/pics/_applets/docshare/xcontrols/AtlasLib.cab

DPF: {CA60EBF6-B07F-11D2-B56A-005004052157} - hxxp://atlas.veritas.com/avf/pics/_applets/docshare/xcontrols/AtlasEditorActiveProj1.cab

DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} - hxxp://bnet/backupexec/Portal/resources/msddsc.cab

FF - ProfilePath - c:\documents and settings\JPfost\Application Data\Mozilla\Firefox\Profiles\fvs08eqt.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - component: c:\documents and settings\JPfost\Application Data\Mozilla\Firefox\Profiles\fvs08eqt.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\documents and settings\JPfost\Application Data\Mozilla\Firefox\Profiles\fvs08eqt.default\extensions\[email protected]\components\coolirisstub.dll

FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-25 10:39:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-02-25 10:44:31

ComboFix-quarantined-files.txt 2009-02-25 18:43:52

ComboFix2.txt 2009-02-25 16:02:49

Pre-Run: 3,519,066,112 bytes free

Post-Run: 3,363,688,448 bytes free

178 --- E O F --- 2009-02-25 05:23:35

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.