
numerous problems, log attached, please help



So here's my original complaint, posted in the main forum:

Got the usual bogus spyware popups and the accompanying Google redirects. MBAM has removed them before, but this time was different. MBAM wouldn't run, so I renamed it (actually created a copy with a random name), and that ran fine. It got rid of the bogus spyware, but this time I am still having a few leftover issues:

- MBAM still won't run under its usual name, either by clicking or by typing in the Run window. This is in either regular or safe mode. Therefore, I cannot do an update, since when I update the random-name version, it downloads the updates and then tries to run MBAM, which of course doesn't run.

- Having login issues at some sites with logins (such as YouTube, Yahoo Mail), but not all of them. Sites that won't log in anymore just sit on the login screen after I enter until they time out and show a "page not found" in Explorer.

And an update:

Today I couldn't run MBAM under any name, and couldn't load the page for Avira or HJT as advised. So I went to the laptop, downloaded onto a flash drive and tried to run on this computer. MBAM and Avira wouldn't run from the flash drive, but HJT did; log pasted below. Also, Google is now redirecting to some nonsense called toseeka.com.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:27:40 PM, on 2/25/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\System32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINDOWS\system32\LxrSII1s.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\ssoftsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

c:\windows\system32\hkcmd.exe

c:\program files\common files\symantec shared\ccapp.exe

c:\program files\adaptec\easy cd creator 5\directcd\directcd.exe

c:\program files\creative\sharedll\ctnotify.exe

c:\program files\creative\nomad jukebox 3\playcenter2\ctnmrun.exe

c:\program files\lexmark x6100 series\lxbfbmgr.exe

c:\program files\verizon\mccitrayapp.exe

c:\program files\java\jre6\bin\jusched.exe

c:\program files\common files\real\update_ob\realsched.exe

c:\program files\common files\{24ba00fb-07c9-1033-1120-020326200001}\update.exe

c:\program files\messenger\msmsgs.exe

c:\program files\creative\sync manager unicode\ctsyncu.exe

c:\windows\system32\ctfmon.exe

c:\program files\lexmark x6100 series\lxbfbmon.exe

C:\Program Files\Creative\Sharedll\Mediadet.exe

c:\program files\common files\nikon\monitor\nkmonitor.exe

c:\program files\zone_alarm\zonealarm\zonealarm.exe

c:\windows\system32\zonelabs\vsmon.exe

c:\program files\internet explorer\iexplore.exe

c:\program files\internet explorer\iexplore.exe

c:\windows\system32\rundll32.exe

f:\new folder\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\system32\AcroIEHelpe5.dll

O2 - BHO: (no name) - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [CTStartup] c:\program files\creative\splash screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [NOMAD Detector] C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE

O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [NOMAD Detector] "c:\program files\creative\nomad jukebox 3\playcenter2\ctnmrun.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Policies\Explorer\Run: [{24BA00FB-07C9-1033-1120-020326200001}] "C:\Program Files\Common Files\{24BA00FB-07C9-1033-1120-020326200001}\Update.exe" mc-110-12-0000103

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\zone_alarm\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Schoolpop - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.ritzpix.com/net/Uploader/ImageUploader3.cab

O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader41.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe

O18 - Filter hijack: text/html - {a617265e-df50-4ee2-8f8a-5a52fe8657d0} - C:\WINDOWS\system32\mst122.dll

O20 - AppInit_DLLs: karna.dat pqkloo.dll uoilab.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe

O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)

O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--

End of file - 12612 bytes

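One way to triage a HijackThis log such as the one posted above, as an added example that is not part of the thread and not HijackThis itself: it parses the entry lines and flags the O18 text/html filter hijack, the O20 AppInit_DLLs modules, the IE ProxyServer value and the orphaned "(no file)" BHO, which are the entries a helper would look at first. The sample lines are copied from the log above; the rule set and severities are this example's own.

```python
"""Triage a HijackThis 2.0 log.

Added example for the thread above; it is not part of the forum post and not
HijackThis itself. It parses the "Oxx - ..." entries and flags the classes of
entry that most often carry a browser/system hijack: O18 MIME filter hijacks,
O20 AppInit_DLLs, an IE ProxyServer value, and registrations whose file is gone.
"""
import re
from dataclasses import dataclass

# Constructed sample: seven lines copied from the HJT log quoted in the thread.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\system32\AcroIEHelpe5.dll
O2 - BHO: (no name) - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Filter hijack: text/html - {a617265e-df50-4ee2-8f8a-5a52fe8657d0} - C:\WINDOWS\system32\mst122.dll
O20 - AppInit_DLLs: karna.dat pqkloo.dll uoilab.dll
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
"""

# One HJT entry: a section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", then the body.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    code: str       # HJT section code, e.g. "O18"
    severity: str   # "high", "medium" or "low" (this example's own scale)
    reason: str     # why a defender should look at this entry
    line: str       # the original log line, verbatim


def parse_hjt(text):
    """Return (code, body, line) for every HJT entry line; other lines (the
    process list, the header, 'End of file') are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip(), line))
    return entries


def triage(entries):
    """Apply the classic HJT triage rules to parsed entries."""
    findings = []
    for code, body, line in entries:
        if code == "O18" and body.lower().startswith("filter hijack"):
            # A MIME filter on text/html sees (and can rewrite) every HTML page
            # IE renders; legitimate software almost never registers one.
            findings.append(Finding(code, "high",
                "MIME filter registered for text/html: all HTML passes through this DLL", line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:  # an empty AppInit_DLLs value is the normal state
                # Every module listed here is loaded into every process that
                # loads user32.dll, so it reaches browsers and security tools alike.
                findings.append(Finding(code, "high",
                    "AppInit_DLLs loads %d module(s) into every GUI process: %s"
                    % (len(dlls), ", ".join(dlls)), line))
        elif code == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            findings.append(Finding(code, "medium",
                "IE ProxyServer value set to '%s': browser traffic may be routed through it"
                % value, line))
        elif "(no file)" in body:
            findings.append(Finding(code, "low",
                "registration points at a missing file (orphaned, harmless to remove)", line))
    return findings


def appinit_modules(entries):
    """Names listed in AppInit_DLLs, for follow-up lookup by the helper."""
    for code, body, _ in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            return body.split(":", 1)[1].split()
    return []


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print("[%s] %s: %s" % (f.severity.upper(), f.code, f.reason))
        print("    " + f.line)
```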

  • Root Admin

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

Then try to run this.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.



Couldn't go to either of those pages on this computer, but saved from the laptop to a flash drive and copied to the desktop. Logs pasted below. Please advise of next actions. Thanks.

DDS (Ver_09-02-01.01) - NTFSx86

Run by jh at 20:09:36.95 on Thu 02/26/2009

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.799 [GMT -8:00]

AV: Norton AntiVirus *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\WINDOWS\system32\LxrSII1s.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\ssoftsrv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

c:\program files\common files\symantec shared\ccapp.exe

c:\program files\adaptec\easy cd creator 5\directcd\directcd.exe

c:\program files\creative\sharedll\ctnotify.exe

c:\program files\creative\nomad jukebox 3\playcenter2\ctnmrun.exe

c:\program files\lexmark x6100 series\lxbfbmgr.exe

c:\program files\java\jre6\bin\jusched.exe

c:\program files\common files\real\update_ob\realsched.exe

c:\program files\common files\{24ba00fb-07c9-1033-1120-020326200001}\update.exe

c:\program files\messenger\msmsgs.exe

c:\program files\creative\sync manager unicode\ctsyncu.exe

c:\windows\system32\ctfmon.exe

c:\program files\common files\nikon\monitor\nkmonitor.exe

c:\program files\zone_alarm\zonealarm\zonealarm.exe

C:\Program Files\Creative\Sharedll\Mediadet.exe

c:\program files\lexmark x6100 series\lxbfbmon.exe

c:\program files\yahoo!\messenger\ymsgr_tray.exe

c:\program files\verizon\mccibrowser.exe

c:\windows\system32\zonelabs\vsmon.exe

c:\program files\internet explorer\iexplore.exe

c:\documents and settings\jh\desktop\dds.scr

c:\documents and settings\jh\desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uWindow Title = Microsoft Internet Explorer provided by Comcast

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

mWindow Title = Microsoft Internet Explorer provided by Comcast

uSearchAssistant = hxxp://www.google.com

mSearchAssistant = hxxp://www.google.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Reader Link Helper: {b782ede4-ccb3-4e3e-981f-96c68116f38c} - c:\windows\system32\AcroIEHelpe5.dll

BHO: {C5BF49A2-94F3-42BD-F434-3604812C8955} - No File

TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe

uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"

uRun: [NOMAD Detector] "c:\program files\creative\nomad jukebox 3\playcenter2\ctnmrun.exe"

uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\yahoomessenger.exe" -quiet

uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"

mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"

mRun: [AdaptecDirectCD] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe

mRun: [Disc Detector] c:\program files\creative\sharedll\CtNotify.exe

mRun: [CTStartup] c:\program files\creative\splash screen\CTEaxSpl.EXE /run

mRun: [NOMAD Detector] c:\program files\creative\nomad jukebox 3\playcenter2\CTNMRUN.EXE

mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer

mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

uExplorerRun: [{24BA00FB-07C9-1033-1120-020326200001}] "c:\program files\common files\{24ba00fb-07c9-1033-1120-020326200001}\Update.exe" mc-110-12-0000103

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zoneal~1.lnk - c:\program files\zone_alarm\zonealarm\zonealarm.exe

mPolicies-explorer: <NO NAME> =

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: Schoolpop - file://c:\program files\schoolpopshoppingbuddy\system\temp\schoolpop_script0.htm

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe

IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/

IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/

IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll

DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab

DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab

DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab

DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://www.ritzpix.com/net/Uploader/ImageUploader3.cab

DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} - hxxp://www.ritzpix.com/net/Uploader/LPUploader41.cab

DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe

Filter: text/html - {a617265e-df50-4ee2-8f8a-5a52fe8657d0} - c:\windows\system32\mst122.dll

Notify: igfxcui - igfxsrvc.dll

AppInit_DLLs: karna.dat pqkloo.dll uoilab.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jh\applic~1\mozilla\firefox\profiles\t42pdmo5.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll

FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----

FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.19

============= SERVICES / DRIVERS ===============

R1 GhPciScan;GhostPciScanner;c:\program files\norton systemworks\norton ghost\GhPciScan.sys [2002-8-14 5632]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-3-24 141312]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2003-3-7 317128]

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-2-4 70016]

R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2003-4-26 22400]

R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2004-2-1 35552]

R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2004-5-21 114944]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081001.003\NAVENG.Sys [2008-10-1 89104]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081001.003\NavEx15.Sys [2008-10-1 873552]

R3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2004-2-1 235744]

R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-3-6 177048]

S0 Cdr4vsd;Cdr4vsd; [x]

S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2003-9-1 99352]

S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]

S3 NAV Alert;NAV Alert;c:\progra~1\navnt\alertsvc.exe --> c:\progra~1\navnt\alertsvc.exe [?]

S3 NAVAP;NAVAP;c:\windows\system32\drivers\navap.sys [2003-3-4 183520]

============== File Associations ===============

inffile=c:\windows\NOTEPAD.EXE %1

inifile=c:\windows\NOTEPAD.EXE %1

txtfile=c:\windows\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-02-23 22:01 <DIR> --d----- c:\program files\m1

2009-02-23 21:36 79,648 a------- c:\windows\system32\AcroIEHelpe5.dll

2009-02-21 12:03 <DIR> --d----- c:\documents and settings\jh\.java

2009-02-06 20:04 410,984 a------- c:\windows\system32\deploytk.dll

2009-02-01 10:15 897 -------- c:\windows\system32\liveupdt.tri

==================== Find3M ====================

2009-02-22 09:19 850,944 a------- c:\windows\system32\wininet.dll

2009-02-22 09:19 21,504 a------- c:\windows\system32\powrprof.dll

2009-01-04 18:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-04 18:38 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-01 18:05 71,299 a------- c:\windows\system32\rn.tmp

2008-10-22 19:16 2,351,120 a------- c:\program files\mbam-setup.exe

2008-10-21 19:51 1,662,875 a------- c:\program files\SmitfraudFix.exe

2008-10-21 19:39 690,568 a------- c:\program files\rr-free-setup.exe

2008-10-21 14:46 16,034 a------- c:\docume~1\jh\applic~1\ewyfuniq.com

2008-10-21 14:46 10,657 a------- c:\docume~1\alluse~1\applic~1\gasazehut.dat

2008-10-17 19:28 13,268 a------- c:\docume~1\jh\applic~1\eleresyxe.bin

2008-05-31 16:33 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT

2003-07-30 20:50 226,464 a------- c:\program files\common files\yahoo!_messenger_install.exe

2003-03-07 19:36 32 a--sh--- c:\windows\{070F309E-8F72-4679-88C4-1F223729826F}.dat

2003-03-07 19:39 32 a--sh--- c:\windows\{1A2D535E-7669-4EFD-87E8-A02C7CAAE1BD}.dat

2003-03-07 19:36 32 a--sh--- c:\windows\{51D64F9A-FA37-4394-A98E-20568BBE6D67}.dat

2003-03-07 19:38 32 a--sh--- c:\windows\{74CEF4F9-E504-4620-AFB4-1140679791A3}.dat

2003-03-07 19:33 32 a--sh--- c:\windows\{7B4CD8BC-62AF-4CD0-BDA9-5686C5B737E2}.dat

2003-03-07 19:36 32 a--sh--- c:\windows\{E33A4DA5-184C-40A1-AC86-BD60E10DE650}.dat

2003-03-07 19:37 32 a--sh--- c:\windows\{E7772A0D-15AC-4380-BEB0-226FC1B73059}.dat

2004-08-03 23:56 1,028,096 ---sh--- c:\windows\system32\mfc42.dll

2004-08-03 23:56 54,784 a--sh--- c:\windows\system32\msvcirt.dll

2004-08-03 23:56 413,696 a--sh--- c:\windows\system32\msvcp60.dll

2004-08-03 23:56 343,040 a--sh--- c:\windows\system32\msvcrt.dll

2007-12-04 10:38 550,912 a--sh--- c:\windows\system32\oleaut32.dll

2004-08-03 23:56 83,456 a--sh--- c:\windows\system32\olepro32.dll

2004-08-03 23:56 11,776 ---sh--- c:\windows\system32\regsvr32.exe

2003-03-07 19:37 32 a--sh--- c:\windows\system32\{0D3A7416-8BAB-4168-BEC6-5077ABDE624E}.dat

2003-03-07 19:36 32 a--sh--- c:\windows\system32\{1E5F5B4C-CD95-4896-8698-EC96082C55D2}.dat

2003-03-07 19:36 32 a--sh--- c:\windows\system32\{289AC2E8-826D-4DB4-80A3-0DE3E67B5171}.dat

2003-03-07 19:38 32 a--sh--- c:\windows\system32\{5F8A89AA-C0A3-4BC8-B25C-439C25D228FB}.dat

2003-03-07 19:39 32 a--sh--- c:\windows\system32\{7740985C-4FAD-4BBD-90E3-B56DABC4498D}.dat

2003-03-07 19:33 32 a--sh--- c:\windows\system32\{D781CBA0-3619-4015-A833-35BDEC787E8E}.dat

2003-03-07 19:36 32 a--sh--- c:\windows\system32\{E1284A43-4873-4637-A9DB-91F226580E3F}.dat

2008-10-12 20:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101220081013\index.dat

2008-10-17 19:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101720081018\index.dat

============= FINISH: 20:11:51.78 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 3/1/2003 5:24:09 PM

System Uptime: 2/26/2009 8:01:52 PM (0 hours ago)

Motherboard: TriGem Computer, Inc. | | Imperial

Processor: Intel® Celeron® CPU 2.00GHz | WMT478/NWD | 1993/mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 37 GiB total, 7.492 GiB free.

D: is CDROM ()

E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: PlayLinc Adapter

Device ID: ROOT\NET\0001

Manufacturer: Super Computer Inc.

Name: PlayLinc Adapter

PNP Device ID: ROOT\NET\0001

Service: hamachi_oem

==== System Restore Points ===================

RP15: 1/3/2009 10:12:56 PM - Restore Operation

RP16: 1/3/2009 10:12:57 PM - Software Distribution Service 3.0

RP17: 1/3/2009 10:12:57 PM - System Checkpoint

RP18: 1/3/2009 10:12:58 PM - Software Distribution Service 3.0

RP19: 1/3/2009 10:12:58 PM - Software Distribution Service 3.0

RP20: 1/3/2009 10:12:58 PM - Last known good configuration

RP21: 1/3/2009 10:12:59 PM - Last known good configuration

RP22: 1/3/2009 10:12:59 PM - System Checkpoint

RP23: 1/3/2009 10:12:59 PM - Shockwave Player

RP24: 1/3/2009 10:13:38 PM - Last known good configuration

RP25: 1/12/2009 7:54:05 AM - System Checkpoint

RP26: 1/17/2009 12:36:22 AM - System Checkpoint

RP27: 1/18/2009 12:38:28 AM - System Checkpoint

RP28: 1/21/2009 9:11:52 AM - System Checkpoint

RP29: 1/25/2009 11:40:36 AM - System Checkpoint

RP30: 2/6/2009 8:04:05 PM - Installed Java 6 Update 11

RP31: 2/9/2009 11:02:48 AM - System Checkpoint

RP32: 2/10/2009 12:00:05 PM - System Checkpoint

RP33: 2/11/2009 12:33:15 PM - System Checkpoint

RP34: 2/12/2009 12:57:45 PM - System Checkpoint

==== Installed Programs ======================

3D Groove Playback Engine

3D Home Interiors

Abacast Client

ABBYY FineReader 5.0 Sprint Plus

ACDSee

Ad-aware 6 Personal

Adobe Acrobat 5.0

Adobe Download Manager 2.0 (Remove Only)

Adobe Flash Player ActiveX

Adobe Photoshop Elements 2.0

Adobe Reader 7.0.9

Adobe Shockwave Player 11

America Online

AOL Coach Version 1.0(Build:20020823.1)

AOL Instant Messenger (SM)

Apple Software Update

ArcSoft Camera Suite

Avance AC'97 Audio

AviSplit Classic Version 1.43

Bicycle Casino

BigFix

Camera Window

Canon Camera Window for ZoomBrowser EX

Canon PhotoRecord

Canon RAW Image Task for ZoomBrowser EX

Canon RemoteCapture Task for ZoomBrowser EX

Canon Utilities PhotoStitch 3.1

Canon Utilities ZoomBrowser EX

CompuServe

Conexant SoftK56 Modem(M)

Creative Removable Disk Manager

Creative System Information

Creative ZEN V Series

Cryptainer LE

Disney's Toontown Online

Easy CD Creator 5 Platinum

FLV Player

Google Toolbar for Internet Explorer

Harry Potter II - DEMO 2

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB926239)

Hotfix for Windows XP (KB952287)

Hoyle Board Games 3

Hoyle Casino 2004

Hoyle Solitaire

HP Photo Imaging Software

HP Photo Printing Software

ICQ

Intel® 82845G Graphics Driver Software

InterActual Player

iPIX MovieViewer

J2SE Runtime Environment 5.0 Update 12

Java 2 Runtime Environment Standard Edition v1.3.1_02

Java 6 Update 11

Java 6 Update 5

Java 6 Update 7

Kate's Video Joiner

Lexmark X6100 Series

LiveReg (Symantec Corporation)

LiveUpdate 3.0 (Symantec Corporation)

Malwarebytes' Anti-Malware

Malwarebytes' RogueRemover

MediaJoin

Memorex exPressit Label Design Studio

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Money 2002

Microsoft Money 2002 System Pack

Microsoft National Language Support Downlevel APIs

Microsoft Office 97, Professional Edition

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Microsoft Works 6.0

MiniGolf

Mozilla Firefox (2.0.0.16)

MSXML 4.0 SP2 (KB936181)

Neopets

Nikon Message Center

Nikon Transfer

NOMAD Jukebox 3

NOMAD Jukebox 3 Driver

Norton CleanSweep

Norton Speed Disk 7.0 for Windows NT

Norton SystemWorks 2003

Norton Utilities 2003 for Windows

Norton WMI Update

NoteCard

OpenOffice.org Installer 1.0

PhotoStitch

PICVideo Codecs

PlayLinc

PowerDVD

Print to Fax

QuickPar 0.9

RAW Image Task

RemoteCapture Task 1.0.1

Schoolpop Shopping Buddy

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893066)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901190)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB905915)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921503)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925454)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933729)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB936021)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB938829)

Security Update for Windows XP (KB941202)

Security Update for Windows XP (KB941568)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB941644)

Security Update for Windows XP (KB941693)

Security Update for Windows XP (KB943055)

Security Update for Windows XP (KB943460)

Security Update for Windows XP (KB943485)

Security Update for Windows XP (KB944653)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946026)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB948590)

Security Update for Windows XP (KB950749)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB958644)

Shockwave

Spybot - Search & Destroy 1.3

Spyware Terminator

Symantec Network Drivers Update

Tweak UI

Update for Windows XP (KB894391)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB904942)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB927891)

Update for Windows XP (KB929338)

Update for Windows XP (KB930916)

Update for Windows XP (KB931836)

Update for Windows XP (KB932823-v3)

Update for Windows XP (KB933360)

Update for Windows XP (KB936357)

Update for Windows XP (KB938828)

Update for Windows XP (KB942763)

Update for Windows XP (KB951072-v2)

Verizon Online Help and Support

VideoLAN VLC media player 0.8.2

Virtools 3D Life Player

Visioneer 3300 Scanner Driver

WebFldrs XP

Winamp (remove only)

Windows Backup Utility

Windows Genuine Advantage v1.3.0254.0

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Media Format 11 runtime

Windows Media Player 10 Hotfix - KB895316

Windows Media Player 11

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

Windows XP Service Pack 2

WinRAR archiver

Yahoo! extras

Yahoo! Install Manager

Yahoo! Internet Mail

Yahoo! Messenger

Yahoo! Messenger Explorer Bar

Yahoo! Toolbar

ZENcast Organizer

ZoneAlarm

==== Event Viewer Messages From Past Week ========

2/20/2009 7:21:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep

2/20/2009 7:21:29 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the file specified.

2/20/2009 7:21:29 PM, error: Service Control Manager [7000] - The Norton Program Scheduler service failed to start due to the following error: The system cannot find the path specified.

2/20/2009 7:21:29 PM, error: Service Control Manager [7000] - The NAV Auto-Protect service failed to start due to the following error: The system cannot find the path specified.

2/20/2009 7:55:36 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

2/21/2009 10:02:27 AM, error: PSched [14103] - QoS [Adapter {70268313-4049-47E4-86F9-AAF4D04472F4}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.

2/21/2009 10:36:21 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

2/21/2009 10:36:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

2/21/2009 10:36:35 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

2/21/2009 10:37:01 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.

2/21/2009 10:37:01 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

2/21/2009 10:37:01 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.

2/21/2009 10:37:01 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

2/21/2009 10:37:01 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Beep Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss sp_rsdrv2 SYMTDI Tcpip

2/21/2009 5:43:01 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1e02000, parameter2 00000002, parameter3 00000000, parameter4 b1273cf6.

2/21/2009 10:52:17 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

2/22/2009 1:27:07 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1db4000, parameter2 00000002, parameter3 00000000, parameter4 b125acf6.

2/22/2009 2:23:03 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1dfe000, parameter2 00000002, parameter3 00000000, parameter4 b12a0cf6.

2/24/2009 7:06:29 AM, error: System Error [1003] - Error code 100000d1, parameter1 e1d8e000, parameter2 00000002, parameter3 00000000, parameter4 b1ef8cf6.

2/25/2009 7:39:31 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1d91000, parameter2 00000002, parameter3 00000000, parameter4 b1f16cf6.

2/26/2009 8:09:22 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NProtectService service.

==== End Of File ===========================

Combofix will not run


  • Root Admin

STEP 01

These programs are old and have exploited code and need to be removed.

Adobe Reader 7.0.9

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

J2SE Runtime Environment 5.0 Update 12

Java 2 Runtime Environment Standard Edition v1.3.1_02

Java


I have followed the instructions. Steps 01 through 04 are complete, logs below. However, could not run step 05, since MBAM still does not run. Tried the random name version, and tried redownloading and installing, and still won't run.

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Fri Feb 27 19:06:57 2009

------------------------------------

Finished reporting.

Logfile of The Avenger Version 2.0,

Edited by AdvancedSetup
Removed un-needed quoting

UPDATE:

- after several tries renaming it, finally got combofix to run, and installed the recovery console, and ran it. It created the log and looked like it deleted a bunch of stuff, but after it finished went into what looked like an infinite loop on reboot, where it got partway through the startup and then began again.

- Selected safe mode, and it behaved the same, got stuck in the safe mode dialog box over and over.

- went back to regular mode and the only way to break through on startup was run combofix again. So unfortunately, the log pasted below I believe is from the second pass of combofix and does not contain what it found the first time.

- note: when combofix ran the first time, it notified of possible root kits and had me write several files manually. Let me know if you need those transcribed to here.

ComboFix 09-02-28.01 - jh 2009-02-28 20:16:58.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.958 [GMT -8:00]

Running from: C:\Documents and Settings\jh\Desktop\bababooi.exe

.

((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))

.

2009-02-28 20:19 . 2009-02-28 20:19 <DIR> d-------- C:\WINDOWS\LastGood

2009-02-28 10:43 . 2009-02-28 10:43 5,164 --a------ C:\WINDOWS\system32\uacinit.dll

2009-02-23 22:01 . 2009-02-28 08:42 <DIR> d-------- C:\Program Files\m1

2009-02-06 20:04 . 2009-02-06 20:04 410,984 --a------ C:\WINDOWS\system32\deploytk.dll

2009-02-01 10:15 . 2006-07-19 16:06 897 --------- C:\WINDOWS\system32\liveupdt.tri

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-01 03:32 --------- d-----w C:\Program Files\Common

2009-02-28 04:15 36,352 ----a-w C:\WINDOWS\Internet Logs\xDB227.tmp

2009-02-28 04:15 1,410,048 ----a-w C:\WINDOWS\Internet Logs\xDB226.tmp

2009-02-28 04:10 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware

2009-02-28 03:06 --------- d-----w C:\Program Files\Symantec

2009-02-28 03:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2009-02-28 03:02 --------- d-----w C:\Program Files\Norton SystemWorks

2009-02-28 02:57 --------- d--h--w C:\Program Files\InstallShield Installation Information

2009-02-28 02:52 --------- d-----w C:\Program Files\InterActual

2009-02-28 02:48 --------- d-----w C:\Program Files\BigFix

2009-02-28 02:46 --------- d-----w C:\Program Files\Common Files\Adaptec Shared

2009-02-28 02:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2009-02-28 02:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-28 02:39 --------- d-----w C:\Program Files\Common Files\Adobe

2009-02-27 04:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2009-02-27 04:01 16,896 ----a-w C:\WINDOWS\Internet Logs\xDB225.tmp

2009-02-27 04:01 1,397,248 ----a-w C:\WINDOWS\Internet Logs\xDB224.tmp

2009-02-26 04:34 20,992 ----a-w C:\WINDOWS\Internet Logs\xDB223.tmp

2009-02-26 04:34 1,369,600 ----a-w C:\WINDOWS\Internet Logs\xDB222.tmp

2009-02-25 23:24 18,944 ----a-w C:\WINDOWS\Internet Logs\xDB221.tmp

2009-02-25 23:24 1,371,648 ----a-w C:\WINDOWS\Internet Logs\xDB220.tmp

2009-02-24 14:51 1,372,672 ----a-w C:\WINDOWS\Internet Logs\xDB21E.tmp

2009-02-24 14:38 22,016 ----a-w C:\WINDOWS\Internet Logs\xDB21F.tmp

2009-02-24 04:41 14,848 ----a-w C:\WINDOWS\Internet Logs\xDB21D.tmp

2009-02-23 23:04 1,370,112 ----a-w C:\WINDOWS\Internet Logs\xDB21C.tmp

2009-02-22 22:36 18,944 ----a-w C:\WINDOWS\Internet Logs\xDB21B.tmp

2009-02-22 22:36 1,369,600 ----a-w C:\WINDOWS\Internet Logs\xDB21A.tmp

2009-02-22 22:13 12,800 ----a-w C:\WINDOWS\Internet Logs\xDB219.tmp

2009-02-22 21:27 1,369,600 ----a-w C:\WINDOWS\Internet Logs\xDB218.tmp

2009-02-22 19:39 20,992 ----a-w C:\WINDOWS\Internet Logs\xDB217.tmp

2009-02-22 07:07 1,369,600 ----a-w C:\WINDOWS\Internet Logs\xDB216.tmp

2009-02-22 06:54 15,872 ----a-w C:\WINDOWS\Internet Logs\xDB215.tmp

2009-02-22 06:31 1,370,112 ----a-w C:\WINDOWS\Internet Logs\xDB214.tmp

2009-02-22 00:40 19,456 ----a-w C:\WINDOWS\Internet Logs\xDB213.tmp

2009-02-22 00:40 1,369,600 ----a-w C:\WINDOWS\Internet Logs\xDB212.tmp

2009-02-21 20:16 27,648 ----a-w C:\WINDOWS\Internet Logs\xDB211.tmp

2009-02-21 20:06 1,371,648 ----a-w C:\WINDOWS\Internet Logs\xDB210.tmp

2009-02-14 16:12 19,456 ----a-w C:\WINDOWS\Internet Logs\xDB20F.tmp

2009-02-14 07:36 1,371,648 ----a-w C:\WINDOWS\Internet Logs\xDB20E.tmp

2009-02-14 07:30 --------- d-----w C:\Program Files\Viewpoint

2009-02-14 07:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint

2009-02-14 05:59 29,184 ----a-w C:\WINDOWS\Internet Logs\xDB20D.tmp

2009-02-14 05:59 1,368,576 ----a-w C:\WINDOWS\Internet Logs\xDB20C.tmp

2009-02-13 05:00 --------- d-----w C:\Program Files\MediaJoin

2009-02-13 04:27 17,408 ----a-w C:\WINDOWS\Internet Logs\xDB20B.tmp

2009-02-13 04:27 1,336,832 ----a-w C:\WINDOWS\Internet Logs\xDB20A.tmp

2009-02-13 02:55 28,672 ----a-w C:\WINDOWS\Internet Logs\xDB209.tmp

2009-02-13 02:55 1,382,912 ----a-w C:\WINDOWS\Internet Logs\xDB208.tmp

2009-02-11 18:19 38,496 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2009-02-11 18:19 15,504 ----a-w C:\WINDOWS\system32\drivers\mbam.sys

2009-02-09 04:20 28,672 ----a-w C:\WINDOWS\Internet Logs\xDB207.tmp

2009-02-09 04:11 1,330,176 ----a-w C:\WINDOWS\Internet Logs\xDB206.tmp

2009-02-08 01:38 12,800 ----a-w C:\WINDOWS\Internet Logs\xDB205.tmp

2009-02-07 22:58 1,319,424 ----a-w C:\WINDOWS\Internet Logs\xDB204.tmp

2009-02-07 04:16 40,448 ----a-w C:\WINDOWS\Internet Logs\xDB203.tmp

2009-02-07 04:16 1,355,264 ----a-w C:\WINDOWS\Internet Logs\xDB202.tmp

2009-02-01 21:54 60,416 ----a-w C:\WINDOWS\Internet Logs\xDB201.tmp

2009-02-01 21:54 1,289,216 ----a-w C:\WINDOWS\Internet Logs\xDB200.tmp

2009-01-24 06:10 1,251,328 ----a-w C:\WINDOWS\Internet Logs\xDB1FE.tmp

2009-01-24 04:08 44,032 ----a-w C:\WINDOWS\Internet Logs\xDB1FF.tmp

2009-01-18 17:36 12,800 ----a-w C:\WINDOWS\Internet Logs\xDB1FD.tmp

2009-01-18 16:32 1,244,672 ----a-w C:\WINDOWS\Internet Logs\xDB1FC.tmp

2009-01-18 16:29 28,672 ----a-w C:\WINDOWS\Internet Logs\xDB1FB.tmp

2009-01-17 19:07 --------- d-----w C:\Documents and Settings\jh\Application Data\Creative

2009-01-13 01:03 19,456 ----a-w C:\WINDOWS\Internet Logs\xDB1FA.tmp

2009-01-12 05:34 1,177,088 ----a-w C:\WINDOWS\Internet Logs\xDB1F9.tmp

2009-01-12 05:09 18,944 ----a-w C:\WINDOWS\Internet Logs\xDB1F8.tmp

2009-01-12 04:00 1,181,696 ----a-w C:\WINDOWS\Internet Logs\xDB1F7.tmp

2009-01-11 22:02 28,160 ----a-w C:\WINDOWS\Internet Logs\xDB1F6.tmp

2009-01-11 21:35 1,250,304 ----a-w C:\WINDOWS\Internet Logs\xDB1F5.tmp

2009-01-09 06:15 --------- d-----w C:\Program Files\ICQ

2009-01-04 06:15 1,195,520 ----a-w C:\WINDOWS\Internet Logs\xDB1F3.tmp

2009-01-04 06:13 27,136 ----a-w C:\WINDOWS\Internet Logs\xDB1F4.tmp

2009-01-02 01:36 47,104 ----a-w C:\WINDOWS\Internet Logs\xDB1F2.tmp

2009-01-02 01:36 1,192,448 ----a-w C:\WINDOWS\Internet Logs\xDB1F1.tmp

2008-12-27 21:04 28,160 ----a-w C:\WINDOWS\Internet Logs\xDB1F0.tmp

2008-12-27 21:04 1,178,624 ----a-w C:\WINDOWS\Internet Logs\xDB1EF.tmp

2008-12-24 04:11 1,179,648 ----a-w C:\WINDOWS\Internet Logs\xDB1ED.tmp

2008-12-24 03:39 28,672 ----a-w C:\WINDOWS\Internet Logs\xDB1EE.tmp

2008-12-21 07:49 18,432 ----a-w C:\WINDOWS\Internet Logs\xDB1EC.tmp

2008-12-21 07:44 1,177,088 ----a-w C:\WINDOWS\Internet Logs\xDB1EB.tmp

2008-12-21 07:36 30,720 ----a-w C:\WINDOWS\Internet Logs\xDB1EA.tmp

2008-12-21 05:53 1,177,600 ----a-w C:\WINDOWS\Internet Logs\xDB1E9.tmp

2008-12-16 05:51 28,672 ----a-w C:\WINDOWS\Internet Logs\xDB1E8.tmp

2008-12-16 05:39 1,171,456 ----a-w C:\WINDOWS\Internet Logs\xDB1E7.tmp

2008-12-15 05:29 15,360 ----a-w C:\WINDOWS\Internet Logs\xDB1E6.tmp

2008-12-15 04:45 1,160,704 ----a-w C:\WINDOWS\Internet Logs\xDB1E5.tmp

2008-12-14 16:49 22,016 ----a-w C:\WINDOWS\Internet Logs\xDB1E4.tmp

2008-12-14 16:09 1,163,264 ----a-w C:\WINDOWS\Internet Logs\xDB1E3.tmp

2008-12-13 18:34 12,800 ----a-w C:\WINDOWS\Internet Logs\xDB1E2.tmp

2008-12-13 18:23 37,376 ----a-w C:\WINDOWS\Internet Logs\xDB1E1.tmp

2008-12-13 18:22 1,154,560 ----a-w C:\WINDOWS\Internet Logs\xDB1E0.tmp

2008-12-06 21:46 38,912 ----a-w C:\WINDOWS\Internet Logs\xDB1DF.tmp

2008-10-23 03:16 2,351,120 ----a-w C:\Program Files\mbam-setup.exe

2008-10-22 03:51 1,662,875 ----a-w C:\Program Files\SmitfraudFix.exe

2008-10-22 03:39 690,568 ----a-w C:\Program Files\rr-free-setup.exe

2003-07-31 04:50 226,464 ----a-w C:\Program Files\Common Files\yahoo!_messenger_install.exe

2008-08-04 22:32 67,696 ----a-w C:\Program Files\mozilla firefox\components\jar50.dll

2008-08-04 22:32 54,376 ----a-w C:\Program Files\mozilla firefox\components\jsd3250.dll

2008-08-04 22:32 34,952 ----a-w C:\Program Files\mozilla firefox\components\myspell.dll

2008-08-04 22:32 46,720 ----a-w C:\Program Files\mozilla firefox\components\spellchk.dll

2008-08-04 22:32 172,144 ----a-w C:\Program Files\mozilla firefox\components\xpinstal.dll

2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll

2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll

2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll

2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll

2007-12-04 18:38 550,912 --sha-w C:\WINDOWS\system32\oleaut32.dll

2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll

2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe

2008-10-13 04:44 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101220081013\index.dat

2008-10-18 03:21 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101720081018\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]

"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 12:00 28739]

"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [bU]

"NOMAD Detector"="C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE" [2002-03-05 03:15 18432]

"Yahoo! Pager"="c:\program files\yahoo!\messenger\yahoomessenger.exe" [2006-11-30 21:49 4662776]

"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 17:08 692224]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [bU]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-09-09 00:05 114688]

"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 17:06 45056]

"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 02:00 191488]

"CTStartup"="C:\program files\creative\splash screen\CTEaxSpl.EXE" [2001-12-20 01:00 28672]

"NOMAD Detector"="C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE" [2002-03-05 03:15 18432]

"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-22 22:01 57344]

"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 15:52 936960]

"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-03 23:56 380416 C:\WINDOWS\system32\irprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 19:10:42 479232]

ZoneAlarm.lnk - C:\Program Files\zone_alarm\ZoneAlarm\zonealarm.exe [2003-03-06 20:56:01 623936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]

[bU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i263_32.drv

"VIDC.I263"= i263_32.drv

"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

"VIDC.MJPG"= pvmjpg21.dll

"VIDC.PVW2"= pvwv220.dll

"VIDC.PIMJ"= pvljpg20.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphclf1j0elbj]

C:\WINDOWS\system32\lphclf1j0elbj.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcgf1j0elbj]

C:\Program Files\rhcgf1j0elbj\rhcgf1j0elbj.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\wjview.exe"=

"C:\\Program Files\\SchoolpopShoppingBuddy\\SchoolpopShoppingBuddy.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\WINDOWS\\system32\\LEXPPS.EXE"=

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 LxrSII1d;Secure II Driver;C:\WINDOWS\system32\drivers\LxrSII1d.sys [2007-02-04 11:31:07 70016]

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [2003-04-26 10:25:41 22400]

R2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\drivers\ssoftnt4.sys [2004-05-21 01:30:02 114944]

S2 NAV Auto-Protect;NAV Auto-Protect;C:\PROGRA~1\Navnt\navapsvc.exe --> C:\PROGRA~1\Navnt\navapsvc.exe [?]

S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" --> C:\Program Files\Viewpoint\Common\ViewpointService.exe [?]

S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\drivers\gan_adapter.sys [2006-10-19 10:11:40 10664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93633a68-02f7-11de-bebb-00402b2f1327}]

\Shell\AutoRun\command - F:\__STICKYDRIVE\StickyDrive.exe

\Shell\StickyDrive\Command - F:\__STICKYDRIVE\StickyDrive.exe

.

Contents of the 'Scheduled Tasks' folder

2009-02-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-03-01 C:\WINDOWS\Tasks\cecerhqt.job

- C:\WINDOWS\system32\rqRHaWMg.dll []

2009-03-01 C:\WINDOWS\Tasks\Symantec NetDetect.job

- C:\Program Files\Symantec\LiveUpdate\NDetect.exe []

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = hxxp://www.google.com

mWindow Title = Microsoft Internet Explorer provided by Comcast

IE: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

IE: Schoolpop - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm

IE: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

DPF: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab

FF - ProfilePath - C:\Documents and Settings\jh\Application Data\Mozilla\Firefox\Profiles\t42pdmo5.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: C:\Program Files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll

FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----

FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.19.

.

------- File Associations -------

.

inffile=C:\WINDOWS\NOTEPAD.EXE %1

inifile=C:\WINDOWS\NOTEPAD.EXE %1

txtfile=C:\WINDOWS\NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-28 20:21:53

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????????E?@?Disc Detector?A????? ?A???????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?P ????B???@?????P?????@?? ????????A~??????????@???????????????????B?????\ ???????????????????P??????r?B

CTStartup = C:\program files\creative\splash screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????:????A~??A~????????\???\???????????U?A~??A~\???\???????( a??????C@?\???\??????s????\??????s\????:??A??s?:???C@?x???`|?w\?????@

scanning hidden files ...

C:\WINDOWS\$NtUninstallKB956802$

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2312)

C:\Program Files\Common Files\Motive\McciContextHook_5-0-0_DSR.dll

.

Completion time: 2009-02-28 20:25:25

ComboFix-quarantined-files.txt 2009-03-01 04:24:07

ComboFix2.txt 2009-03-01 03:53:16

Pre-Run: 13,617,111,040 bytes free

Post-Run: 13,587,648,512 bytes free

248 --- E O F --- 2008-11-03 23:26:49


  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
C:\Program Files\mbam-setup.exe
C:\Program Files\SmitfraudFix.exe
C:\WINDOWS\Internet Logs\xDB1DF.tmp
C:\WINDOWS\Internet Logs\xDB1E0.tmp
C:\WINDOWS\Internet Logs\xDB1E1.tmp
C:\WINDOWS\Internet Logs\xDB1E2.tmp
C:\WINDOWS\Internet Logs\xDB1E3.tmp
C:\WINDOWS\Internet Logs\xDB1E4.tmp
C:\WINDOWS\Internet Logs\xDB1E5.tmp
C:\WINDOWS\Internet Logs\xDB1E6.tmp
C:\WINDOWS\Internet Logs\xDB1E7.tmp
C:\WINDOWS\Internet Logs\xDB1E8.tmp
C:\WINDOWS\Internet Logs\xDB1E9.tmp
C:\WINDOWS\Internet Logs\xDB1EA.tmp
C:\WINDOWS\Internet Logs\xDB1EB.tmp
C:\WINDOWS\Internet Logs\xDB1EC.tmp
C:\WINDOWS\Internet Logs\xDB1ED.tmp
C:\WINDOWS\Internet Logs\xDB1EE.tmp
C:\WINDOWS\Internet Logs\xDB1EF.tmp
C:\WINDOWS\Internet Logs\xDB1F0.tmp
C:\WINDOWS\Internet Logs\xDB1F1.tmp
C:\WINDOWS\Internet Logs\xDB1F2.tmp
C:\WINDOWS\Internet Logs\xDB1F3.tmp
C:\WINDOWS\Internet Logs\xDB1F4.tmp
C:\WINDOWS\Internet Logs\xDB1F5.tmp
C:\WINDOWS\Internet Logs\xDB1F6.tmp
C:\WINDOWS\Internet Logs\xDB1F7.tmp
C:\WINDOWS\Internet Logs\xDB1F8.tmp
C:\WINDOWS\Internet Logs\xDB1F9.tmp
C:\WINDOWS\Internet Logs\xDB1FA.tmp
C:\WINDOWS\Internet Logs\xDB1FB.tmp
C:\WINDOWS\Internet Logs\xDB1FC.tmp
C:\WINDOWS\Internet Logs\xDB1FD.tmp
C:\WINDOWS\Internet Logs\xDB1FE.tmp
C:\WINDOWS\Internet Logs\xDB1FF.tmp
C:\WINDOWS\Internet Logs\xDB200.tmp
C:\WINDOWS\Internet Logs\xDB201.tmp
C:\WINDOWS\Internet Logs\xDB202.tmp
C:\WINDOWS\Internet Logs\xDB203.tmp
C:\WINDOWS\Internet Logs\xDB204.tmp
C:\WINDOWS\Internet Logs\xDB206.tmp
C:\WINDOWS\Internet Logs\xDB208.tmp
C:\WINDOWS\Internet Logs\xDB20A.tmp
C:\WINDOWS\Internet Logs\xDB20C.tmp
C:\WINDOWS\Internet Logs\xDB20E.tmp
C:\WINDOWS\Internet Logs\xDB210.tmp
C:\WINDOWS\Internet Logs\xDB212.tmp
C:\WINDOWS\Internet Logs\xDB214.tmp
C:\WINDOWS\Internet Logs\xDB216.tmp
C:\WINDOWS\Internet Logs\xDB218.tmp
C:\WINDOWS\Internet Logs\xDB21A.tmp
C:\WINDOWS\Internet Logs\xDB21C.tmp
C:\WINDOWS\Internet Logs\xDB21E.tmp
C:\WINDOWS\Internet Logs\xDB220.tmp
C:\WINDOWS\Internet Logs\xDB222.tmp
C:\WINDOWS\Internet Logs\xDB224.tmp
C:\WINDOWS\Internet Logs\xDB226.tmp
C:\WINDOWS\Internet Logs\xDB205.tmp
C:\WINDOWS\Internet Logs\xDB207.tmp
C:\WINDOWS\Internet Logs\xDB209.tmp
C:\WINDOWS\Internet Logs\xDB20B.tmp
C:\WINDOWS\Internet Logs\xDB20D.tmp
C:\WINDOWS\Internet Logs\xDB20F.tmp
C:\WINDOWS\Internet Logs\xDB211.tmp
C:\WINDOWS\Internet Logs\xDB213.tmp
C:\WINDOWS\Internet Logs\xDB215.tmp
C:\WINDOWS\Internet Logs\xDB217.tmp
C:\WINDOWS\Internet Logs\xDB219.tmp
C:\WINDOWS\Internet Logs\xDB21B.tmp
C:\WINDOWS\Internet Logs\xDB21D.tmp
C:\WINDOWS\Internet Logs\xDB21F.tmp
C:\WINDOWS\Internet Logs\xDB221.tmp
C:\WINDOWS\Internet Logs\xDB223.tmp
C:\WINDOWS\Internet Logs\xDB225.tmp
C:\WINDOWS\Internet Logs\xDB227.tmp
C:\WINDOWS\system32\lphclf1j0elbj.exe
C:\Program Files\rhcgf1j0elbj\rhcgf1j0elbj.exe
C:\WINDOWS\Tasks\cecerhqt.job
C:\WINDOWS\system32\rqRHaWMg.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphclf1j0elbj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcgf1j0elbj]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93633a68-02f7-11de-bebb-00402b2f1327}]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 03

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.
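Before a CFScript is dropped on ComboFix it is worth checking that every File:: line is an absolute path and every Registry:: line is a key header, since a mistyped path (a drive letter missing its colon, for instance) will not match the file it was meant to remove. The following is an added Python example, not ComboFix's own code; it assumes only the three section headers used in scripts like the one above, and the sample script it checks is constructed for illustration.

```python
"""Sanity-check a ComboFix-style CFScript before it is used.

Constructed example, not ComboFix's own code. The only syntax assumed is
what such scripts show: a line ending in '::' opens a section (KILLALL::,
File::, Registry::), File:: lines are absolute paths, and Registry:: lines
are [HKEY...] or [-HKEY...] key headers (leading '-' means delete the key).
"""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Drive letter, colon, backslash, then at least one non-space character.
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
REG_KEY_RE = re.compile(
    r"^\[-?(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKLM|HKCU)\\.+\]$"
)
KNOWN_SECTIONS = {"KILLALL", "File", "Registry"}


def parse_cfscript(text):
    """Return (sections, problems).

    sections maps a section name to the list of entry lines under it;
    problems is a list of (line_number, message) tuples for anything that
    does not look like a valid entry for its section.
    """
    sections = {}
    problems = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip():
            continue  # blank separator lines are allowed anywhere
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            if current not in KNOWN_SECTIONS:
                problems.append((lineno, f"unknown section {current}::"))
            continue
        if current is None:
            problems.append((lineno, "entry appears before any section header"))
            continue
        if line in sections[current]:
            problems.append((lineno, f"duplicate {current}:: entry: {line}"))
        sections[current].append(line)
        if current == "File" and not ABS_PATH_RE.match(line):
            problems.append((lineno, f"File:: entry is not an absolute path: {line}"))
        elif current == "Registry" and not REG_KEY_RE.match(line):
            problems.append((lineno, f"Registry:: entry is not a key header: {line}"))
    return sections, problems


def is_clean(text):
    """True when the script parses without any problems."""
    return not parse_cfscript(text)[1]


# Constructed sample: the second File:: line is missing the colon after C.
SAMPLE = r"""KILLALL::

File::
C:\WINDOWS\Internet Logs\xDB1DF.tmp
C\WINDOWS\Internet Logs\xDB205.tmp
C:\WINDOWS\system32\lphclf1j0elbj.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphclf1j0elbj]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93633a68-02f7-11de-bebb-00402b2f1327}]
"""

if __name__ == "__main__":
    found, issues = parse_cfscript(SAMPLE)
    for name, entries in found.items():
        print(f"{name}:: {len(entries)} entr{'y' if len(entries) == 1 else 'ies'}")
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
```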


Completed steps 1, 2, and 3. Several symptoms appear better as well: MBAM now runs under its own name and updates, and sites where login used to time out (like YouTube) now log in OK.

Pasted in MBAM log (clean) and HijackThis log, but attached ComboFix log (long file).

Please advise next steps.

Malwarebytes' Anti-Malware 1.34

Database version: 1813

Windows 5.1.2600 Service Pack 3

2/28/2009 10:42:38 PM

mbam-log-2009-02-28 (22-42-38).txt

Scan type: Quick Scan

Objects scanned: 71381

Time elapsed: 2 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:52:48 PM, on 2/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\System32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINDOWS\system32\LxrSII1s.exe

C:\WINDOWS\system32\ssoftsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Creative\ShareDLL\CtNotify.exe

C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE

C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe

C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\Sharedll\Mediadet.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\program files\yahoo!\messenger\ymsgr_tray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\jh\Desktop\Fixits\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [CTStartup] C:\program files\creative\splash screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [NOMAD Detector] C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE

O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"

O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE"

O4 - HKCU\..\Run: [Yahoo! Pager] "c:\program files\yahoo!\messenger\yahoomessenger.exe" -quiet

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\zone_alarm\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Schoolpop - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.ritzpix.com/net/Uploader/ImageUploader3.cab

O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader41.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe

O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)

O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)

O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)

O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe

O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--

End of file - 8316 bytes

combofx.txt

  • Root Admin

STEP 01

If needed: Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

STEP 02

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

STEP 03

Please run an Online Anti-Virus scan with either the Java or ActiveX version of Kaspersky

Java Version

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

ActiveX version

Run Kaspersky Online AV Scanner

Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


Followed the steps; computer appears to be running fine with no abnormal symptoms (logins OK, Google OK, any AV or anti-malware programs run under their own names with no issues). One other observation: had a bunch of XP updates to install and hadn't seen any in a while prior to that, so don't know if those had been suppressed for a while.

Pasted in the online Kaspersky and fresh HJT logs below.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Sunday, March 1, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Sunday, March 01, 2009 20:01:33

Records in database: 1860158

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

Scan statistics:

Files scanned: 70333

Threat name: 8

Infected objects: 16

Suspicious objects: 0

Duration of the scan: 02:56:00

File name / Threat name / Threats count

C:\Qoobox\Quarantine\C\Program Files\Common Files\{24BA0~1\Update.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.y 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\AcroIEHelpe5.dll.vir Infected: Trojan.Win32.BHO.mrk 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_UACeaqmoena_.sys.zip Infected: Rootkit.Win32.TDSS.gwh 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\kernel32.dll.vir Infected: Trojan.Win32.Patched.fm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\nwklr.ini.vir Infected: Trojan.Win32.Patched.fm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\nwpp.ini.vir Infected: Trojan.Win32.Patched.fo 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\nwwlnt.ini.vir Infected: Trojan.Win32.Patched.fn 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\powrprof.dll.vir Infected: Trojan.Win32.Patched.fo 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\ppdnp.ini.vir Infected: Trojan.Win32.Patched.fo 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACcvoqdwmi.dll.vir Infected: Packed.Win32.Tdss.c 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrkatqity.dll.vir Infected: Packed.Win32.Tdss.c 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrmtcwrsy.dll.vir Infected: Packed.Win32.Tdss.f 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxyodoyru.dll.vir Infected: Packed.Win32.Tdss.c 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\windmlp.ini.vir Infected: Trojan.Win32.Patched.fn 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\wininet.dll.vir Infected: Trojan.Win32.Patched.fn 1

C:\WINDOWS\system32\kerdnp.ini Infected: Trojan.Win32.Patched.fm 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:08:12 PM, on 3/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\System32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINDOWS\system32\LxrSII1s.exe

C:\WINDOWS\system32\ssoftsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Creative\ShareDLL\CtNotify.exe

C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE

C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Creative\Sharedll\Mediadet.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\rundll32.exe

C:\Documents and Settings\jh\Desktop\Fixits\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [CTStartup] C:\program files\creative\splash screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [NOMAD Detector] C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE

O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"

O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE"

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\zone_alarm\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Schoolpop - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.ritzpix.com/net/Uploader/ImageUploader3.cab

O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader41.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe

O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)

O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)

O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)

O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe

O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--

End of file - 9348 bytes
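The log above is read line by line for entries whose registration no longer matches a file on disk ("(file missing)") or whose service carries no publisher information ("Unknown owner"). As an added example, not part of this thread or of HijackThis itself, the Python below parses O4/O9/O23 lines in that format and returns the entries a reviewer would look at first; the six sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass, field

# Six entries copied verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# O23 lines: "Service: <display name> - <owner/publisher> - <image path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O4 lines: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<command>.+)$")

@dataclass
class Entry:
    section: str                 # "O4", "O9", "O23", ...
    detail: str                  # text after "Oxx - "
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)

def parse_hjt(text):
    """Turn HJT section lines into Entry records carrying triage flags."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # headers, blank lines, "End of file"
        entry = Entry(m.group(1), m.group(2))
        if entry.detail.endswith("(file missing)"):
            entry.flags.append("file missing")      # registration outlived its file
        if entry.section == "O23" and (svc := SERVICE_RE.match(entry.detail)):
            entry.fields = svc.groupdict()
            if svc.group("owner") == "Unknown owner":
                entry.flags.append("unknown owner")  # no publisher recorded
        elif entry.section == "O4" and (run := RUN_RE.match(entry.detail)):
            entry.fields = run.groupdict()
        entries.append(entry)
    return entries

def triage(text):
    """Return only the entries that carry at least one flag."""
    return [e for e in parse_hjt(text) if e.flags]
```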


  • Root Admin

Yes, they were probably suppressed by the malware. Make sure you get all the Windows Critical Updates.

Please delete this file: C:\WINDOWS\system32\kerdnp.ini

Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP 1

Uninstall ComboFix.exe

  • Click START then RUN.
  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • When shown the disclaimer, select "2".

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe

STEP 2

Uninstall GMER

Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.

STEP 3

Uninstall other tools

Please download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe to run it.
  • While connected to the Internet, click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.

NOW please reboot your computer to finish the cleanup process.

Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here.

Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol

Download it from here.

Here you can find information about how WinPatrol works.

Install FireTrust SiteHound

You can find information and download it from here.

Install hpHosts

Download it from here.

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Visit Microsoft often to get the latest updates for your computer.

Note 1:

If you are running Windows XP SP2, you should upgrade to SP3.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free.

A little outdated, but good reading on how to prevent Malware.

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org
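The hpHosts advice in the reply above works by mapping unwanted names to 127.0.0.1 so the connection never leaves the machine. As an added example, not from this thread or from the hpHosts project, the Python below parses a hosts file and separates such blocking entries from entries that point a name at some other address, which is what a reviewer checks when auditing the file, since any hosts entry overrides DNS for that name. The sample hosts content is constructed; the `.test` names and 203.0.113.7 are documentation-reserved values.

```python
import ipaddress

# Constructed sample hosts file (not from this thread): the stock localhost line,
# two hpHosts-style blocking entries, one entry that sends a name to a remote
# address, and one malformed line the resolver would ignore.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test   # block: resolves to this machine
0.0.0.0         malware.example.test       # block: unspecified address
203.0.113.7     www.example-bank.test      # redirect: overrides DNS for this name
not-an-address  junk.test
"""

# Targets a blocklist uses; traffic to names mapped here never leaves the host.
BLOCK_TARGETS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

def parse_hosts(text):
    """Yield (line number, address, hostname) for every usable hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, skip it
        for name in fields[1:]:
            yield lineno, addr, name.lower()

def classify(text):
    """Separate blocking entries (loopback/unspecified) from real redirects."""
    result = {"blocked": [], "redirected": []}
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue                              # the stock entry, expected
        if addr in BLOCK_TARGETS:
            result["blocked"].append(name)
        else:
            result["redirected"].append((lineno, name, str(addr)))
    return result
```

On Windows XP the live file is %windir%\system32\drivers\etc\hosts; anything in `redirected` deserves a look, because a name resolved there will never reach the address DNS would have given.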
