
Trojan.FakeMS and PUM.Hijack.TaskManager



On 6/1 I was hit with Trojan.FakeMS, Trojan.Dropper and PUM.Hijack.TaskManager. I panicked when the screens popped up and the disk busy light on the PC started blinking like crazy and performed a hard shut-down.

I then restarted in (normal mode) and found that all desktop icons gone, and most all programs missing, task manager disabled, and the disk busy light was still going crazy. I then rebooted into Safe Mode and ran a search and found the Malwarebytes files and ran a Malwarebytes scan. It found 3 items (log attached later in this topic thread) which are now quarantined.

I tried to run a System Restore to an earlier date. I can get into System Restore and actually run it through re-boot, but get the message: "Your system cannot be restored to 5/28/2011, do you want to try another restore point". I get the same message at all other restore points. I re-ran Malwarebytes and it did not detect any infections.

I had a 4 year old Symantec corp edition on the computer (that a buddy at work installed) with current virus definitions, but it didn't detect anything and has been acting strangely the last several weeks. I have since downloaded AVG free version (in Safe Mode) but can't update.

I used CCleaner>Tools>Startup to disable the Symantec from loading at startup. During that, I found a startup entry "ixhkhnvgmidvkh.exe" that was set to automatically run at startup. I noticed that it matched the nonsense characters of the Trojan.FakeMS file that Malwarebytes detected, and disabled and deleted it (using CCleaner). Task Manager is disabled in normal mode, so I don't know if CCleaner was able to stop it from running at startup or not. I wish I had discovered this forum earlier.

Below are the Malwarebytes log from the initial scan that found 3 items (all subsequent scans have been clean), the DDS log, and attach.txt. I ran GMER, but I didn't get a [save] button at the end, only [Done]. Everything was run in Safe Mode. Let me know if that is a problem.

I apologize for being so wordy. I am way over my head and wish I had discovered this forum earlier.

Lastly, on 5/18 I was hit with XP Anti-Spyware 2011. I ran Malwarebytes at that time, quarantined and deleted the entries and ran a System Restore to 2 days earlier. Everything seemed to be working fine, and Malwarebytes didn't detect any viruses until the infection on 6/1. I thought you should know, in case I didn't clean the 5/18 infection correctly.

LOGS:

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6732

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

6/1/2011 9:33:25 AM

mbam-log-2011-06-01 (09-33-25).txt

Scan type: Quick scan

Objects scanned: 225317

Time elapsed: 14 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

DDS Log:

.

DDS (Ver_2011-06-02.03) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by Administrator at 16:32:47 on 2011-06-02

.

============== Running Processes ===============

.

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Desktop\dds.com

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k LocalService

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage

mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage

uInternet Connection Wizard,ShellNext = hxxp://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=4294906905

mSearchAssistant = hxxp://start.facemoods.com/?a=stonicus&s={searchTerms}&f=4

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [AVG search provider] "c:\program files\avg\avg10\SearchProvider.exe" /AFTERINST

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [RunNarrator] Narrator.exe

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\steffi.rush\start menu\programs\imvu\Run IMVU.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://cordcamera.lifepics.com/net/Uploader/LPUploader45.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab

DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://colidg01.alliancedata.com/CACHE/stc/1/binaries/stcweb.cab

DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} - hxxps://www.webiqonline.com/WebIQ/bin/WebIQ.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v45/bejeweled/bejeweled.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257785970921

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257799643562

DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/luxr/default/mjolauncher.cab

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab

DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://meijer.lifepics.com/net/Uploader/ImageUploader3.cab

DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} - hxxp://cordcamera.lifepics.com/net/Uploader/LPUploader45.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - hxxp://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab

DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://cordcamera.lifepics.com/net/Uploader/LPUploader57.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://zone.msn.com/bingame/dash/default/DinerDash.1.0.0.94.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://sympatico.zone.msn.com/bingame/popcaploader_v10.cab

TCP: DhcpNameServer = 10.0.0.1

TCP: Interfaces\{137B43EC-5D63-4EB5-AB8B-A2508AE088F0} : DhcpNameServer = 10.0.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

LSA: Notification Packages = scecli scecli scecli

.

============= SERVICES / DRIVERS ===============

.

R? AVGIDSAgent;AVGIDSAgent

R? AVGIDSDriver;AVGIDSDriver

R? AVGIDSFilter;AVGIDSFilter

R? AVGIDSShim;AVGIDSShim

R? Avgldx86;AVG AVI Loader Driver

R? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield

R? avgwd;AVG WatchDog

R? ccEvtMgr;Symantec Event Manager

R? ccPwdSvc;Symantec Password Validation

R? ccSetMgr;Symantec Settings Manager

R? CSVirtA;Cisco Systems SSL VPN Adapter

R? EraserUtilDrv11110;EraserUtilDrv11110

R? gupdate;Google Update Service (gupdate)

R? gupdatem;Google Update Service (gupdatem)

R? Lbd;Lbd

R? Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service

R? NAVENG;NAVENG

R? NAVEX15;NAVEX15

R? osppsvc;Office Software Protection Platform

R? SavRoam;SavRoam

R? SAVRT;SAVRT

R? SAVRTPEL;SAVRTPEL

R? Symantec AntiVirus;Symantec AntiVirus

R? WinDefend;Windows Defender

S? AVGIDSEH;AVGIDSEH

S? Avgrkx86;AVG Anti-Rootkit Driver

S? Avgtdix;AVG TDI Driver

.

=============== Created Last 30 ================

.

2011-06-02 18:25:07 -------- dc-h--w- c:\documents and settings\all users\application data\Common Files

2011-06-02 16:44:34 -------- dc-h--w- C:\$AVG

2011-06-02 16:32:16 -------- dc----w- c:\documents and settings\administrator\application data\AVG10

2011-06-02 16:27:48 -------- dc----w- c:\windows\system32\drivers\AVG

2011-06-02 16:27:48 -------- dc----w- c:\documents and settings\all users\application data\AVG10

2011-06-02 16:26:50 -------- dc----w- c:\program files\AVG

2011-06-02 16:17:58 -------- dc----w- c:\documents and settings\all users\application data\MFAData

2011-05-31 11:51:56 -------- dc----w- c:\program files\common files\xing shared

2011-05-27 13:09:45 6962000 -c--a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{c8e0b385-ad1c-426f-8f21-7bb06d7525d1}\mpengine.dll

2011-05-23 15:24:00 -------- dc----w- c:\windows\system32\wbem\repository\FS

2011-05-23 15:24:00 -------- dc----w- c:\windows\system32\wbem\Repository

2011-05-19 23:31:39 -------- dc----w- c:\documents and settings\all users\application data\ZoomBrowser

2011-05-19 23:30:21 -------- dc----w- c:\program files\Canon

2011-05-17 19:55:44 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-04-15 01:28:42 134480 -c--a-w- c:\windows\system32\drivers\AVGIDSDriver.sys

2011-04-05 04:59:56 297168 -c--a-w- c:\windows\system32\drivers\avgtdix.sys

2011-03-16 20:03:20 32592 -c--a-w- c:\windows\system32\drivers\avgrkx86.sys

2011-03-07 05:33:50 692736 -c--a-w- c:\windows\system32\inetcomm.dll

2006-01-21 15:09:16 1951432 -c--a-w- c:\program files\ppviewer.exe

.

============= FINISH: 16:33:01.37 ===============

Attach.txt Log:

(attached as 'attach.zip')

GMER log:

none created by GMER program

Thank you in advance for any assistance you can provide.


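The Malwarebytes logs in this thread share one text format: a header, a block of per-category counts, then one section per category whose lines read `<path> (<detection name>) -> <action>.` (registry values carry an extra `Value: ... ->` field). The parser below is an added example, not Malwarebytes' code and not from any post here; it pulls the header fields, the counts and the detection lines out of that format, separates detections that were quarantined from ones logged as "No action taken", and cross-checks the summary counts against the entries actually listed. The sample log is constructed from a handful of lines in the format used above.

```python
"""Parse Malwarebytes' Anti-Malware 1.5x text logs (the format posted in this thread)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the MBAM 1.5x log layout; entries borrowed from the logs above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6808
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/8/2011 9:34:16 AM
mbam-log-2011-06-08 (09-33-34).txt

Scan type: Quick scan
Objects scanned: 132422
Time elapsed: 37 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Value: (default) -> No action taken.
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Registry Keys Infected: 3"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Registry Keys Infected:"


@dataclass
class Detection:
    section: str         # category the line was listed under
    path: str            # file path, registry key or registry value path
    classification: str  # MBAM detection name, e.g. "Trojan.FakeAlert"
    action: str          # "No action taken", "Quarantined and deleted successfully", ...
    value: str = ""      # registry value name, only for "Registry Values Infected"

    @property
    def remediated(self) -> bool:
        return self.action.startswith("Quarantined and deleted")


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)
    summary: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def _parse_detection(section, line):
    # "<target> -> [Value: <v> -> ]<action>."  Split on the arrow first so parentheses
    # inside a registry path (e.g. "\(default)") cannot be mistaken for the class name.
    parts = [p.strip() for p in line.split(" -> ")]
    target, action = parts[0], parts[-1].rstrip(".")
    value = ""
    for middle in parts[1:-1]:
        if middle.startswith("Value: "):
            value = middle[len("Value: "):]
    # The classification is always the LAST " (...)" group on the target side.
    path, _, cls = target.rpartition(" (")
    return Detection(section, path, cls.rstrip(")"), action, value)


def parse_mbam_log(text: str) -> MbamReport:
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if m := HEADER_RE.match(line):
            report.header[m.group(1)] = m.group(2)
        elif m := SUMMARY_RE.match(line):
            report.summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and " -> " in line:
            report.detections.append(_parse_detection(section, line))
    return report


def unremediated(report: MbamReport):
    """Detections the scan logged but did not remove (still present on the host)."""
    return [d for d in report.detections if not d.remediated]


def count_mismatches(report: MbamReport):
    """Summary counts that disagree with the entries listed: {section: (summary, listed)}."""
    found = Counter(d.section for d in report.detections)
    return {s: (n, found.get(s, 0)) for s, n in report.summary.items() if found.get(s, 0) != n}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.header, rep.summary)
    for d in unremediated(rep):
        print("NOT REMOVED:", d.section, d.path, d.classification)
    print("count mismatches:", count_mismatches(rep))
```

Run against the Katie log above, `count_mismatches` returns nothing (15 keys + 5 values listed, 15 + 5 in the summary), which is the quick way to confirm a log was pasted whole, and `unremediated` returns every entry, since that scan's lines all end in "No action taken".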
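The startup entry the poster found with CCleaner, "ixhkhnvgmidvkh.exe", shows the pattern rogue-AV droppers of this family leave behind: a name of random letters, registered under a `Run` key, living somewhere a normal user can write. The script below is an added example, not DDS's code and not from any post in this thread; it ranks the `Run`/`RunOnce` lines of a DDS "Pseudo HJT Report" for review using two cheap heuristics, a name that looks random (few vowels or a long consonant run) and an executable that sits in a user-writable directory or carries no path at all. The sample lines are constructed in DDS format from the report above; the path shown for ixhkhnvgmidvkh.exe is hypothetical, the post does not say where it lived.

```python
"""Rank autostart entries from a DDS "Pseudo HJT Report" for manual review."""
import re

# Constructed sample in DDS's Run-line format. The ixhkhnvgmidvkh location is
# hypothetical; the thread only gives the file name.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [bCMSMMSG] BCMSMMSG.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
uRun: [ixhkhnvgmidvkh] c:\documents and settings\owner\local settings\application data\ixhkhnvgmidvkh.exe
"""

# uRun / mRun / dRun (+Once) lines: "<hive>Run: [<name>] <command line>"
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First .exe on the command line, quoted or not, with any arguments dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)
# Directories an unprivileged XP user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")
VOWELS = set("aeiouy")


def looks_random(stem: str) -> bool:
    """Crude pronounceability test: long names with almost no vowels or a long consonant run."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 8:          # short names give the test nothing to work with
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest_run = max(longest_run, run)
    return longest_run >= 6 or vowel_ratio < 0.2


def triage_run_entries(text: str):
    """Return the Run entries worth a look, highest priority first, each with its reasons."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        exe_match = EXE_RE.match(cmd)
        exe = exe_match.group("exe") if exe_match else cmd.split()[0]
        stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking name")
        if "\\" not in exe:
            reasons.append("no path: resolved through the search order")
        elif any(marker in exe.lower() for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable location")
        if reasons:
            findings.append({
                "name": m.group("name"),
                "command": cmd,
                "reasons": reasons,
                "priority": "high" if len(reasons) >= 2 else "review",
            })
    findings.sort(key=lambda f: f["priority"] != "high")   # "high" entries first
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_DDS):
        print(f"{f['priority']:6} [{f['name']}] {f['command']}  <- {', '.join(f['reasons'])}")
```

The unqualified `BCMSMMSG.exe` entry lands on the list as well, which is the intended behaviour: the output is a review order, not a verdict, and a legitimate entry is confirmed by its publisher and location, never by its name.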

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hi Chris, thanks for your help. I am downloading files and communicating to you through a separate clean computer, moving files around with a flash drive.

While I was awaiting a response to my initial post (I didn't realize how long 48 hours could feel), I tried logging on to various XP user log-ins in normal boot-up mode. I was able to access the infected log-in, but everything ran extremely slow, and MBAM quick scan got hung up. I then tried my daughter's log-in and found she had some (but not all) of her desktop icons and access to Task Manager. Her programs were hidden though. I ran a MBAM quick scan on her account and it found 20 items (log copied below). I then moved over to the Owner log-in and found the same condition (some icons, working Task Manager, hidden programs). A MBAM quick scan of that user log-in found 5 more items (log copied second). An earlier MBAM quick scan in SAFE MODE did not detect anything. Confusing.

In order to run ComboFix, I had to uninstall my old Symantec, the new free AVG Anti-Virus 2011, and Windows Defender. I was either unable to access them for disabling or ComboFix got hung up on them. However, after their removal (and subsequent Normal reboot into the Owner log-in) ComboFix ran as described. The ComboFix log and a new DDS log are copied below the two MBAM logs.

LOGS:

First MBAM log - Normal Boot Mode, User: Katie

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6808

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/8/2011 9:34:16 AM

mbam-log-2011-06-08 (09-33-34).txt

Scan type: Quick scan

Objects scanned: 132422

Time elapsed: 37 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 15

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Value: {00A6FAF6-072E-44CF-8957-5838F569A31D} -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Value: {07B18EA9-A523-4961-B6BB-170DE4475CCA} -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Value: {07B18EA9-A523-4961-B6BB-170DE4475CCA} -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D} (Adware.MyWebSearch) -> Value: {00A6FAF6-072E-44cf-8957-5838F569A31D} -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Value: (default) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Second MBAM log - Normal Boot Mode, User: Owner

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6808

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/8/2011 10:57:59 AM

mbam-log-2011-06-08 (10-57-59).txt

Scan type: Quick scan

Objects scanned: 218425

Time elapsed: 1 hour(s), 6 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Value: {00A6FAF6-072E-44CF-8957-5838F569A31D} -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D} (Adware.MyWebSearch) -> Value: {00A6FAF6-072E-44cf-8957-5838F569A31D} -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix log:

ComboFix 11-06-07.03 - Owner 06/08/2011 13:08:25.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.273 [GMT -4:00]

Running from: f:\mb forum downloads\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Katie\WINDOWS

c:\documents and settings\Katie\WINDOWS\hpothb07.dat

c:\documents and settings\Owner\WINDOWS

c:\documents and settings\Steffi.RUSH\Application Data\facemoods.com

c:\documents and settings\Steffi.RUSH\WINDOWS

c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\music\mainmenumusic.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\areabomb.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\beetlezap.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bonusrow.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bonustimer.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bucketfilled.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\clearpyramid.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1a.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1b.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1c.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2a.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2b.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2c.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\colorchain.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\dialogbox.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\drumbeat.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\fillrow.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\gateopen.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\helptip.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\powerup.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\rotateboardleft.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\timerup.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\warning.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\warning2.ogg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\artifacts-bb.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\bar.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\chamber0.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\chamber1.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\circledoor.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\full_screen_dialog.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\global-hs-bb_large.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\global-hs-bb_small.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\help-bb_large.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\help-bb_small.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\hexfield.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\hidden-artifact_icon.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\large_dialog.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\local-hs-bb.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\mainmenu.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\small_dialog.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\textfield.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\trifield.jpg

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover4.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock1.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock2.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock3.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock4.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetletatoo.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\dirt.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\scarabpost.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\scarabpostovr.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\tritop.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\checkdown.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\checkup.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_down.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_over.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_up.png

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_down.png

.

.

((((((((((((((((((((((((( Files Created from 2011-05-08 to 2011-06-08 )))))))))))))))))))))))))))))))

.

.

2011-06-08 13:51 . 2011-06-08 13:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2011-06-08 12:53 . 2011-06-08 12:53 -------- dc----w- c:\documents and settings\Katie\Application Data\Malwarebytes

2011-06-08 12:43 . 2011-06-08 12:43 -------- dc----w- c:\documents and settings\Katie\Application Data\AVG10

2011-06-04 16:00 . 2011-06-04 16:00 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10

2011-06-02 18:25 . 2011-06-02 18:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\Common Files

2011-06-02 16:44 . 2011-06-02 16:44 -------- dc----w- C:\$AVG

2011-06-02 16:32 . 2011-06-02 16:32 -------- dc----w- c:\documents and settings\Administrator\Application Data\AVG10

2011-06-02 16:27 . 2011-06-08 16:51 -------- dc----w- c:\documents and settings\All Users\Application Data\AVG10

2011-06-02 16:27 . 2011-06-08 16:48 -------- dc----w- c:\windows\system32\drivers\AVG

2011-06-02 16:26 . 2011-06-02 16:26 -------- dc----w- c:\program files\AVG

2011-06-02 16:17 . 2011-06-08 16:50 -------- dc----w- c:\documents and settings\All Users\Application Data\MFAData

2011-05-31 11:51 . 2011-05-31 11:51 -------- dc----w- c:\program files\Common Files\xing shared

2011-05-23 15:24 . 2011-05-23 15:24 -------- dc----w- c:\windows\system32\wbem\Repository

2011-05-20 00:11 . 2011-05-20 00:11 -------- dc----w- c:\documents and settings\Steffi.RUSH\Application Data\ZoomBrowser EX

2011-05-19 23:31 . 2011-05-19 23:31 -------- dc----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2011-05-19 23:30 . 2011-05-19 23:34 -------- dc----w- c:\program files\Canon

2011-05-17 19:55 . 2011-05-17 19:55 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 13:11 . 2011-03-02 19:47 39984 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11 . 2011-03-02 19:47 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys

2006-01-21 15:09 . 2006-01-21 15:09 1951432 -c--a-w- c:\program files\ppviewer.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Button Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Button Manager.lnk

backup=c:\windows\pss\HP Button Manager.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Magic-i.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Magic-i.lnk

backup=c:\windows\pss\Magic-i.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]

2009-10-10 18:32 203264 -c--a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]

2010-03-13 19:54 91520 -c--a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-01-25 20:08 421160 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 -c--a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2010-12-03 21:46 14944136 -c--a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-07-25 09:23 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2011-05-31 11:50 273544 -c--a-w- c:\program files\Real\realplayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

2003-08-19 05:01 110592 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\StubInstaller.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [12/21/2007 6:46 PM 22136]

S3 EraserUtilDrv11110;EraserUtilDrv11110;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11110.sys [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-04-07 c:\windows\Tasks\FRU Task 2002-12-03 04:38ewlett-Packard2002-12-03 04:38p psc 1200 series84887B468ABA3F57D76752217D5938688025EB21139065858.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-03 01:38]

.

2011-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 15:37]

.

2011-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 15:37]

.

2011-06-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1844237615-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

2011-06-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1844237615-839522115-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

2011-06-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1844237615-839522115-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

2011-06-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1844237615-839522115-1009.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

2011-05-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1844237615-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

2011-05-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1844237615-839522115-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

2011-06-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1844237615-839522115-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

2011-05-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1844237615-839522115-1009.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Steffi.RUSH\Start Menu\Programs\IMVU\Run IMVU.lnk

DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://cordcamera.lifepics.com/net/Uploader/LPUploader45.cab

DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://colidg01.alliancedata.com/CACHE/stc/1/binaries/stcweb.cab

DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://cordcamera.lifepics.com/net/Uploader/LPUploader57.cab

.

- - - - ORPHANS REMOVED - - - -

.

Notify-NavLogon - (no file)

MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe

MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe

MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-08 13:26

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2011-06-08 13:33:16

ComboFix-quarantined-files.txt 2011-06-08 17:32

.

Pre-Run: 14,923,792,384 bytes free

Post-Run: 16,222,396,416 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 43261B29CB745631820B986AD6DF699D

New DDS Log:

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 13:42:11 on 2011-06-08

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.211 [GMT -4:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [RunNarrator] Narrator.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\steffi.rush\start menu\programs\imvu\Run IMVU.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://cordcamera.lifepics.com/net/Uploader/LPUploader45.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab

DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://colidg01.alliancedata.com/CACHE/stc/1/binaries/stcweb.cab

DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} - hxxps://www.webiqonline.com/WebIQ/bin/WebIQ.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v45/bejeweled/bejeweled.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257785970921

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257799643562

DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/luxr/default/mjolauncher.cab

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab

DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://meijer.lifepics.com/net/Uploader/ImageUploader3.cab

DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} - hxxp://cordcamera.lifepics.com/net/Uploader/LPUploader45.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - hxxp://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab

DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://cordcamera.lifepics.com/net/Uploader/LPUploader57.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://zone.msn.com/bingame/dash/default/DinerDash.1.0.0.94.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://sympatico.zone.msn.com/bingame/popcaploader_v10.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

.

============= SERVICES / DRIVERS ===============

.

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-27 136176]

S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2007-12-21 22136]

S3 EraserUtilDrv11110;EraserUtilDrv11110;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11110.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11110.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-27 136176]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

.

=============== Created Last 30 ================

.

2011-06-08 17:05:57 -------- dcsha-r- C:\cmdcons

2011-06-08 17:00:07 98816 -c--a-w- c:\windows\sed.exe

2011-06-08 17:00:07 518144 -c--a-w- c:\windows\SWREG.exe

2011-06-08 17:00:07 256512 -c--a-w- c:\windows\PEV.exe

2011-06-08 17:00:07 208896 -c--a-w- c:\windows\MBR.exe

2011-06-08 13:51:07 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes

2011-06-04 16:00:14 -------- d-----w- c:\documents and settings\owner\application data\AVG10

2011-06-02 18:25:07 -------- dc-h--w- c:\documents and settings\all users\application data\Common Files

2011-06-02 16:44:34 -------- dc----w- C:\$AVG

2011-06-02 16:27:48 -------- dc----w- c:\windows\system32\drivers\AVG

2011-06-02 16:27:48 -------- dc----w- c:\documents and settings\all users\application data\AVG10

2011-06-02 16:26:50 -------- dc----w- c:\program files\AVG

2011-06-02 16:17:58 -------- dc----w- c:\documents and settings\all users\application data\MFAData

2011-05-31 11:51:56 -------- dc----w- c:\program files\common files\xing shared

2011-05-23 15:24:00 -------- dc----w- c:\windows\system32\wbem\repository\FS

2011-05-23 15:24:00 -------- dc----w- c:\windows\system32\wbem\Repository

2011-05-19 23:31:39 -------- dc----w- c:\documents and settings\all users\application data\ZoomBrowser

2011-05-19 23:30:21 -------- dc----w- c:\program files\Canon

2011-05-17 19:55:44 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-05-29 13:11:30 39984 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11:20 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys

2006-01-21 15:09:16 1951432 -c--a-w- c:\program files\ppviewer.exe

.

============= FINISH: 13:43:06.51 ===============

Thanks again for your help. You're a life saver.

BTW - I will be out of town from 6/10 - 6/19 so I may not be able to respond to your reply to this posting until after I get back.

Phillip Rush


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Screen317,

Yes, I'm still with you. I tried to relate in my previous reply that I would be out of town last week and unable to work on the infected computer. I am back now and followed your instructions for the ESET Online Scanner and Security Check. Log text files are pasted below.

As far as how the computer seems to be doing now... My desktop icons and most programs are still missing & I still can't access task manager. However, the 'disk busy' light on the front of the computer no longer blinks wildly when I'm not performing a specific task.

ESET - LOG.TXT:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6526

# api_version=3.0.2

# EOSSerial=32e952b32628b54294f22bdcaa5d2bc1

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-06-20 09:41:52

# local_time=2011-06-20 05:41:52 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777191 100 0 652188 652188 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=1668

# found=0

# cleaned=0

# scan_time=320

ESET quarantine log txt file of 1 detected threat:

C:\Documents and Settings\Phil\Local Settings\Temp\jar_cache1443991490783637930.tmp probably a variant of Java/Agent.CO trojan deleted - quarantined

SECURITY CHECK - CHECKUP.TXT LOG:

Results of screen317's Security Check version 0.99.14

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 15

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

Thanks for sticking with me. Let me know the next step.

Phil


Screen317,

I also updated & ran a new Malwarebytes quick scan from the infected XP user account. Previously it locked up halfway through, but this time it ran smoothly. MBAM found 3 items. The new MBAM log is copied below.

After the 3 new items were quarantined by MBAM, Task Manager access was restored and desktop icons for newly installed or accessed programs appeared. Older desktop icons are still missing.

MBAM log (6/20/2011):

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6905

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/20/2011 6:22:36 PM

mbam-log-2011-06-20 (18-22-36).txt

Scan type: Quick scan

Objects scanned: 209446

Time elapsed: 12 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

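As an added example (not part of this thread, and not Malwarebytes' own code), here is a PowerShell check for the three HKCU policy values the MBAM log above reported as hijacked. It reports each value's state and, only with a switch, removes any that is set to 1, which is the same remediation MBAM applied; the function and switch names are my own.

```powershell
# Added example: audit the three HKCU policy values MBAM flagged in this thread.
# Each is a REG_DWORD under ...\Policies; 1 enforces the restriction, absent or 0 is clean.
# Run it as the affected user, since the values live in that user's HKCU hive.
$policyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Subkey, value name, and the MBAM detection name shown in the log on this page.
$checks = @(
    @{ Key = 'ActiveDesktop'; Name = 'NoChangingWallPaper'; Detection = 'PUM.Hijack.DisplayProperties' },
    @{ Key = 'Explorer';      Name = 'NoDesktop';           Detection = 'PUM.Hidden.Desktop' },
    @{ Key = 'System';        Name = 'DisableTaskMgr';      Detection = 'PUM.Hijack.TaskManager' }
)

function Test-PolicyHijack {
    # Hypothetical helper name; without -Remediate it only reports.
    param([switch]$Remediate)
    foreach ($c in $checks) {
        $path  = Join-Path $policyRoot $c.Key
        $value = $null
        if (Test-Path $path) {
            # Missing value -> $null (no error) thanks to SilentlyContinue.
            $value = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        $status = if ($value -eq 1) { 'HIJACKED' }
                  elseif ($null -eq $value -or $value -eq 0) { 'clean' }
                  else { 'unexpected' }
        [pscustomobject]@{
            Value     = "$($c.Key)\$($c.Name)"
            Data      = $value
            Status    = $status
            Detection = $c.Detection
        }
        if ($Remediate -and $value -eq 1) {
            # Deleting the value restores the Windows default (restriction off),
            # which is what the MBAM quarantine did for this user.
            Remove-ItemProperty -Path $path -Name $c.Name
        }
    }
}

Test-PolicyHijack | Format-Table -AutoSize
# Test-PolicyHijack -Remediate   # clears any of the three values found set to 1
```

Re-running the report after remediation should show all three rows as clean; a value that comes back to 1 after a reboot points to a still-active startup entry resetting it.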

  • Staff

Hi,

Please download Unhide.exe by Grinler and save it to your Desktop.

Run it, then restart your computer.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

ESET Online Scanner v3

Java™ 6 Update 15

Java™ 6 Update 2

Java™ 6 Update 3

Java™ 6 Update 5

Java™ 6 Update 7

Adobe Flash Player

Restart your computer.

Get the latest version of Java, Adobe Reader, and Adobe Flash Player.

Let me know what issues remain.

-screen317


Wow. Everything is back and the computer seems to be running normally. MBAM quick scan did not detect any threats. Neither did an AVG complete scan.

Let me know when to re-enable CD Emulation Drivers. Also, there is now a Windows Recovery Console boot option, does that stay permanently?

Lastly, let me know if there is a cause or organization you support where I could send a small donation as my way of saying THANKS for all your help.

Phillip Rush


  • Staff

Hi Phillip,

Go ahead and re-enable the emulation drives. The Recovery Console is there for the future if you are infected. It is a good fail-safe for when things can't run in Windows.

Do send all aid to the relief effort in Japan. It's not as spoken about recently, but they're still struggling.

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


I have read that it is inadvisable to have 2 anti-virus programs running at the same time. Will Spyware Blaster "play nice" with the AVG 2011 Free Version that I am currently running? Also, same question if I upgrade to the full version of Malwarebytes?

Thanks,

Phillip Rush


  • 1 month later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
