Malware

ayostos
Newbie
3. December 2008 @ 20:54
Received an email from facebook and now have some virus on my computer. Downloaded HijackThis v2.0.2 and really don't understand what to do next. Here is the log. Can anyone help me? Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:35 PM, on 12/3/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\WebMediaViewer\hpmon.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\tsnpstd3.exe
C:\Windows\vsnpstd3.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Users\Amy Jarvis\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\McAfee\MSC\mcshell.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [FixCamera] C:\Windows\FixCamera.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\Windows\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\Windows\vsnpstd3.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Users\Amy Jarvis\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://70.90.47.90:86/activex/AMC.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
--
End of file - 9666 bytes
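A first triage pass over HijackThis-format lines, added here as an example (it is not from this thread and not part of the HijackThis tool). The sample lines are constructed copies of entries from the log above, and the heuristics (orphaned "(file missing)" targets, unnamed BHOs, Policies\Explorer\Run autoruns, O9 buttons that point at a URL, O16 downloads from a raw IP address) are review prompts an analyst would want to see first, not verdicts.

```python
"""Triage pass over HijackThis-format log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log above, mixing
# vendor entries with the WebMediaViewer entries that the later MBAM scan
# identified as Trojan.Zlob components.
SAMPLE_LOG_LINES = [
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll (file missing)",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe",
    r"O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)",
    r"O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll",
    r"O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://70.90.47.90:86/activex/AMC.cab",
    r"O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)",
]


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the line deserves a look
    line: str     # the raw log line


# "O4 - ..." / "R1 - ...": section code, separator, rest of the entry
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")
URL_RE = re.compile(r"https?://(?P<host>[^/:\s]+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def triage_line(raw: str) -> list[Finding]:
    """Return zero or more findings for one HijackThis log line.

    The heuristics are review prompts, not verdicts: every flagged entry
    still has to be checked against what the software on the machine
    legitimately registers.
    """
    raw = raw.rstrip()
    m = LINE_RE.match(raw)
    if not m:
        return []  # running-process list, headers, blank lines
    sec, body = m.group("sec"), m.group("body")
    found: list[Finding] = []

    def flag(reason: str) -> None:
        found.append(Finding(sec, reason, raw))

    # A registered BHO/button/notify DLL whose file is gone is either a
    # half-removed install or a component that has already been hidden.
    if "(file missing)" in body:
        flag("target file missing: orphaned registration, investigate or remove")
    if sec == "O2" and "BHO: (no name)" in body:
        flag("unnamed Browser Helper Object")
    # Policies\Explorer\Run is a policy autorun location that legitimate
    # software almost never uses; both such entries in the log above were Zlob.
    if sec == "O4" and r"policies\explorer\run" in body.lower():
        flag("autorun via Policies\\Explorer\\Run, rarely used by legitimate software")
    url = URL_RE.search(body)
    if url:
        if sec == "O9":
            flag("IE button/menu item whose target is a URL rather than a local DLL")
        if sec == "O16" and IPV4_RE.match(url.group("host")):
            flag("ActiveX control downloaded from a raw IP address")
    return found


def triage(lines) -> list[Finding]:
    """Run triage_line over an iterable of log lines (e.g. a split log file)."""
    return [f for line in lines for f in triage_line(line)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section for a quick first view."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG_LINES)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(results))
```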

Senior Member
3. December 2008 @ 22:36
Hi ayostos
What symptoms does your computer have?
Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required.
Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or double-click the Malwarebytes' Anti-Malware shortcut on your Desktop.
Configuring Malwarebytes
• Click on the tab Settings.
• Make sure only these boxes are checked:
Terminate Internet Explorer
Automatically save and display logfile after removal
Always scan memory objects
Always scan registry objects
Always scan filesystem
Always scan extra and heuristics objects
Updating Malwarebytes
• Click on the tab Update.
• Press the button Check for Updates.
• Wait for Malwarebytes to be fully updated.
Scanning Time
• Click on the tab Scanner.
• Check Perform full scan and click on Scan.
• Wait for the scan to complete, and then click on Show Results.
• Make sure all items are checked, then click on Remove Selected.
**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.
Post A Log
• A text box will pop up after the removal process is over. Post the contents of the text box here.
• If no text box pops up, launch Malwarebytes, and click on the tab Logs.
• The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
• Post the log here.
Best Regards :D
Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.

ayostos
Newbie
4. December 2008 @ 14:48
The security warning keeps popping up saying a trojan has my personal information. Also this security page that looks like some sort of Windows manager (the symbol is the same block coloring but a different shape) pops up saying "security manager" and that there is an error on my hard drive and the CD drive; at the bottom there is a box saying "security warning" listing nation:, city:, IP address: and ISP:. I ran the Malwarebytes scan and it couldn't remove some files; it told me to restart, which I did. Below is the log that pops up after the scan. I'm not sure where to go from here. Thanks for the help you've provided and any additional help.
Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 6.0.6001 Service Pack 1
12/4/2008 12:30:12 PM
mbam-log-2008-12-04 (12-30-12).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 222277
Time elapsed: 3 hour(s), 55 minute(s), 25 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 25
Memory Processes Infected:
C:\Program Files\WebMediaViewer\hpmon.exe (Trojan.Zlob) -> Unloaded process successfully.
Memory Modules Infected:
C:\Windows\System32\55FF85742B4AF666\55FF85742B4AF666.x86 (Rootkit.Zlob) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\webmedia.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Alert Manager (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer add-on (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Toolbar (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vmware hptray (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\quicktime task (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\WebMediaViewer (Trojan.Zlob) -> Quarantined and deleted successfully.
Files Infected:
C:\Windows\System32\55FF85742B4AF666\55FF85742B4AF666.x86 (Rootkit.Zlob) -> Delete on reboot.
C:\Users\Amy Jarvis\AppData\Local\Temp\qpgiqmsi2.exe (Zlob.Agent) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\AppData\Local\Temp\qpgiqmsi3.exe (Rootkit.Zlob) -> Quarantined and deleted successfully.
C:\Windows\System32\55FF85742B4AF666\55FF85742B4AF666 (Rootkit.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\browseu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\hpmom.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\hpmon.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\hpmun.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myc.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\qttask.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\qttaskm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\qttasku.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Online Antispyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.

Senior Member
6. December 2008 @ 02:33
Hey ayostos
Now, please download ComboFix.
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.
Please disable all security programs, such as antiviruses, antispywares, and firewalls.
• Run Combo-Fix.exe and follow the prompts.
• Accept the End-User License Agreement.
(If the Recovery Console has been installed on your computer, ComboFix will skip the next three steps.)
• Allow the Recovery Console to be installed.
• When you see the window below, click on Yes.
• When the Recovery Console has been installed, click on Yes to start the scan.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be fully completed.
• If it requires a reboot, please do so.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)
Do not click on the ComboFix window, as it may cause it to stall.
Best Regards :D

ayostos
Newbie
7. December 2008 @ 14:20
Thanks for the help. It is greatly appreciated. Hopefully this does it. Please let me know. Thanks. AJ
ComboFix 08-12-06.06 - Amy Jarvis 2008-12-07 11:55:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.280 [GMT -7:00]
Running from: c:\users\Amy Jarvis\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\AutoRun.inf
c:\windows\system32\hpowiax4.dll
c:\windows\system32\x64
.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.
2008-12-07 11:53 . 2008-12-07 11:54 <DIR> d-------- C:\32788R22FWJFW
2008-12-04 08:26 . 2008-12-04 08:26 <DIR> d-------- c:\users\Amy Jarvis\AppData\Roaming\Malwarebytes
2008-12-04 08:26 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-04 08:25 . 2008-12-04 08:25 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-04 08:25 . 2008-12-04 08:25 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-04 08:25 . 2008-12-04 08:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 08:25 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-03 19:39 . 2008-12-03 19:39 <DIR> d-------- c:\program files\Lavasoft
2008-12-03 19:38 . 2008-12-03 19:46 <DIR> d-------- c:\users\All Users\Lavasoft
2008-12-03 19:38 . 2008-12-03 19:46 <DIR> d-------- c:\programdata\Lavasoft
2008-12-03 19:36 . 2008-12-03 19:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 18:35 . 2008-12-03 18:35 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 09:13 . 2008-12-04 12:34 <DIR> d--hs---- c:\windows\System32\55FF85742B4AF666
2008-12-02 09:40 . 2008-12-02 09:40 <DIR> d-------- c:\program files\Axis Communications
2008-12-01 06:32 . 2008-12-01 06:32 <DIR> d-------- c:\program files\MSECache
2008-11-29 08:07 . 2008-10-16 14:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-29 08:07 . 2008-10-16 13:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-29 08:07 . 2008-10-16 14:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-29 08:07 . 2008-10-16 14:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-29 08:06 . 2008-10-16 14:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-29 08:06 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-29 08:06 . 2008-10-16 13:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-29 08:06 . 2008-10-16 14:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-29 08:06 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-27 18:17 . 2007-03-10 14:43 270,336 --a------ c:\windows\tsnpstd3.exe
2008-11-27 18:17 . 2006-07-03 10:31 94,208 --a------ c:\windows\amcap.exe
2008-11-27 18:16 . 2008-11-27 18:17 <DIR> d-------- c:\program files\Common Files\snpstd3
2008-11-27 18:16 . 2007-02-09 14:13 172,032 --a------ c:\windows\System32\rsnpstd3.dll
2008-11-27 18:16 . 2005-11-23 13:55 53,248 --a------ c:\windows\csnpstd3.dll
2008-11-26 07:29 . 2008-11-26 07:29 <DIR> d-------- c:\users\Amy Jarvis\AppData\Roaming\Yahoo!
2008-11-26 07:28 . 2008-11-26 07:35 <DIR> d-------- c:\users\All Users\Yahoo!
2008-11-26 07:28 . 2008-11-26 07:35 <DIR> d-------- c:\programdata\Yahoo!
2008-11-26 07:28 . 2008-12-04 08:11 <DIR> d-------- c:\program files\Yahoo!
2008-11-26 01:39 . 2008-10-20 22:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-26 01:39 . 2008-08-27 20:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-26 01:39 . 2008-08-27 20:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 01:39 . 2008-08-27 20:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-26 01:39 . 2008-10-21 20:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-24 10:33 . 2008-11-24 10:33 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-15 12:38 . 2007-09-13 14:45 4,947,968 --a------ c:\windows\System32\stacgui.cpl
2008-11-15 12:38 . 2007-04-10 17:02 1,601,536 --a------ c:\windows\System32\stlang.dll
2008-11-15 12:38 . 2007-09-20 14:31 647,168 --a------ c:\windows\System32\aestecap.dll
2008-11-15 12:38 . 2007-09-20 14:31 131,072 --a------ c:\windows\System32\aestacap.dll
2008-11-15 12:38 . 2007-09-13 14:45 102,400 --a------ c:\windows\System32\stacsv.exe
2008-11-15 12:38 . 2007-09-20 14:31 73,728 --a------ c:\windows\System32\AEstSrv.exe
2008-11-15 12:38 . 2007-09-20 14:31 53,248 --a------ c:\windows\System32\aestaren.dll
2008-11-15 12:35 . 2007-09-13 14:46 330,240 --a------ c:\windows\System32\drivers\stwrt.sys
2008-11-15 12:34 . 2008-11-15 12:34 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-11-15 12:34 . 2007-09-13 14:45 595,456 --a------ c:\windows\System32\stapo.dll
2008-11-15 12:34 . 2007-03-05 13:05 492,544 --a------ c:\windows\System32\ctapo32.dll
2008-11-15 12:34 . 2007-09-13 14:45 328,704 --a------ c:\windows\System32\stcplx.dll
2008-11-15 12:34 . 2007-09-13 14:44 299,520 --a------ c:\windows\System32\stapi32.dll
2008-11-15 12:34 . 2007-09-13 14:45 146,944 --a------ c:\windows\System32\st325614.dll
2008-11-15 12:34 . 2007-03-05 13:05 45,568 --a------ c:\windows\System32\ctppld.dll
2008-11-11 15:29 . 2008-08-26 18:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-11 15:28 . 2008-09-09 20:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-11 15:28 . 2008-09-04 22:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-11 07:54 . 2008-11-11 07:54 1,593 --a------ c:\windows\VPNInstall.MIF
2008-11-11 07:52 . 2008-03-29 17:36 125,328 --a------ c:\windows\System32\drivers\dne2000.sys
2008-11-11 07:52 . 2008-03-29 17:36 106,768 --a------ c:\windows\System32\dneinobj.dll
2008-11-11 07:50 . 2008-11-11 07:50 <DIR> d-------- c:\program files\Common Files\Deterministic Networks
2008-11-11 07:50 . 2008-11-11 07:50 <DIR> d-------- c:\program files\Cisco Systems
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 19:34 --------- d-----w c:\program files\McAfee
2008-11-28 01:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 17:33 --------- d-----w c:\program files\Microsoft Works
2008-11-02 15:59 --------- d-----w c:\programdata\HP
2008-11-02 15:57 --------- d-----w c:\programdata\WEBREG
2008-11-02 15:55 --------- d-----w c:\users\Amy Jarvis\AppData\Roaming\HPAppData
2008-11-02 15:55 --------- d-----w c:\programdata\HPSSUPPLY
2008-11-02 15:55 --------- d-----w c:\program files\HP
2008-11-02 15:52 --------- d-----w c:\programdata\HP Product Assistant
2008-11-02 15:52 --------- d-----w c:\program files\Common Files\HP
2008-11-02 15:51 --------- d-----w c:\program files\Hewlett-Packard
2008-11-02 15:51 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-11-02 15:49 --------- d-----w c:\programdata\Hewlett-Packard
2008-11-02 15:33 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-10-26 21:14 --------- d-----w c:\programdata\NOS
2008-10-26 21:14 --------- d-----w c:\program files\NOS
2008-10-26 21:02 --------- d-----w c:\programdata\SiteAdvisor
2008-10-26 21:02 --------- d-----w c:\programdata\McAfee
2008-10-26 20:41 --------- d-----w c:\users\Amy Jarvis\AppData\Roaming\McAfee
2008-10-26 15:18 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-26 15:17 --------- d-----w c:\program files\Microsoft.NET
2008-10-26 15:03 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-26 15:02 --------- d-----w c:\program files\Common Files\Adobe
2008-10-26 02:45 174 --sha-w c:\program files\desktop.ini
2008-10-26 02:33 --------- d-----w c:\program files\Windows Sidebar
2008-10-26 02:33 --------- d-----w c:\program files\Windows Calendar
2008-10-26 02:32 --------- d-----w c:\program files\Windows Photo Gallery
2008-10-26 02:32 --------- d-----w c:\program files\Windows Mail
2008-10-26 02:32 --------- d-----w c:\program files\Windows Journal
2008-10-26 02:32 --------- d-----w c:\program files\Windows Defender
2008-10-26 02:32 --------- d-----w c:\program files\Windows Collaboration
2008-10-25 21:56 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-10-25 21:56 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-10-11 16:49 --------- d-----w c:\program files\SigmaTel
2008-10-11 16:36 --------- d-----w c:\program files\Dell
2008-10-11 16:04 --------- d-----w c:\program files\Intel
2008-10-11 15:51 --------- d-----w c:\program files\Broadcom
2008-10-11 15:46 --------- d-----w c:\programdata\Citrix
2008-10-11 15:45 61,224 ----a-w c:\users\Amy Jarvis\GoToAssistDownloadHelper.exe
2008-10-11 15:45 --------- d-----w c:\program files\Citrix
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-25 10:03 269,312 ----a-w c:\windows\System32\es.dll
2008-09-23 05:54 61,440 ----a-w c:\windows\System32\winipsec.dll
2008-09-23 05:54 361,984 ----a-w c:\windows\System32\IPSECSVC.DLL
2008-09-23 05:54 28,672 ----a-w c:\windows\System32\FwRemoteSvr.dll
2008-09-23 05:54 272,896 ----a-w c:\windows\System32\polstore.dll
2008-09-23 05:51 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-09-23 05:51 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-09-23 05:51 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-09-23 05:51 28,160 ----a-w c:\windows\System32\Apphlpdm.dll
2008-09-23 05:51 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-09-23 05:51 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-09-23 05:51 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-09-23 05:51 1,695,744 ----a-w c:\windows\System32\gameux.dll
2008-09-23 05:40 2,048 ----a-w c:\windows\System32\tzres.dll
2008-09-23 05:34 303,616 ----a-w c:\windows\System32\wmpeffects.dll
2008-09-23 05:21 9,847,296 ----a-w c:\windows\System32\NlsData000a.dll
2008-09-23 05:18 181,760 ----a-w c:\windows\System32\fsquirt.exe
2008-09-23 05:16 988,216 ----a-w c:\windows\System32\winload.exe
2008-09-23 05:16 927,288 ----a-w c:\windows\System32\winresume.exe
2008-09-23 05:16 615,992 ----a-w c:\windows\System32\ci.dll
2008-09-23 05:16 6,656 ----a-w c:\windows\System32\kbd106n.dll
2008-09-23 05:16 46,592 ----a-w c:\windows\System32\setbcdlocale.dll
2008-09-23 05:16 40,960 ----a-w c:\windows\System32\srclient.dll
2008-09-23 05:16 378,368 ----a-w c:\windows\System32\srcore.dll
2008-09-23 05:16 318,464 ----a-w c:\windows\System32\rstrui.exe
2008-09-23 05:16 19,000 ----a-w c:\windows\System32\kd1394.dll
2008-09-23 05:16 14,848 ----a-w c:\windows\System32\srdelayed.exe
2008-09-23 05:13 295,936 ----a-w c:\windows\System32\gdi32.dll
2008-09-23 05:10 14,848 ----a-w c:\windows\System32\wshrm.dll
2008-09-23 05:07 84,480 ----a-w c:\windows\System32\INETRES.dll
2008-09-23 05:07 738,304 ----a-w c:\windows\System32\inetcomm.dll
2008-09-23 05:07 1,314,816 ----a-w c:\windows\System32\quartz.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-09-30 171448]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"Google Update"="c:\users\Amy Jarvis\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-27 133104]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 c:\windows\System32\oobefldr.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2008-11-11 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E5495DBB-AD3D-4CD1-9D8B-7489846B7769}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{3E168AAF-2331-4D42-A610-34444C3A3CCD}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{AFECB509-49EF-4643-9399-814037B9C070}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{B046A0F0-4584-47A1-BA68-4E42A55FDD1A}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{8CAD2C21-4932-4761-9A3E-63A65C429FE8}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{531FF2CC-EEBA-4B0D-9EB6-96FE8A23EC35}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E98D1339-3610-4394-9F00-51C1710590BA}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-11-15 73728]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-26 203280]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-26 179712]
S3 GoToAssist;GoToAssist;"c:\program files\Citrix\GoToAssist\514\g2aservice.exe" Start=service [2008-10-11 16680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afe9ed4a-8b4d-11dd-894b-980e8620a72b}]
\shell\AutoRun\command - f:\wd_windows_tools\setup.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-12-05 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Amy Jarvis\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-27 18:36]
2008-09-23 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-09-23 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-FixCamera - c:\windows\FixCamera.exe
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://70.90.47.90:86/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 12:01:05
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-07 12:05:14
ComboFix-quarantined-files.txt 2008-12-07 19:05:10
Pre-Run: 81,412,227,072 bytes free
Post-Run: 82,826,866,688 bytes free
253 --- E O F --- 2008-12-02 10:05:09
Senior Member
7. December 2008 @ 22:09 |
Hey ayostos
You look clean. Any more problems?
Best Regards :D
Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.
ayostos
Newbie
8. December 2008 @ 18:57 |
I haven't had any problems so far. Thanks for all the help; I truly appreciate it.
Thanks again-
Amy