"system Integrity" Spyware Ad Pop-ups


  • This topic is locked
18 replies to this topic

#1 BLEUGENE

  • Members
  • 9 posts

Posted 12 April 2008 - 06:51 PM

I am new, and confused because my son has left for college. I subscribed because I need help. thank you in advance.

I have the pop-ups like BLUENOSE posted, that say SYSTEM INTEGRITY AT RISK and pop up that there are Trojans etc. I ran SmitFraudFix and the DSS. The Notepad documents follow in that order. Again, thank you.





SmitFraudFix v2.312

Scan done at 18:50:52.70, Sat 04/12/2008
Run from C:\Users\elizabeth\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\ProgramData\fqzpoacr\kzexenul.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe
C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\elizabeth


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\elizabeth\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\users\ELIZAB~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller
DNS Server Search Order: 66.207.234.14
DNS Server Search Order: 66.207.224.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{65CB202F-C53A-47EC-A58C-BF660DF2134C}: DhcpNameServer=66.207.234.14 66.207.224.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{65CB202F-C53A-47EC-A58C-BF660DF2134C}: DhcpNameServer=66.207.234.14 66.207.224.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{65CB202F-C53A-47EC-A58C-BF660DF2134C}: DhcpNameServer=66.207.234.14 66.207.224.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.207.234.14 66.207.224.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.207.234.14 66.207.224.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.207.234.14 66.207.224.2


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End





Deckard's System Scanner v20071014.68
Run by elizabeth on 2008-04-12 19:30:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
27: 2008-04-12 04:00:09 UTC - RP249 - Scheduled Checkpoint
26: 2008-04-11 05:56:38 UTC - RP248 - Windows Update
25: 2008-04-10 22:17:53 UTC - RP247 - Installed Java™ 6 Update 5
24: 2008-04-10 07:00:26 UTC - RP246 - Windows Update
23: 2008-04-10 04:00:10 UTC - RP245 - Scheduled Checkpoint


-- First Restore Point --
1: 2008-03-29 06:55:15 UTC - RP220 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 894 MiB (1024 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-12 19:33:57
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\ProgramData\fqzpoacr\kzexenul.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe
C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\cmd.exe
C:\Windows\notepad.exe
C:\Users\elizabeth\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.207.224.1:80
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [fqzpoacr] C:\ProgramData\fqzpoacr\kzexenul.exe
O4 - HKCU\..\Run: [ABC11FirstAlert] C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: WRAL DESKTOP WEATHER.lnk = C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe


--
End of file - 7283 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Compact Flash
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.00#20021111153705700&0#
Manufacturer: Generic-
Name: Compact Flash
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.00#20021111153705700&0#
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-04-12 19:30:00 422 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{D7A0114A-B158-4E11-9F9B-DD66B4321477}.job
2008-04-11 20:00:00 496 --a------ C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - elizabeth.job


-- Files created between 2008-03-12 and 2008-04-12 -----------------------------

2008-04-12 18:50:57 2616 --a------ C:\Windows\system32\tmp.reg
2008-04-12 18:50:12 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-04-12 18:50:12 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-12 18:50:12 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-12 18:50:12 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-12 18:50:12 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-12 18:50:12 51200 --a------ C:\Windows\system32\dumphive.exe
2008-04-12 18:50:11 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-12 16:24:45 0 d-------- C:\Program Files\ABC11FirstAlert
2008-04-12 16:18:43 61440 --a------ C:\Windows\wnUninstall.exe
2008-04-12 16:18:43 0 d-------- C:\Program Files\Common Files\WRAL DESKTOP WEATHER
2008-04-06 18:08:00 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-04-06 18:05:27 0 d-------- C:\Program Files\Common Files\Java
2008-04-05 01:41:03 0 d-------- C:\Users\elizabeth\Desktopvirii
2008-04-05 01:41:03 4096 --a------ C:\Users\elizabeth\DesktopFWebdEditor.exe
2008-04-05 01:41:03 4096 --a------ C:\Users\elizabeth\Desktopfwebd.exe
2008-04-05 01:41:03 4096 --a------ C:\Users\elizabeth\Desktopfilemanagerclient.exe
2008-04-05 01:40:50 0 d-------- C:\Users\All Users\mbunoxan
2008-04-05 01:40:50 0 d-------- C:\Users\All Users\fqzpoacr
2008-03-29 14:15:33 0 d-------- C:\Windows\system32\Adobe
2008-03-22 03:03:48 0 d-------- C:\58b44bd1e2cfb1148c


-- Find3M Report ---------------------------------------------------------------

2008-04-12 16:18:43 0 d-------- C:\Program Files\Common Files
2008-04-10 18:22:34 0 d-------- C:\Program Files\Java
2008-04-10 18:11:45 0 d-------- C:\Users\elizabeth\AppData\Roaming\OpenOffice.org2
2008-04-10 03:11:21 0 d-------- C:\Program Files\Windows Mail
2008-03-29 22:49:06 0 d-------- C:\Program Files\earthlink totalaccess
2008-03-29 16:05:12 0 d-------- C:\Users\elizabeth\AppData\Roaming\Adobe
2008-03-27 18:56:07 0 d-------- C:\Program Files\HP Games
2008-03-26 23:37:55 0 d-------- C:\Program Files\Google
2008-03-26 22:52:00 0 d-------- C:\Program Files\QuickTime
2008-03-26 22:50:20 0 d-------- C:\Users\elizabeth\AppData\Roaming\Google
2008-03-26 22:50:17 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-21 16:28:12 0 d-------- C:\Users\elizabeth\AppData\Roaming\MSNInstaller
2008-03-21 16:17:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-27 03:02:37 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-24 22:12:36 1120 --a------ C:\Users\elizabeth\AppData\Roaming\wklnhst.dat
2008-02-17 20:43:04 0 d-------- C:\Users\elizabeth\AppData\Roaming\Leadertech


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [04/16/2007 06:42 PM]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [09/28/2006 09:42 AM]
"RtHDVCpl"="RtHDVCpl.exe" [12/08/2006 05:51 PM C:\Windows\RtHDVCpl.exe]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/17/2005 03:11 AM]
"@"="" []
"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 05:45 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 09:54 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [07/06/2007 09:15 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [07/06/2007 09:15 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [07/06/2007 09:15 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [02/16/2005 09:15 PM]
"fqzpoacr"="C:\ProgramData\fqzpoacr\kzexenul.exe" [04/05/2008 01:40 AM]
"ABC11FirstAlert"="C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe" [11/14/2006 10:13 PM]

C:\Users\elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 3:41:28 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
WRAL DESKTOP WEATHER.lnk - C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe [4/12/2008 4:18:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"=2 (0x2)
"DontDisplayLogonHoursWarnings"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\earthlink totalaccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1176653846\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b8dc95e-a00a-11db-9f6a-806e6f6e6963}]
AutoRun\command- E:\Setup.exe
setup\command- E:\setup.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-12 19:35:37 ------------
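The HijackThis-style section of the DSS log above is the part a forum helper reads first: the O4 Run values, the R1 Internet Settings lines, and the O23 services. What follows is an added example written for this page, not code from the original post and not part of SmitFraudFix or Deckard's System Scanner. It parses those line types and applies the same heuristics a helper applies by eye: an autorun binary launched from a user-writable data directory such as ProgramData, a Run value whose name looks machine-generated, an explicit HTTP proxy set in the user's Internet Settings, and a service whose publisher is listed as unknown. The sample lines are copied from the log above; the directory list, the 7 to 10 lowercase-letter test for generated names, and the severity labels are my assumptions, and a hit means "ask about this", not "this is malware".

```python
"""Triage of HijackThis-style autorun lines: flag what a helper asks about first."""
import re

# Lines copied from the DSS "HijackThis Clone" section above. This is a
# constructed subset of that log so the example runs stand-alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.207.224.1:80
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [fqzpoacr] C:\ProgramData\fqzpoacr\kzexenul.exe
O4 - HKCU\..\Run: [ABC11FirstAlert] C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
"""

# Autorun binaries living in these user-writable data locations deserve a
# look; installed software normally lives under Program Files or Windows.
# (Assumed list for this example, not taken from the page.)
USER_WRITABLE_DIRS = ("\\programdata\\", "\\users\\all users\\",
                      "\\appdata\\", "\\temp\\", "\\users\\public\\")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R1_PROXY_RE = re.compile(r"^R1 - (?P<key>.+?),ProxyServer = (?P<proxy>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First drive- or %VAR%-rooted .exe/.dll in a command line.
PATH_RE = re.compile(r"(?i)((?:[a-z]:|%\w+%)\\[^\",]*?\.(?:exe|dll))")
# Weak signal for machine-generated names (assumed threshold: 7-10 lowercase letters).
RANDOM_NAME_RE = re.compile(r"[a-z]{7,10}")


def payload_path(cmd):
    """Return the binary a Run value actually loads.

    For 'RUNDLL32.EXE C:\\x\\y.dll,Entry' that is the DLL, not rundll32 itself."""
    m = PATH_RE.search(cmd)
    return m.group(1) if m else cmd.strip().strip('"')


def looks_generated(name):
    """True for names made only of lowercase letters in the assumed length range."""
    return RANDOM_NAME_RE.fullmatch(name) is not None


def triage(log_text):
    """Return one finding dict per line worth asking the poster about."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = payload_path(m.group("cmd"))
            low = path.lower()
            if any(d in low for d in USER_WRITABLE_DIRS):
                reasons = ["autorun binary in a user-writable data directory"]
                severity = "medium"
                if looks_generated(m.group("name")):
                    reasons.append("Run value name looks machine-generated")
                    severity = "high"
                findings.append({"type": "autorun", "name": m.group("name"),
                                 "hive": m.group("hive"), "path": path,
                                 "severity": severity, "reasons": reasons})
            continue
        m = R1_PROXY_RE.match(line)
        if m:
            findings.append({"type": "proxy", "name": "ProxyServer",
                             "hive": m.group("key"), "path": m.group("proxy"),
                             "severity": "medium",
                             "reasons": ["explicit HTTP proxy set for this user; confirm it is expected"]})
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append({"type": "service", "name": m.group("svc"),
                             "hive": "HKLM\\SYSTEM\\CurrentControlSet\\Services",
                             "path": m.group("path"), "severity": "low",
                             "reasons": ["service binary has no publisher in the listing; check its signature"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['type']:8} {f['name']!r:20} {f['path']}")
        for r in f["reasons"]:
            print("         -", r)
```

Run against the sample it reports three items: the HKCU Run value fqzpoacr launching kzexenul.exe from ProgramData (high, because the location and the name both trip), the ProxyServer entry pointing at 66.207.224.1:80 (medium), and the Symantec Core LC service with no listed owner (low). The Defender, NVIDIA, InstallShield and weather entries pass. The output is a question list for the poster, not a verdict; the helper still confirms each item by checking the file's properties and signature on the machine.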






2008-04-05 01:41:03 4096 --a------ C:\Users\elizabeth\Desktopfwebd.exe
2008-04-05 01:41:03 4096 --a------ C:\Users\elizabeth\Desktopfilemanagerclient.exe
2008-04-05 01:40:50 0 d-------- C:\Users\All Users\mbunoxan
2008-04-05 01:40:50 0 d-------- C:\Users\All Users\fqzpoacr
2008-03-29 14:15:33 0 d-------- C:\Windows\system32\Adobe
2008-03-22 03:03:48 0 d-------- C:\58b44bd1e2cfb1148c


-- Find3M Report ---------------------------------------------------------------

2008-04-12 16:18:43 0 d-------- C:\Program Files\Common Files
2008-04-10 18:22:34 0 d-------- C:\Program Files\Java
2008-04-10 18:11:45 0 d-------- C:\Users\elizabeth\AppData\Roaming\OpenOffice.org2
2008-04-10 03:11:21 0 d-------- C:\Program Files\Windows Mail
2008-03-29 22:49:06 0 d-------- C:\Program Files\earthlink totalaccess
2008-03-29 16:05:12 0 d-------- C:\Users\elizabeth\AppData\Roaming\Adobe
2008-03-27 18:56:07 0 d-------- C:\Program Files\HP Games
2008-03-26 23:37:55 0 d-------- C:\Program Files\Google
2008-03-26 22:52:00 0 d-------- C:\Program Files\QuickTime
2008-03-26 22:50:20 0 d-------- C:\Users\elizabeth\AppData\Roaming\Google
2008-03-26 22:50:17 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-21 16:28:12 0 d-------- C:\Users\elizabeth\AppData\Roaming\MSNInstaller
2008-03-21 16:17:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-27 03:02:37 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-24 22:12:36 1120 --a------ C:\Users\elizabeth\AppData\Roaming\wklnhst.dat
2008-02-17 20:43:04 0 d-------- C:\Users\elizabeth\AppData\Roaming\Leadertech


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [04/16/2007 06:42 PM]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [09/28/2006 09:42 AM]
"RtHDVCpl"="RtHDVCpl.exe" [12/08/2006 05:51 PM C:\Windows\RtHDVCpl.exe]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/17/2005 03:11 AM]
"@"="" []
"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 05:45 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 09:54 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [07/06/2007 09:15 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [07/06/2007 09:15 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [07/06/2007 09:15 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [02/16/2005 09:15 PM]
"fqzpoacr"="C:\ProgramData\fqzpoacr\kzexenul.exe" [04/05/2008 01:40 AM]
"ABC11FirstAlert"="C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe" [11/14/2006 10:13 PM]

C:\Users\elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 3:41:28 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
WRAL DESKTOP WEATHER.lnk - C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe [4/12/2008 4:18:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"=2 (0x2)
"DontDisplayLogonHoursWarnings"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\earthlink totalaccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1176653846\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b8dc95e-a00a-11db-9f6a-806e6f6e6963}]
AutoRun\command- E:\Setup.exe
setup\command- E:\setup.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-12 19:35:37 ------------


#2 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 12 April 2008 - 08:41 PM

Hello BLEUGENE,

Welcome to Bleeping Computer :thumbsup:

Please delete SmitfraudFix. :blink:

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 BLEUGENE (Topic Starter)

Posted 12 April 2008 - 11:11 PM

ComboFix 08-04-12.5 - elizabeth 2008-04-12 23:33:04.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.261 [GMT -4:00]
Running from: C:\Users\elizabeth\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\elizabeth\Desktopblackbird.jpg
C:\Users\elizabeth\DesktopEditorFKWP1.5.exe
C:\Users\elizabeth\DesktopEditorFKWP2.0.exe
C:\Users\elizabeth\Desktopfilemanagerclient.exe
C:\Users\elizabeth\Desktopfkwp1.5.exe
C:\Users\elizabeth\Desktopfkwp2.0.exe
C:\Users\elizabeth\Desktopfwebd.exe
C:\Users\elizabeth\DesktopFWebdEditor.exe
C:\Users\elizabeth\DesktopTrojan.Win32.BlackBird.exe
C:\Users\elizabeth\Desktopvirii

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ccEvtMgr


((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 21:34 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-04-12 20:26 --------- d-----w C:\Program Files\ABC11FirstAlert
2008-04-12 20:20 --------- d-----w C:\Program Files\Common Files\WRAL DESKTOP WEATHER
2008-04-12 20:18 61,440 ----a-w C:\Windows\wnUninstall.exe
2008-04-12 17:49 82,432 ----a-w C:\Windows\System32\IEDFix.exe
2008-04-10 22:22 --------- d-----w C:\Program Files\Java
2008-04-10 22:11 --------- d-----w C:\Users\elizabeth\AppData\Roaming\OpenOffice.org2
2008-04-10 07:11 --------- d-----w C:\Program Files\Windows Mail
2008-04-06 22:08 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-06 22:05 --------- d-----w C:\Program Files\Common Files\Java
2008-04-05 05:40 --------- d-----w C:\PROGRA~2\mbunoxan
2008-04-05 05:40 --------- d-----w C:\PROGRA~2\fqzpoacr
2008-03-30 02:49 --------- d-----w C:\Program Files\earthlink totalaccess
2008-03-29 20:02 --------- d-----w C:\PROGRA~2\Symantec
2008-03-27 22:56 --------- d-----w C:\Program Files\HP Games
2008-03-27 22:41 --------- d-----w C:\PROGRA~2\WildTangent
2008-03-27 03:37 --------- d-----w C:\Program Files\Google
2008-03-27 02:52 --------- d-----w C:\Program Files\QuickTime
2008-03-27 02:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 07:02 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-03-22 07:02 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-03-21 20:28 --------- d-----w C:\Users\elizabeth\AppData\Roaming\MSNInstaller
2008-03-21 20:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-07 01:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-27 08:01 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-02-27 07:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-25 02:12 1,120 ----a-w C:\Users\elizabeth\AppData\Roaming\wklnhst.dat
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-18 00:43 --------- d-----w C:\Users\elizabeth\AppData\Roaming\Leadertech
2008-02-15 08:10 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-15 08:10 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-15 08:06 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-15 08:06 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-15 08:06 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-15 08:06 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-02-15 08:06 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-15 08:06 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-15 08:06 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-15 08:06 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-15 08:05 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-15 08:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-15 08:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-15 08:05 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-15 08:05 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-15 08:05 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-15 08:05 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-15 08:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-15 08:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-15 08:05 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-15 08:05 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-01-27 07:20 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2007-09-20 07:18 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 21:15 221184]
"fqzpoacr"="C:\ProgramData\fqzpoacr\kzexenul.exe" [2008-04-05 01:40 94208]
"ABC11FirstAlert"="C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe" [2006-11-14 22:13 253952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-16 18:42 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 09:42 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-08 17:51 4227072 C:\Windows\RtHDVCpl.exe]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 03:11 49152]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45 222208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54 116072]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 21:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 21:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 21:15 81920]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Users\elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
WRAL DESKTOP WEATHER.lnk - C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe [2008-04-12 16:18:43 3731968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
C:\Program Files\earthlink totalaccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1176653846\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9721B0EC-B857-4CCB-95F4-87E2148199EF}"= C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{0B208427-AC56-4A1C-98E5-D523827AEC2B}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{80431B57-F86E-4C45-89BE-CBD932C34698}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6C5E5C9F-D414-4C37-8F62-87426374E445}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{005DE927-7EEF-40A6-8695-094A821735F5}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{77264ACE-CEF6-4EB4-8905-06A27E90D306}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1B757D18-5C6F-4F89-BB87-8FC947427FAF}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7313F568-2BD6-410A-8191-FC2053A81B84}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{84F0B863-AE18-4602-9279-61EEE76B0ECF}"= UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{267F6161-5002-4BE3-AA77-62DBAF97A262}"= TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{DE1292C9-226D-4281-8066-2543AFD0C3C8}"= UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{FC44282E-0022-49F9-9146-F250C2256C09}"= TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{1DE2B7CA-C25B-4863-B132-ECB78CB67461}"= UDP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{D4846585-65AB-4E82-9D71-88222380C7B5}"= TCP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{F2C6E9A8-F9A8-4ABC-8296-0E2F9B5BA37A}"= UDP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{09916214-E5E4-473A-AA17-3B63879279CA}"= TCP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{553BC12F-22A8-468B-B588-2AD7629896E9}"= UDP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{5661FF94-8E5C-4DBD-9B68-055CC321B269}"= TCP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{1B8916D9-CA22-4902-9A2F-1DB41D236995}"= UDP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{3A1BD772-D4D1-4BAC-820F-5A3FC7AA6A2E}"= TCP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{C88D1779-B070-4A4B-A09B-2C6B7C88CDC7}"= UDP:28900:direct2drive
"{C7319984-F542-4F26-9D8F-004637AEACA1}"= UDP:C:\Program Files\Download Manager\DLM.exe:Download Manager
"{56ED0574-D974-4812-A0CD-417ECD4B86F2}"= TCP:C:\Program Files\Download Manager\DLM.exe:Download Manager
"{B72CEF38-46BE-4A13-A83C-182F6F64BB2F}"= TCP:29800:direct2drive
"{1396DEDF-C28A-4618-8215-0DC737C84195}"= TCP:28900:direct2drive
"TCP Query User{EC123D67-388F-4E40-A98A-DFE0BB617EC9}C:\\program files\\hp games\\wheel of fortune\\wheel of fortune.exe"= UDP:C:\program files\hp games\wheel of fortune\wheel of fortune.exe:Wheel of Fortune
"UDP Query User{40B05263-4798-4D20-8E6C-AE99761B8C02}C:\\program files\\hp games\\wheel of fortune\\wheel of fortune.exe"= TCP:C:\program files\hp games\wheel of fortune\wheel of fortune.exe:Wheel of Fortune
"{744B29AA-30AF-42EA-B033-CA7589B06498}"= UDP:E:\setup.exe:setup
"{9BEFD93E-38DE-489A-A720-B778AF6FA2E2}"= TCP:E:\setup.exe:setup
"{B28520BE-0D12-4FF5-B11E-15F57AAC5CC0}"= UDP:C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe:Acrobat Reader 4.0
"{B726A459-4356-44BF-A35F-982B4F3826F8}"= TCP:C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe:Acrobat Reader 4.0
"{74BE57DD-7371-454D-B145-E91F9932A2B5}"= Disabled:UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{AAC817F4-D0D8-4B5F-9B28-1783D5218777}"= Disabled:TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{73C2D7DA-B904-4ADC-BAC4-D9677F3A4450}"= Disabled:UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{0623772C-5776-46B2-852D-452299360294}"= Disabled:TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{80BE8311-2CAA-4A25-ADD5-4D94B8C00FBE}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{22A0C734-A15B-4FF6-8C5B-73A67A87DD3A}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D67F56FF-86EA-4D46-8EA8-3D7FA9AA98F8}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4DD173A6-344C-4218-860B-FE8E1EBCAA9E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080407.002\IDSvix86.sys [2008-02-13 12:18]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 16:44]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 20:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b8dc95e-a00a-11db-9f6a-806e6f6e6963}]
\shell\AutoRun\command - E:\Setup.exe
\shell\setup\command - E:\setup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 00:00:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - elizabeth.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-04-13 03:35:00 C:\Windows\Tasks\User_Feed_Synchronization-{D7A0114A-B158-4E11-9F9B-DD66B4321477}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 00:01:54
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2008-04-13 0:03:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 04:03:48
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
.
2008-04-11 05:57:13 --- E O F ---

#4 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 12 April 2008 - 11:32 PM

Hello,

Thanks for that. :thumbsup: Could I please see a new HijackThis log? :blink: How is it running now?

Thanks,
tea

#5 BLEUGENE (Topic Starter)

Posted 13 April 2008 - 12:12 AM

I thought I had lost Norton, but I think it was just the taskbar icon I lost. Kinda slower than it was, and that spware.biz showed up twice thus far. Thank you for the support.


ComboFix 08-04-12.5 - elizabeth 2008-04-12 23:33:04.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.261 [GMT -4:00]
Running from: C:\Users\elizabeth\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\elizabeth\Desktopblackbird.jpg
C:\Users\elizabeth\DesktopEditorFKWP1.5.exe
C:\Users\elizabeth\DesktopEditorFKWP2.0.exe
C:\Users\elizabeth\Desktopfilemanagerclient.exe
C:\Users\elizabeth\Desktopfkwp1.5.exe
C:\Users\elizabeth\Desktopfkwp2.0.exe
C:\Users\elizabeth\Desktopfwebd.exe
C:\Users\elizabeth\DesktopFWebdEditor.exe
C:\Users\elizabeth\DesktopTrojan.Win32.BlackBird.exe
C:\Users\elizabeth\Desktopvirii

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ccEvtMgr


((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 21:34 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-04-12 20:26 --------- d-----w C:\Program Files\ABC11FirstAlert
2008-04-12 20:20 --------- d-----w C:\Program Files\Common Files\WRAL DESKTOP WEATHER
2008-04-12 20:18 61,440 ----a-w C:\Windows\wnUninstall.exe
2008-04-12 17:49 82,432 ----a-w C:\Windows\System32\IEDFix.exe
2008-04-10 22:22 --------- d-----w C:\Program Files\Java
2008-04-10 22:11 --------- d-----w C:\Users\elizabeth\AppData\Roaming\OpenOffice.org2
2008-04-10 07:11 --------- d-----w C:\Program Files\Windows Mail
2008-04-06 22:08 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-06 22:05 --------- d-----w C:\Program Files\Common Files\Java
2008-04-05 05:40 --------- d-----w C:\PROGRA~2\mbunoxan
2008-04-05 05:40 --------- d-----w C:\PROGRA~2\fqzpoacr
2008-03-30 02:49 --------- d-----w C:\Program Files\earthlink totalaccess
2008-03-29 20:02 --------- d-----w C:\PROGRA~2\Symantec
2008-03-27 22:56 --------- d-----w C:\Program Files\HP Games
2008-03-27 22:41 --------- d-----w C:\PROGRA~2\WildTangent
2008-03-27 03:37 --------- d-----w C:\Program Files\Google
2008-03-27 02:52 --------- d-----w C:\Program Files\QuickTime
2008-03-27 02:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 07:02 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-03-22 07:02 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-03-21 20:28 --------- d-----w C:\Users\elizabeth\AppData\Roaming\MSNInstaller
2008-03-21 20:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-07 01:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-27 08:01 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-02-27 07:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-25 02:12 1,120 ----a-w C:\Users\elizabeth\AppData\Roaming\wklnhst.dat
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-18 00:43 --------- d-----w C:\Users\elizabeth\AppData\Roaming\Leadertech
2008-02-15 08:10 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-15 08:10 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-15 08:06 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-15 08:06 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-15 08:06 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-15 08:06 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-02-15 08:06 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-15 08:06 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-15 08:06 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-15 08:06 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-15 08:05 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-15 08:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-15 08:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-15 08:05 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-15 08:05 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-15 08:05 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-15 08:05 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-15 08:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-15 08:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-15 08:05 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-15 08:05 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-01-27 07:20 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2007-09-20 07:18 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 21:15 221184]
"fqzpoacr"="C:\ProgramData\fqzpoacr\kzexenul.exe" [2008-04-05 01:40 94208]
"ABC11FirstAlert"="C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe" [2006-11-14 22:13 253952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-16 18:42 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 09:42 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-08 17:51 4227072 C:\Windows\RtHDVCpl.exe]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 03:11 49152]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45 222208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54 116072]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 21:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 21:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 21:15 81920]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Users\elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
WRAL DESKTOP WEATHER.lnk - C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe [2008-04-12 16:18:43 3731968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
C:\Program Files\earthlink totalaccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1176653846\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9721B0EC-B857-4CCB-95F4-87E2148199EF}"= C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{0B208427-AC56-4A1C-98E5-D523827AEC2B}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{80431B57-F86E-4C45-89BE-CBD932C34698}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6C5E5C9F-D414-4C37-8F62-87426374E445}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{005DE927-7EEF-40A6-8695-094A821735F5}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{77264ACE-CEF6-4EB4-8905-06A27E90D306}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1B757D18-5C6F-4F89-BB87-8FC947427FAF}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7313F568-2BD6-410A-8191-FC2053A81B84}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{84F0B863-AE18-4602-9279-61EEE76B0ECF}"= UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{267F6161-5002-4BE3-AA77-62DBAF97A262}"= TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{DE1292C9-226D-4281-8066-2543AFD0C3C8}"= UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{FC44282E-0022-49F9-9146-F250C2256C09}"= TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{1DE2B7CA-C25B-4863-B132-ECB78CB67461}"= UDP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{D4846585-65AB-4E82-9D71-88222380C7B5}"= TCP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{F2C6E9A8-F9A8-4ABC-8296-0E2F9B5BA37A}"= UDP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{09916214-E5E4-473A-AA17-3B63879279CA}"= TCP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{553BC12F-22A8-468B-B588-2AD7629896E9}"= UDP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{5661FF94-8E5C-4DBD-9B68-055CC321B269}"= TCP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{1B8916D9-CA22-4902-9A2F-1DB41D236995}"= UDP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{3A1BD772-D4D1-4BAC-820F-5A3FC7AA6A2E}"= TCP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{C88D1779-B070-4A4B-A09B-2C6B7C88CDC7}"= UDP:28900:direct2drive
"{C7319984-F542-4F26-9D8F-004637AEACA1}"= UDP:C:\Program Files\Download Manager\DLM.exe:Download Manager
"{56ED0574-D974-4812-A0CD-417ECD4B86F2}"= TCP:C:\Program Files\Download Manager\DLM.exe:Download Manager
"{B72CEF38-46BE-4A13-A83C-182F6F64BB2F}"= TCP:29800:direct2drive
"{1396DEDF-C28A-4618-8215-0DC737C84195}"= TCP:28900:direct2drive
"TCP Query User{EC123D67-388F-4E40-A98A-DFE0BB617EC9}C:\\program files\\hp games\\wheel of fortune\\wheel of fortune.exe"= UDP:C:\program files\hp games\wheel of fortune\wheel of fortune.exe:Wheel of Fortune
"UDP Query User{40B05263-4798-4D20-8E6C-AE99761B8C02}C:\\program files\\hp games\\wheel of fortune\\wheel of fortune.exe"= TCP:C:\program files\hp games\wheel of fortune\wheel of fortune.exe:Wheel of Fortune
"{744B29AA-30AF-42EA-B033-CA7589B06498}"= UDP:E:\setup.exe:setup
"{9BEFD93E-38DE-489A-A720-B778AF6FA2E2}"= TCP:E:\setup.exe:setup
"{B28520BE-0D12-4FF5-B11E-15F57AAC5CC0}"= UDP:C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe:Acrobat Reader 4.0
"{B726A459-4356-44BF-A35F-982B4F3826F8}"= TCP:C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe:Acrobat Reader 4.0
"{74BE57DD-7371-454D-B145-E91F9932A2B5}"= Disabled:UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{AAC817F4-D0D8-4B5F-9B28-1783D5218777}"= Disabled:TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{73C2D7DA-B904-4ADC-BAC4-D9677F3A4450}"= Disabled:UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{0623772C-5776-46B2-852D-452299360294}"= Disabled:TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{80BE8311-2CAA-4A25-ADD5-4D94B8C00FBE}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{22A0C734-A15B-4FF6-8C5B-73A67A87DD3A}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D67F56FF-86EA-4D46-8EA8-3D7FA9AA98F8}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4DD173A6-344C-4218-860B-FE8E1EBCAA9E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080407.002\IDSvix86.sys [2008-02-13 12:18]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 16:44]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 20:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b8dc95e-a00a-11db-9f6a-806e6f6e6963}]
\shell\AutoRun\command - E:\Setup.exe
\shell\setup\command - E:\setup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 00:00:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - elizabeth.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-04-13 03:35:00 C:\Windows\Tasks\User_Feed_Synchronization-{D7A0114A-B158-4E11-9F9B-DD66B4321477}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 00:01:54
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2008-04-13 0:03:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 04:03:48
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
.
2008-04-11 05:57:13 --- E O F ---

#6 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 April 2008 - 12:15 AM

Hello,

You're welcome, but you posted the ComboFix log and I need to see a new HijackThis log, please. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#7 BLEUGENE
  • Topic Starter

  • Members
  • 9 posts

Posted 13 April 2008 - 12:22 AM

ComboFix 08-04-12.5 - elizabeth 2008-04-12 23:33:04.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.261 [GMT -4:00]
Running from: C:\Users\elizabeth\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\elizabeth\Desktopblackbird.jpg
C:\Users\elizabeth\DesktopEditorFKWP1.5.exe
C:\Users\elizabeth\DesktopEditorFKWP2.0.exe
C:\Users\elizabeth\Desktopfilemanagerclient.exe
C:\Users\elizabeth\Desktopfkwp1.5.exe
C:\Users\elizabeth\Desktopfkwp2.0.exe
C:\Users\elizabeth\Desktopfwebd.exe
C:\Users\elizabeth\DesktopFWebdEditor.exe
C:\Users\elizabeth\DesktopTrojan.Win32.BlackBird.exe
C:\Users\elizabeth\Desktopvirii

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ccEvtMgr


((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 21:34 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-04-12 20:26 --------- d-----w C:\Program Files\ABC11FirstAlert
2008-04-12 20:20 --------- d-----w C:\Program Files\Common Files\WRAL DESKTOP WEATHER
2008-04-12 20:18 61,440 ----a-w C:\Windows\wnUninstall.exe
2008-04-12 17:49 82,432 ----a-w C:\Windows\System32\IEDFix.exe
2008-04-10 22:22 --------- d-----w C:\Program Files\Java
2008-04-10 22:11 --------- d-----w C:\Users\elizabeth\AppData\Roaming\OpenOffice.org2
2008-04-10 07:11 --------- d-----w C:\Program Files\Windows Mail
2008-04-06 22:08 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-06 22:05 --------- d-----w C:\Program Files\Common Files\Java
2008-04-05 05:40 --------- d-----w C:\PROGRA~2\mbunoxan
2008-04-05 05:40 --------- d-----w C:\PROGRA~2\fqzpoacr
2008-03-30 02:49 --------- d-----w C:\Program Files\earthlink totalaccess
2008-03-29 20:02 --------- d-----w C:\PROGRA~2\Symantec
2008-03-27 22:56 --------- d-----w C:\Program Files\HP Games
2008-03-27 22:41 --------- d-----w C:\PROGRA~2\WildTangent
2008-03-27 03:37 --------- d-----w C:\Program Files\Google
2008-03-27 02:52 --------- d-----w C:\Program Files\QuickTime
2008-03-27 02:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 07:02 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-03-22 07:02 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-03-21 20:28 --------- d-----w C:\Users\elizabeth\AppData\Roaming\MSNInstaller
2008-03-21 20:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-07 01:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-27 08:01 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-02-27 07:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-25 02:12 1,120 ----a-w C:\Users\elizabeth\AppData\Roaming\wklnhst.dat
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-18 00:43 --------- d-----w C:\Users\elizabeth\AppData\Roaming\Leadertech
2008-02-15 08:10 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-15 08:10 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-15 08:06 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-15 08:06 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-15 08:06 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-15 08:06 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-02-15 08:06 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-15 08:06 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-15 08:06 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-15 08:06 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-15 08:05 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-15 08:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-15 08:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-15 08:05 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-15 08:05 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-15 08:05 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-15 08:05 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-15 08:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-15 08:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-15 08:05 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-15 08:05 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-01-27 07:20 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2007-09-20 07:18 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 21:15 221184]
"fqzpoacr"="C:\ProgramData\fqzpoacr\kzexenul.exe" [2008-04-05 01:40 94208]
"ABC11FirstAlert"="C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe" [2006-11-14 22:13 253952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-16 18:42 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 09:42 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-08 17:51 4227072 C:\Windows\RtHDVCpl.exe]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 03:11 49152]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45 222208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54 116072]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 21:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 21:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 21:15 81920]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Users\elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
WRAL DESKTOP WEATHER.lnk - C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe [2008-04-12 16:18:43 3731968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
C:\Program Files\earthlink totalaccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1176653846\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9721B0EC-B857-4CCB-95F4-87E2148199EF}"= C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{0B208427-AC56-4A1C-98E5-D523827AEC2B}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{80431B57-F86E-4C45-89BE-CBD932C34698}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6C5E5C9F-D414-4C37-8F62-87426374E445}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{005DE927-7EEF-40A6-8695-094A821735F5}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{77264ACE-CEF6-4EB4-8905-06A27E90D306}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1B757D18-5C6F-4F89-BB87-8FC947427FAF}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7313F568-2BD6-410A-8191-FC2053A81B84}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{84F0B863-AE18-4602-9279-61EEE76B0ECF}"= UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{267F6161-5002-4BE3-AA77-62DBAF97A262}"= TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{DE1292C9-226D-4281-8066-2543AFD0C3C8}"= UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{FC44282E-0022-49F9-9146-F250C2256C09}"= TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{1DE2B7CA-C25B-4863-B132-ECB78CB67461}"= UDP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{D4846585-65AB-4E82-9D71-88222380C7B5}"= TCP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{F2C6E9A8-F9A8-4ABC-8296-0E2F9B5BA37A}"= UDP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{09916214-E5E4-473A-AA17-3B63879279CA}"= TCP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{553BC12F-22A8-468B-B588-2AD7629896E9}"= UDP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{5661FF94-8E5C-4DBD-9B68-055CC321B269}"= TCP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{1B8916D9-CA22-4902-9A2F-1DB41D236995}"= UDP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{3A1BD772-D4D1-4BAC-820F-5A3FC7AA6A2E}"= TCP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{C88D1779-B070-4A4B-A09B-2C6B7C88CDC7}"= UDP:28900:direct2drive
"{C7319984-F542-4F26-9D8F-004637AEACA1}"= UDP:C:\Program Files\Download Manager\DLM.exe:Download Manager
"{56ED0574-D974-4812-A0CD-417ECD4B86F2}"= TCP:C:\Program Files\Download Manager\DLM.exe:Download Manager
"{B72CEF38-46BE-4A13-A83C-182F6F64BB2F}"= TCP:29800:direct2drive
"{1396DEDF-C28A-4618-8215-0DC737C84195}"= TCP:28900:direct2drive
"TCP Query User{EC123D67-388F-4E40-A98A-DFE0BB617EC9}C:\\program files\\hp games\\wheel of fortune\\wheel of fortune.exe"= UDP:C:\program files\hp games\wheel of fortune\wheel of fortune.exe:Wheel of Fortune
"UDP Query User{40B05263-4798-4D20-8E6C-AE99761B8C02}C:\\program files\\hp games\\wheel of fortune\\wheel of fortune.exe"= TCP:C:\program files\hp games\wheel of fortune\wheel of fortune.exe:Wheel of Fortune
"{744B29AA-30AF-42EA-B033-CA7589B06498}"= UDP:E:\setup.exe:setup
"{9BEFD93E-38DE-489A-A720-B778AF6FA2E2}"= TCP:E:\setup.exe:setup
"{B28520BE-0D12-4FF5-B11E-15F57AAC5CC0}"= UDP:C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe:Acrobat Reader 4.0
"{B726A459-4356-44BF-A35F-982B4F3826F8}"= TCP:C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe:Acrobat Reader 4.0
"{74BE57DD-7371-454D-B145-E91F9932A2B5}"= Disabled:UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{AAC817F4-D0D8-4B5F-9B28-1783D5218777}"= Disabled:TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{73C2D7DA-B904-4ADC-BAC4-D9677F3A4450}"= Disabled:UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{0623772C-5776-46B2-852D-452299360294}"= Disabled:TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{80BE8311-2CAA-4A25-ADD5-4D94B8C00FBE}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{22A0C734-A15B-4FF6-8C5B-73A67A87DD3A}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D67F56FF-86EA-4D46-8EA8-3D7FA9AA98F8}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4DD173A6-344C-4218-860B-FE8E1EBCAA9E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080407.002\IDSvix86.sys [2008-02-13 12:18]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 16:44]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 20:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b8dc95e-a00a-11db-9f6a-806e6f6e6963}]
\shell\AutoRun\command - E:\Setup.exe
\shell\setup\command - E:\setup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 00:00:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - elizabeth.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-04-13 03:35:00 C:\Windows\Tasks\User_Feed_Synchronization-{D7A0114A-B158-4E11-9F9B-DD66B4321477}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 00:01:54
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2008-04-13 0:03:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 04:03:48
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
.
2008-04-11 05:57:13 --- E O F ---

#8 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 April 2008 - 01:18 AM

Erm....I really need to see a HijackThis log. :thumbsup: It starts out with this:

logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-12 19:33:57
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

#9 BLEUGENE
  • Topic Starter

  • Members
  • 9 posts

Posted 13 April 2008 - 10:03 AM

Deckard's System Scanner v20071014.68
Run by elizabeth on 2008-04-13 10:55:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 894 MiB (1024 MiB recommended).


-- HijackThis (run as elizabeth.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00, on 2008-04-13
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\ProgramData\fqzpoacr\kzexenul.exe
C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe
C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe
C:\Users\elizabeth\Desktop\dss.exe
C:\Program Files\Norton 360\ScanStub.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\elizabeth.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.207.224.1:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TP CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [fqzpoacr] C:\ProgramData\fqzpoacr\kzexenul.exe
O4 - HKCU\..\Run: [ABC11FirstAlert] C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: WRAL DESKTOP WEATHER.lnk = C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7244 bytes

-- Files created between 2008-03-13 and 2008-04-13 -----------------------------

2008-04-13 11:00:38 0 d-------- C:\Program Files\Trend Micro
2008-04-13 01:05:52 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-12 23:31:20 68096 --a------ C:\Windows\zip.exe
2008-04-12 23:31:20 49152 --a------ C:\Windows\VFind.exe
2008-04-12 23:31:20 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-12 23:31:20 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-12 23:31:20 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-12 23:31:20 98816 --a------ C:\Windows\sed.exe
2008-04-12 23:31:20 80412 --a------ C:\Windows\grep.exe
2008-04-12 23:31:20 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-12 18:50:57 2616 --a------ C:\Windows\system32\tmp.reg
2008-04-12 18:50:12 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-04-12 18:50:12 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-12 18:50:12 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-12 18:50:12 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-12 18:50:12 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-12 18:50:12 51200 --a------ C:\Windows\system32\dumphive.exe
2008-04-12 18:50:11 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-12 16:24:45 0 d-------- C:\Program Files\ABC11FirstAlert
2008-04-12 16:18:43 61440 --a------ C:\Windows\wnUninstall.exe
2008-04-12 16:18:43 0 d-------- C:\Program Files\Common Files\WRAL DESKTOP WEATHER
2008-04-06 18:08:00 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-04-06 18:05:27 0 d-------- C:\Program Files\Common Files\Java
2008-04-05 01:40:50 0 d-------- C:\Users\All Users\mbunoxan
2008-04-05 01:40:50 0 d-------- C:\Users\All Users\fqzpoacr
2008-03-29 14:15:33 0 d-------- C:\Windows\system32\Adobe
2008-03-22 03:03:48 0 d-------- C:\58b44bd1e2cfb1148c


-- Find3M Report ---------------------------------------------------------------

2008-04-13 10:54:56 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-13 10:54:55 0 d-------- C:\Program Files\Norton 360
2008-04-13 10:52:49 0 d-------- C:\Program Files\Symantec
2008-04-13 10:49:40 0 d-------- C:\Program Files\Common Files
2008-04-13 10:47:47 0 d-------- C:\Users\elizabeth\AppData\Roaming\OpenOffice.org2
2008-04-13 00:47:40 0 d-------- C:\Program Files\Google
2008-04-13 00:47:39 0 --a------ C:\Users\elizabeth\AppData\Roaming\.googlewebacchosts
2008-04-10 18:22:34 0 d-------- C:\Program Files\Java
2008-04-10 03:11:21 0 d-------- C:\Program Files\Windows Mail
2008-03-29 22:49:06 0 d-------- C:\Program Files\earthlink totalaccess
2008-03-29 16:05:12 0 d-------- C:\Users\elizabeth\AppData\Roaming\Adobe
2008-03-27 18:56:07 0 d-------- C:\Program Files\HP Games
2008-03-26 22:52:00 0 d-------- C:\Program Files\QuickTime
2008-03-26 22:50:20 0 d-------- C:\Users\elizabeth\AppData\Roaming\Google
2008-03-26 22:50:17 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-21 16:28:12 0 d-------- C:\Users\elizabeth\AppData\Roaming\MSNInstaller
2008-03-21 16:17:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-24 22:12:36 1120 --a------ C:\Users\elizabeth\AppData\Roaming\wklnhst.dat
2008-02-17 20:43:04 0 d-------- C:\Users\elizabeth\AppData\Roaming\Leadertech


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-16 18:42]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 09:42]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-08 17:51 C:\Windows\RtHDVCpl.exe]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 03:11]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 21:15]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 21:15]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 21:15]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54]
"TP CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" [2007-08-23 23:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 21:15]
"fqzpoacr"="C:\ProgramData\fqzpoacr\kzexenul.exe" [2008-04-05 01:40]
"ABC11FirstAlert"="C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe" [2006-11-14 22:13]

C:\Users\elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
WRAL DESKTOP WEATHER.lnk - C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe [2008-04-12 16:18:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"=2 (0x2)
"DontDisplayLogonHoursWarnings"=1 (0x1)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\earthlink totalaccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1176653846\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b8dc95e-a00a-11db-9f6a-806e6f6e6963}]
AutoRun\command- E:\CDStart.Exe
Install\Command- E:\Stub.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
*Newly Created Service* - SPBBCDRV
*Newly Created Service* - SRTSP
*Newly Created Service* - SRTSPX

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-13 11:01:33 ------------

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:01 PM

Posted 13 April 2008 - 11:33 AM

YAY!! Thank you! :thumbsup:

* Open Notepad (don't use any text editor other than Notepad, or the script will fail).
Copy/paste the text in the quote box below into Notepad:

File::
C:\PROGRA~2\mbunoxan
C:\PROGRA~2\fqzpoacr
C:\58b44bd1e2cfb1148c


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. How is it running today? :blink:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
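
The triage that precedes a script like the one in the post above (pick the autorun entries, folders and proxy setting that look planted, then list the folders under File:: for ComboFix) as an added Python example. This is not code from the thread, from HijackThis, DSS or ComboFix. The sample log is a constructed excerpt in the shapes those tools produce; the "eight lowercase letters" and "hex folder at the drive root" rules are heuristics chosen to match the entries in this thread, not signatures; and the File:: block is emitted with long paths in the same shape as the post above, which is assumed to be what ComboFix accepts (the post itself used 8.3 short names such as PROGRA~2). A hex-named root folder is listed for review only, since update installers also leave such folders behind.

```python
import ipaddress
import re

# Constructed sample excerpt (not the thread's full log): HijackThis R1/O4
# lines and DSS "Files created" lines in the shapes seen in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.207.224.1:80
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [fqzpoacr] C:\ProgramData\fqzpoacr\kzexenul.exe
O4 - HKCU\..\Run: [ABC11FirstAlert] C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe
2008-04-05 01:40:50 0 d-------- C:\Users\All Users\mbunoxan
2008-04-05 01:40:50 0 d-------- C:\Users\All Users\fqzpoacr
2008-03-22 03:03:48 0 d-------- C:\58b44bd1e2cfb1148c
2008-04-06 18:08:00 0 d-------- C:\Program Files\OpenOffice.org 2.4
"""

# Heuristic (assumption): eight lowercase letters, no digits, is the naming
# pattern of the planted folders and executable in this thread.
RANDOM_TOKEN = re.compile(r"^[a-z]{8}$")
# Heuristic (assumption): a drive-root folder named with 16+ hex digits.
HEX_ROOT_DIR = re.compile(r"^[a-z]:\\[0-9a-f]{16,}$", re.IGNORECASE)
# Locations a standard user can write to; trusted software normally lives
# under Program Files or Windows instead. On Vista, Users\All Users is a
# junction to ProgramData, so both spellings are covered.
USER_WRITABLE = ("\\programdata\\", "\\users\\all users\\", "\\appdata\\")

O4_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)$")
DSS_DIR_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+ d\S+ (?P<path>.+)$")


def target_path(cmd):
    """Pull the executable path out of an O4 command line: drop quotes and arguments."""
    m = re.match(r'^"?(?P<path>[^"]*?\.exe)"?', cmd, re.IGNORECASE)
    if m:
        return m.group("path")
    return cmd.split()[0] if cmd.split() else cmd


def external_proxies(lines):
    """R1 ProxyServer values that point at a public IP: a proxy the user never set routes all browsing through someone else's host."""
    hits = []
    for line in lines:
        m = R1_PROXY_RE.match(line)
        if not m:
            continue
        host = m.group("proxy").rsplit(":", 1)[0]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname, not an IP literal; cannot judge offline
        if addr.is_global:
            hits.append(m.group("proxy"))
    return hits


def suspicious_autoruns(lines):
    """O4 entries whose target sits in a user-writable location and whose folder and file names both look machine-generated."""
    hits = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        path = target_path(m.group("cmd"))
        parts = path.split("\\")
        if len(parts) < 2:
            continue
        folder, exe = parts[-2], parts[-1].rsplit(".", 1)[0]
        if (any(w in path.lower() for w in USER_WRITABLE)
                and RANDOM_TOKEN.match(folder) and RANDOM_TOKEN.match(exe)):
            hits.append(path)
    return hits


def suspicious_dirs(lines):
    """DSS 'Files created' folders named like the autorun hits, plus bare hex folders at the drive root (review only)."""
    hits = []
    for line in lines:
        m = DSS_DIR_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1]
        in_user_dir = any(w in path.lower() for w in USER_WRITABLE)
        if (in_user_dir and RANDOM_TOKEN.match(name)) or HEX_ROOT_DIR.match(path):
            hits.append(path)
    return hits


def build_cfscript(paths):
    """Render a File:: block in the shape used in the post above (format assumed, one path per line)."""
    return "File::\n" + "".join(p + "\n" for p in paths)


def triage(log_text):
    """Run all three checks over a log and return the findings plus a draft script."""
    lines = log_text.strip().splitlines()
    autoruns = suspicious_autoruns(lines)
    dirs = suspicious_dirs(lines)
    # Folders only, as in the post's script: the flagged DSS folders plus the
    # parent folder of each flagged autorun executable.
    script_paths = sorted(set(dirs + [p.rsplit("\\", 1)[0] for p in autoruns]))
    return {"proxies": external_proxies(lines), "autoruns": autoruns,
            "dirs": dirs, "cfscript": build_cfscript(script_paths)}


if __name__ == "__main__":
    import sys
    # Pass a saved hijackthis.txt / DSS main.txt as the first argument, or run on the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for key in ("proxies", "autoruns", "dirs"):
        print(key + ":", *result[key], sep="\n  ")
    print(result["cfscript"])
```

The proxy check is the one most worth keeping: a ProxyServer value pointing at a public address, as in the HijackThis log above, is reset by hand (Internet Options, Connections, LAN settings) whether or not the rest of the cleanup succeeds, since it silently routes every browser request through the attacker's host.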

#11 BLEUGENE

BLEUGENE
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:01 PM

Posted 13 April 2008 - 04:41 PM

ComboFix 08-04-12.5 - elizabeth 2008-04-13 16:43:02.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.258 [GMT -4:00]
Running from: C:\Users\elizabeth\Desktop\ComboFix.exe
Command switches used :: C:\Users\elizabeth\Desktop\CFScript.txt

FILE ::
C:\58b44bd1e2cfb1148c
C:\PROGRA~2\fqzpoacr
C:\PROGRA~2\mbunoxan
.
TimedOut: Windir.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ccEvtMgr


((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 20:18 --------- d-----w C:\Users\elizabeth\AppData\Roaming\OpenOffice.org2
2008-04-13 19:04 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-04-13 19:04 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-04-13 19:04 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-04-13 19:04 --------- d-----w C:\Program Files\Symantec
2008-04-13 19:03 --------- d-----w C:\Program Files\Norton 360
2008-04-13 19:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-13 15:08 --------- d-----w C:\PROGRA~2\Symantec
2008-04-13 15:00 --------- d-----w C:\Program Files\Trend Micro
2008-04-13 04:47 --------- d-----w C:\Program Files\Google
2008-04-12 21:34 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-04-12 20:26 --------- d-----w C:\Program Files\ABC11FirstAlert
2008-04-12 20:20 --------- d-----w C:\Program Files\Common Files\WRAL DESKTOP WEATHER
2008-04-12 20:18 61,440 ----a-w C:\Windows\wnUninstall.exe
2008-04-12 17:49 82,432 ----a-w C:\Windows\System32\IEDFix.exe
2008-04-10 22:22 --------- d-----w C:\Program Files\Java
2008-04-10 07:11 --------- d-----w C:\Program Files\Windows Mail
2008-04-06 22:08 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-06 22:05 --------- d-----w C:\Program Files\Common Files\Java
2008-04-05 05:40 --------- d-----w C:\PROGRA~2\mbunoxan
2008-04-05 05:40 --------- d-----w C:\PROGRA~2\fqzpoacr
2008-03-30 02:49 --------- d-----w C:\Program Files\earthlink totalaccess
2008-03-27 22:56 --------- d-----w C:\Program Files\HP Games
2008-03-27 22:41 --------- d-----w C:\PROGRA~2\WildTangent
2008-03-27 02:52 --------- d-----w C:\Program Files\QuickTime
2008-03-27 02:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 07:02 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-03-22 07:02 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-03-21 20:28 --------- d-----w C:\Users\elizabeth\AppData\Roaming\MSNInstaller
2008-03-21 20:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-27 08:01 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-02-25 02:12 1,120 ----a-w C:\Users\elizabeth\AppData\Roaming\wklnhst.dat
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-18 00:43 --------- d-----w C:\Users\elizabeth\AppData\Roaming\Leadertech
2008-02-15 08:10 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-15 08:10 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-15 08:06 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-15 08:06 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-15 08:06 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-15 08:06 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-02-15 08:06 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-15 08:06 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-15 08:06 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-15 08:06 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-15 08:05 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-15 08:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-15 08:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-15 08:05 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-15 08:05 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-15 08:05 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-15 08:05 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-15 08:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-15 08:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-15 08:05 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-15 08:05 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-01-27 07:20 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2007-09-20 07:18 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-04-13_ 0.03.30.47 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-13 04:01:22 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-13 21:24:13 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-03-24 23:33:02 1,527,056 ----a-w C:\Windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2008-03-29 02:35:48 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-13 21:22:25 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-29 02:35:48 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-13 21:22:25 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-12 18:35:17 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-04-13 20:39:46 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-03-29 02:35:48 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-13 21:22:25 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-13 04:01:43 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-04-13 21:24:43 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-04-12 18:38:52 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-04-13 20:42:38 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-04-13 20:42:38 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat.LOG1
- 2008-04-13 04:01:43 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-04-13 21:24:43 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-04-13 21:24:43 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-13 02:29:49 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-13 20:19:59 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-13 02:29:49 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-13 20:19:59 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-13 02:29:49 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-13 20:19:59 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-09-19 19:44:04 15,664 ----a-w C:\Windows\System32\drivers\GEARAspiWDM.sys
+ 2006-09-19 18:44:04 15,664 ----a-w C:\Windows\System32\drivers\GEARAspiWDM.sys
- 2007-12-01 04:57:12 279,088 ----a-w C:\Windows\System32\drivers\srtsp.sys
+ 2007-12-01 03:57:12 279,088 ----a-w C:\Windows\System32\drivers\srtsp.sys
- 2007-12-01 04:57:12 317,616 ----a-w C:\Windows\System32\drivers\srtspl.sys
+ 2007-12-01 03:57:12 317,616 ----a-w C:\Windows\System32\drivers\srtspl.sys
- 2007-12-01 04:57:12 43,696 ----a-w C:\Windows\System32\drivers\srtspx.sys
+ 2007-12-01 03:57:12 43,696 ----a-w C:\Windows\System32\drivers\srtspx.sys
- 2006-10-04 00:47:52 109,360 ----a-w C:\Windows\System32\GEARAspi.dll
+ 2006-10-03 23:47:52 109,360 ----a-w C:\Windows\System32\GEARAspi.dll
+ 2008-03-25 02:32:44 218,496 ----a-r C:\Windows\System32\Macromed\Flash\FlashUtil9f.exe
- 2008-03-29 20:05:10 74,649 ----a-w C:\Windows\System32\Macromed\Flash\uninstall_activeX.exe
+ 2008-04-13 04:40:52 74,649 ----a-w C:\Windows\System32\Macromed\Flash\uninstall_activeX.exe
- 2008-04-10 22:14:24 96,038 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-13 20:23:54 96,038 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-10 22:14:24 583,114 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-13 20:23:54 583,114 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-10 22:12:00 9,364 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4236263783-1056418703-3295983315-1000_UserData.bin
+ 2008-04-13 20:20:36 9,730 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4236263783-1056418703-3295983315-1000_UserData.bin
- 2008-04-10 22:12:00 62,582 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-13 20:20:36 63,054 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-03-29 20:16:58 47,452 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-13 16:03:11 49,018 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-04-01 23:19:31 105,236 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-04-13 18:00:37 182,632 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 21:15 221184]
"fqzpoacr"="C:\ProgramData\fqzpoacr\kzexenul.exe" [2008-04-05 01:40 94208]
"ABC11FirstAlert"="C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe" [2006-11-14 22:13 253952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-16 18:42 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 09:42 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-08 17:51 4227072 C:\Windows\RtHDVCpl.exe]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 03:11 49152]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45 222208]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 21:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 21:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 21:15 81920]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48 479232]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54 116072]

C:\Users\elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
WRAL DESKTOP WEATHER.lnk - C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe [2008-04-12 16:18:43 3731968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
C:\Program Files\earthlink totalaccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1176653846\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9721B0EC-B857-4CCB-95F4-87E2148199EF}"= C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{0B208427-AC56-4A1C-98E5-D523827AEC2B}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{80431B57-F86E-4C45-89BE-CBD932C34698}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6C5E5C9F-D414-4C37-8F62-87426374E445}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{005DE927-7EEF-40A6-8695-094A821735F5}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{77264ACE-CEF6-4EB4-8905-06A27E90D306}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1B757D18-5C6F-4F89-BB87-8FC947427FAF}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7313F568-2BD6-410A-8191-FC2053A81B84}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{84F0B863-AE18-4602-9279-61EEE76B0ECF}"= UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{267F6161-5002-4BE3-AA77-62DBAF97A262}"= TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{DE1292C9-226D-4281-8066-2543AFD0C3C8}"= UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{FC44282E-0022-49F9-9146-F250C2256C09}"= TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{1DE2B7CA-C25B-4863-B132-ECB78CB67461}"= UDP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{D4846585-65AB-4E82-9D71-88222380C7B5}"= TCP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{F2C6E9A8-F9A8-4ABC-8296-0E2F9B5BA37A}"= UDP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{09916214-E5E4-473A-AA17-3B63879279CA}"= TCP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{553BC12F-22A8-468B-B588-2AD7629896E9}"= UDP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{5661FF94-8E5C-4DBD-9B68-055CC321B269}"= TCP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{1B8916D9-CA22-4902-9A2F-1DB41D236995}"= UDP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{3A1BD772-D4D1-4BAC-820F-5A3FC7AA6A2E}"= TCP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{C88D1779-B070-4A4B-A09B-2C6B7C88CDC7}"= UDP:28900:direct2drive
"{C7319984-F542-4F26-9D8F-004637AEACA1}"= UDP:C:\Program Files\Download Manager\DLM.exe:Download Manager
"{56ED0574-D974-4812-A0CD-417ECD4B86F2}"= TCP:C:\Program Files\Download Manager\DLM.exe:Download Manager
"{B72CEF38-46BE-4A13-A83C-182F6F64BB2F}"= TCP:29800:direct2drive
"{1396DEDF-C28A-4618-8215-0DC737C84195}"= TCP:28900:direct2drive
"TCP Query User{EC123D67-388F-4E40-A98A-DFE0BB617EC9}C:\\program files\\hp games\\wheel of fortune\\wheel of fortune.exe"= UDP:C:\program files\hp games\wheel of fortune\wheel of fortune.exe:Wheel of Fortune
"UDP Query User{40B05263-4798-4D20-8E6C-AE99761B8C02}C:\\program files\\hp games\\wheel of fortune\\wheel of fortune.exe"= TCP:C:\program files\hp games\wheel of fortune\wheel of fortune.exe:Wheel of Fortune
"{744B29AA-30AF-42EA-B033-CA7589B06498}"= UDP:E:\setup.exe:setup
"{9BEFD93E-38DE-489A-A720-B778AF6FA2E2}"= TCP:E:\setup.exe:setup
"{B28520BE-0D12-4FF5-B11E-15F57AAC5CC0}"= UDP:C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe:Acrobat Reader 4.0
"{B726A459-4356-44BF-A35F-982B4F3826F8}"= TCP:C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe:Acrobat Reader 4.0
"{74BE57DD-7371-454D-B145-E91F9932A2B5}"= Disabled:UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{AAC817F4-D0D8-4B5F-9B28-1783D5218777}"= Disabled:TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{73C2D7DA-B904-4ADC-BAC4-D9677F3A4450}"= Disabled:UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{0623772C-5776-46B2-852D-452299360294}"= Disabled:TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{80BE8311-2CAA-4A25-ADD5-4D94B8C00FBE}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{22A0C734-A15B-4FF6-8C5B-73A67A87DD3A}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D67F56FF-86EA-4D46-8EA8-3D7FA9AA98F8}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4DD173A6-344C-4218-860B-FE8E1EBCAA9E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b8dc95e-a00a-11db-9f6a-806e6f6e6963}]
\shell\AutoRun\command - E:\CDStart.Exe
\shell\Install\Command - E:\Stub.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 00:00:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - elizabeth.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-04-13 17:53:11 C:\Windows\Tasks\User_Feed_Synchronization-{1731C02D-DC7A-474C-85CB-791C728216E2}.job"
- C:\Windows\system32\msfeedssync.exe
"2008-04-13 21:25:00 C:\Windows\Tasks\User_Feed_Synchronization-{D7A0114A-B158-4E11-9F9B-DD66B4321477}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 17:25:05
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-13 17:27:09
ComboFix-quarantined-files.txt 2008-04-13 21:26:58
ComboFix2.txt 2008-04-13 04:03:58
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
.
2008-04-11 05:57:13 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00, on 2008-04-13
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\ProgramData\fqzpoacr\kzexenul.exe
C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe
C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe
C:\Users\elizabeth\Desktop\dss.exe
C:\Program Files\Norton 360\ScanStub.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\elizabeth.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.207.224.1:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TP CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [fqzpoacr] C:\ProgramData\fqzpoacr\kzexenul.exe
O4 - HKCU\..\Run: [ABC11FirstAlert] C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: WRAL DESKTOP WEATHER.lnk = C:\Program Files\Common Files\WRAL DESKTOP WEATHER\TrueWeather.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7244 bytes


It's running spotty. I keep getting the adware even with Norton Fraud Protection so I reported it to them and they said they could fix it for $100. I said it shouldn't be there anyway since Norton has been on my machine since Day one. They said it was from downloading freeware. I told them to have a nice day. If I pay them another $100 to fix what they didn't catch, then I'll just have to do it every time they don't catch something. I'd like a paid subscription to this site and I applaud you dear Teacup61 for what y'all are doing for those oppressed by the corporate wooha's. I did see their sponsorship at the top of the page and find it quite ironic since they'll not get any more of my business.

Ranting there a bit but I'm still a bit huffy.

Thank you for your continued efforts on my behalf.
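
The HijackThis log in this post carries two entries a responder would pull out first: an HKCU Run entry launching from a randomly named folder under C:\ProgramData (the same path MBAM later classifies as Trojan.FakeAlert further down the thread) and a per-user Internet Explorer proxy (R1). As an added example, not code from this thread, from HijackThis or from Malwarebytes, here is a small Python triage script that applies those two defender-side heuristics to HijackThis-style lines. The sample lines are constructed from entries in the log above; the regexes, the `Finding` type and the notion of "user-writable directory" are my own assumptions, and a hit is a prompt to look closer, not a malware verdict.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "O4" or "R1"
    reason: str    # why the entry deserves a second look
    line: str      # the log line it came from


# Directories every user account can write to. An autostart entry that launches
# from one of them was not placed there by a normal Program Files installer, so
# it is worth a look even before any AV verdict (heuristic, not proof).
USER_WRITABLE = re.compile(
    r"\\(ProgramData|Temp|Local Settings)\\|\\Users\\[^\\]+\\AppData\\",
    re.IGNORECASE,
)

# "O4 - HKCU\..\Run: [name] command line"
O4_RUN = re.compile(r"^O4 - (?P<key>.+?\\Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# "R1 - HKCU\...\Internet Settings,ProxyServer = host:port"
R1_PROXY = re.compile(r"^R[01] - (?P<key>.+?),ProxyServer = (?P<proxy>\S+)$")


def triage_line(line: str) -> Optional[Finding]:
    """Apply the two heuristics to one HijackThis-style line.

    Returns a Finding, or None when the line is not flagged.
    """
    line = line.strip()
    m = O4_RUN.match(line)
    if m:
        if USER_WRITABLE.search(m.group("cmd")):
            return Finding(
                "O4",
                f"autostart '{m.group('name')}' runs from a user-writable directory",
                line,
            )
        return None
    m = R1_PROXY.match(line)
    if m:
        # A per-user proxy silently routes all of Internet Explorer's traffic
        # through that host; if nobody configured it on purpose, account for it.
        return Finding("R1", f"per-user proxy set to {m.group('proxy')}", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample modelled on lines from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.207.224.1:80
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [fqzpoacr] C:\ProgramData\fqzpoacr\kzexenul.exe
O4 - HKCU\..\Run: [ABC11FirstAlert] C:\Program Files\ABC11FirstAlert\ABC11FirstAlert.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script flags exactly the proxy line and the fqzpoacr Run entry; the Windows Defender and ABC11FirstAlert entries launch from Program Files and are left alone. The Run-entry heuristic is deliberately about location rather than name, so it generalises to the per-user AppData and Temp paths that later families of the same rogue-antispyware type used.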

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 April 2008 - 04:55 PM

Hello,

Never mind Norton. :thumbsup: As you've learned, they're overrated in my humble opinion. You're most welcome for the help. :wacko:

When you say it's running spotty.....do you mean you're still getting the popups? Or do you mean something else?

BTW, you rant all you like. :blink: This stuff is very frustrating.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#13 BLEUGENE

BLEUGENE
  • Topic Starter

  • Members
  • 9 posts

Posted 13 April 2008 - 05:28 PM

Spotty like, first Norton was gone from the taskbar even though it was showing up in the programs list and Symantec was listed in processes, BUT if I double-clicked the icon or even tried to run it from the folder then nothing. I re-installed that, which got me to thinking HEY...you know where that led.

Anyway, I have rebooted multiple times since last night and today it seems that there's about 5 minutes of hesitation, like when all the start up programs are loading up and everything, except it's longer than usual. I did read about extraneous startup programs in an article on this site but have not investigated further.

Another ad just popped up and I'm past livid. I'm more "Fine, pop all you like, I'm about to go Elvis" (but I love my monitor). There is the little caution sign in the notification area as well but I'm not going to touch it.

Norton wanted me to reboot for updates which had me all "conspiracy theory" and paranoid, but I rebooted for you and it doesn't seem as slow this time so maybe they didn't dose me up for refusing to pay for their add'l services.

This is my home computer. I'm an engineer. I deleted MSWorks because it sucked and downloaded OpenOffice (and paid for it because I'm gullible). My daughter and I go to the Webkinz site a lot and I shop a lot. Ebay, books, games, clothes, toys. I can't afford AUTOCAD at home for the amount of use I would get out of it and I would have to work at home if I did.

The justification for that blurb is that my computer is almost virginal, exactly one year since purchased, and it would not hurt my feelings to wipe it if that's what it would take. My accounts and emails are at Google and on the server at work. If I wanted to buy something, the merchants I have patronized would find my information. I would have to start Zoo Tycoon over.

With those parameters in place, I (another pop up) surrender my PC to you. Thank you.

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 April 2008 - 08:38 PM

Hello,

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea

#15 BLEUGENE

BLEUGENE
  • Topic Starter

  • Members
  • 9 posts

Posted 14 April 2008 - 09:47 PM

Malwarebytes' Anti-Malware 1.11
Database version: 629

Scan type: Quick Scan
Objects scanned: 30566
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\ProgramData\fqzpoacr\kzexenul.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqzpoacr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\fqzpoacr\kzexenul.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


thank you so much