Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware_Protect-2009


  • This topic is locked This topic is locked
13 replies to this topic

#1 bassface44

bassface44

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:16 PM

Posted 25 March 2009 - 05:17 PM

Ok,
I got this stupid thing and I have been all over trying this and that to get rid of it and every time I feel like I am close it rears its ugly head. I went and ran SPyBot and Malwarebytes and CCleaner..the list goes on.

I believe I posted the attachments as asked correctly. I still have a very slow startup with a couple of CMD windows that flash in the beginning and then an internet explorer window comes up asking if I want it to be the default browser. I have Hijack This and have run a report that I can also post if need be. I can see items on there that have Spyware_Protect_2009 in the title but I just want to make sure I get everything this time and do it in the correct order so its gone forever. All help is GREATLY appreciated.

Bill

Oh and Norton doesn't seem to work correctly either.

Attached Files


Edited by bassface44, 25 March 2009 - 05:34 PM.


BC AdBot (Login to Remove)

 


#2 bassface44

bassface44
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:16 PM

Posted 27 March 2009 - 09:47 AM

Here is a current Hijackthis Log. I have been working myself to fix my problems and think I am almost there but my browser seems to still be hijacked. I uninstalled and reinstalled Norton so now that is working correctly. I just need a little help to see where I am at more for my own curiosities sake. i am reformatting the harddrive in the not too distant future. I just was wondering what I am missing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43, on 2009-03-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Argentum Backup\ab.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: (no name) - {DEF3A437-0AE4-4838-941B-E0D0B853255E} - c:\windows\system32\fqmiccx.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Business Objects\JRE\bin\jusched.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Tfedinures] rundll32.exe "C:\WINDOWS\Jsawuwibi.dll",e
O4 - HKLM\..\Run: [Tmumevigulusefub] rundll32.exe "C:\WINDOWS\isazovecebezu.dll",e
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Argentum Backup] "C:\Program Files\Argentum Backup\ab.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/P...000046.000000b5
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139669911609
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10799 bytes

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:16 PM

Posted 29 March 2009 - 07:20 PM

Hello bassface44,

Posted Image

Sorry about the delay.:thumbup2:

Your log still shows signs of infection.

In case you already have ComboFix, please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#4 bassface44

bassface44
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:16 PM

Posted 30 March 2009 - 10:01 AM

OK, my browser is def still hijacked. It is more annoying at this point than anything else. I reinstalled Combofix as instructed and ran it. I am posting the log and a new hijack this log. Thank you for all your help


ComboFix 09-03-29.04 - Peter 2009-03-30 10:46:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.493 [GMT -4:00]
Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-30 10:12 . 2009-03-30 10:12 <DIR> d-------- c:\windows\LastGood.Tmp
2009-03-30 10:03 . 2009-03-30 10:03 <DIR> d-------- c:\windows\system32\scripting
2009-03-30 10:03 . 2009-03-30 10:03 <DIR> d-------- c:\windows\system32\en
2009-03-30 10:03 . 2009-03-30 10:03 <DIR> d-------- c:\windows\system32\bits
2009-03-30 10:03 . 2009-03-30 10:03 <DIR> d-------- c:\windows\l2schemas
2009-03-30 09:55 . 2009-03-30 10:04 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-27 10:30 . 2009-03-30 09:25 <DIR> d-------- c:\program files\XoftSpySE
2009-03-27 10:01 . 2009-03-27 10:12 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-27 10:01 . 2009-03-27 10:12 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-27 09:45 . 2009-03-27 10:12 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-27 09:45 . 2009-03-27 10:12 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-27 09:44 . 2009-03-27 10:12 <DIR> d-------- c:\program files\Symantec
2009-03-27 09:30 . 2008-04-13 20:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2009-03-27 09:29 . 2004-08-03 22:41 1,041,536 --------- c:\windows\system32\drivers\hsfdpsp2.sys
2009-03-27 09:28 . 2008-04-13 20:11 136,192 --------- c:\windows\system32\aaclient.dll
2009-03-26 12:54 . 2009-03-26 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-25 14:59 . 2009-03-25 15:39 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-25 14:59 . 2009-03-25 15:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-25 14:42 . 2009-03-25 14:42 <DIR> d-------- c:\program files\Trend Micro
2009-03-25 12:18 . 2009-03-26 10:56 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-25 12:06 . 2009-03-25 12:06 <DIR> d-------- c:\program files\AVG
2009-03-25 12:06 . 2009-03-26 11:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-25 10:34 . 2009-03-25 10:34 <DIR> d-------- c:\program files\CCleaner
2009-03-25 10:28 . 2009-03-25 10:28 <DIR> d-------- c:\documents and settings\Peter\Application Data\Uniblue
2009-03-25 09:03 . 2009-03-25 09:03 <DIR> d-------- c:\documents and settings\Peter\Application Data\lxttkvfz
2009-03-24 18:36 . 2009-03-27 17:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 18:36 . 2009-03-24 18:36 <DIR> d-------- c:\documents and settings\Peter\Application Data\Malwarebytes
2009-03-24 18:36 . 2009-03-24 18:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-24 18:36 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 18:36 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-24 18:16 . 2009-03-25 10:23 <DIR> d-------- c:\program files\Enigma Software Group
2009-03-24 18:04 . 2008-04-13 14:51 60,800 --a------ c:\windows\system32\drivers\arp1394.sys
2009-03-24 16:37 . 2009-03-24 16:37 <DIR> d-------- c:\program files\Alwil Software
2009-03-24 16:21 . 2009-03-24 16:21 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\lxttkvfz
2009-03-24 15:35 . 2009-03-25 09:31 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-24 15:13 . 2009-03-25 09:31 <DIR> d-------- c:\program files\Lavasoft
2009-03-24 15:13 . 2009-03-25 09:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-19 12:53 . 2009-03-19 12:53 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-03-16 17:54 . 2009-03-16 17:54 <DIR> d-------- c:\program files\twhirl
2009-03-16 17:54 . 2009-03-16 17:54 <DIR> d-------- c:\documents and settings\Peter\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2009-03-16 17:51 . 2009-03-16 17:51 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-16 15:27 . 2009-03-26 12:39 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-16 15:27 . 2009-03-16 15:27 1,409 --a------ c:\windows\QTFont.for
2009-03-16 09:56 . 2009-03-16 09:56 <DIR> d-------- c:\documents and settings\Peter\Application Data\Flock
2009-03-16 09:51 . 2009-03-27 09:58 <DIR> d-------- c:\program files\Flock
2009-03-10 14:54 . 2009-03-10 15:16 <DIR> d-------- C:\STEPL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 14:43 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-27 16:38 --------- d-----w c:\program files\Norton AntiVirus
2009-03-27 14:10 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-26 16:05 105,984 ----a-w c:\windows\system32\onnsiqs.dll
2009-03-25 14:22 --------- d-----w c:\program files\Common Files\AOL
2009-03-25 14:22 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-16 12:22 --------- d-----w c:\program files\Google
2009-03-04 20:33 --------- d-----w c:\documents and settings\Peter\Application Data\Move Networks
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEF3A437-0AE4-4838-941B-E0D0B853255E}]
2009-03-26 12:05 105984 --a------ c:\windows\system32\fqmiccx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Argentum Backup"="c:\program files\Argentum Backup\ab.exe" [2005-01-05 741376]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\IEXPLORE.EXE" [2008-04-13 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SunJavaUpdateSched"="c:\program files\Business Objects\JRE\bin\jusched.exe" [2004-02-23 32881]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2003-03-12 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2003-03-12 36864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-01 155648]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-02-13 82026]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-01-10 450560]
Scanner File Utility.lnk - c:\program files\Kyocera Mita\FileUtility\NsCatCom.exe [2006-02-14 311296]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-07-17 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 02:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kyocera Mita\\FileUtility\\NsCatCom.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 pzsybqda;pzsybqda;c:\windows\system32\drivers\pzsybqda.sys [2004-08-04 23424]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-31 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-27 101936]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gqeazroy

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{563d43c0-a22b-11da-96ab-001422eb3014}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa7d24c2-b3cf-11da-96da-001422eb3014}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-27 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Peter.job
- c:\progra~1\NORTON~1\Navw32.exe [2006-09-07 02:38]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Supplementary Scan -------
.
uStart Page = www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\86fhikh7.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\86fhikh7.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\program files\Business Objects\JRE\bin\NPJava11.dll
FF - plugin: c:\program files\Business Objects\JRE\bin\NPJava12.dll
FF - plugin: c:\program files\Business Objects\JRE\bin\NPJava13.dll
FF - plugin: c:\program files\Business Objects\JRE\bin\NPJava14.dll
FF - plugin: c:\program files\Business Objects\JRE\bin\NPJava32.dll
FF - plugin: c:\program files\Business Objects\JRE\bin\NPJPI142_04.dll
FF - plugin: c:\program files\Business Objects\JRE\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 10:50:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-1202660629-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2412)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2009-03-30 10:53:25
ComboFix-quarantined-files.txt 2009-03-30 14:53:19

Pre-Run: 39,094,464,512 bytes free
Post-Run: 39,124,606,976 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
197 --- E O F --- 2009-03-30 14:24:50



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:14 AM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Argentum Backup\ab.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: (no name) - {DEF3A437-0AE4-4838-941B-E0D0B853255E} - c:\windows\system32\fqmiccx.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Business Objects\JRE\bin\jusched.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Argentum Backup] "C:\Program Files\Argentum Backup\ab.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/P...000046.000000b5
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139669911609
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10438 bytes

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:16 PM

Posted 30 March 2009 - 05:31 PM

Hello,

You're welcome. :thumbup2:

Do you have a router?

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

Thanks,
tea

Edited by teacup61, 30 March 2009 - 05:31 PM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:16 PM

Posted 08 April 2009 - 08:34 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:16 PM

Posted 24 April 2009 - 02:47 PM

Thread reopened at request of topic starter. :thumbup2:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 bassface44

bassface44
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:16 PM

Posted 27 April 2009 - 08:20 AM

GooredFix v1.92 by jpshortstuff
Log created at 09:19 on 27/04/2009 running Option #1 (Peter)
Firefox version 3.0.9 (en-US)

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{C16EC6A4-7D7C-4EB5-8E15-894F091AF7CE}"="C:\Documents and Settings\Peter\Local Settings\Application Data\{C16EC6A4-7D7C-4EB5-8E15-894F091AF7CE}"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{C16EC6A4-7D7C-4EB5-8E15-894F091AF7CE}"="C:\Documents and Settings\Peter\Local Settings\Application Data\{C16EC6A4-7D7C-4EB5-8E15-894F091AF7CE}"
there is the log you requested. Pleas advise. Thanks s omuch!

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:16 PM

Posted 29 April 2009 - 11:49 AM

Hello,

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

How is it running please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 bassface44

bassface44
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:16 PM

Posted 29 April 2009 - 12:15 PM

GooredFix v1.92 by jpshortstuff
Log created at 12:58 on 29/04/2009 running Option #2 (Peter)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{C16EC6A4-7D7C-4EB5-8E15-894F091AF7CE}"="C:\Documents and Settings\Peter\Local Settings\Application Data\{C16EC6A4-7D7C-4EB5-8E15-894F091AF7CE}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Peter\Local Settings\Application Data\{C16EC6A4-7D7C-4EB5-8E15-894F091AF7CE}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


Here is the log you requested. My computer had been running ok to begin with. Every once in a while I would have my browser hijacked to some goofy site when I was using google searches. I was also having problems seeing pics in Outlook and opening webpages from outlook. I will see if that has changed. Thanks for all your help.

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:16 PM

Posted 29 April 2009 - 12:26 PM

You're welcome. :) The hijacking should be gone now, and you can delete GooredFix. :thumbup2:

Surf around some and let me know.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 bassface44

bassface44
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:16 PM

Posted 29 April 2009 - 12:28 PM

Thanks so much. I will let you know if anything pops up

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:16 PM

Posted 29 April 2009 - 12:48 PM

Hi,

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. It's outdated now and won't do you any good.

Is MBAM coming up clean?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:16 PM

Posted 08 May 2009 - 01:35 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users