
Help Please I contracted a virus


This topic is locked. 16 replies to this topic.

#1 Tsylord

Posted 28 May 2009 - 06:51 PM

Hello, I'm new and I come to you in search of help. My parents' computer got hit hard by a POS virus and I'm trying to get rid of it. It is always attempting to access a website to download a crap virus program called Antivirus-XP Pro 2009. It has fully disabled the task manager and has slowed the system to a crawl. It has also changed and locked the desktop background to a black image that says my computer is infected. Here is my HijackThis log. I've also entirely segregated the computer from the network and internet. Please help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:35 PM, on 28/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Samsung\FrameManager\sam_service.exe
C:\Program Files\Samsung\FrameManager\sam_controller.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\rps.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgentComHandler.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Rogers Online Protection\Rogers Online Protection\pkR.dll
O2 - BHO: Google Audio Helper - {4641CCD1-78CA-465D-B37A-B4B8265E6B4D} - %SystemRoot%\system32\apphelph4.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [RogersServicepointAgent.exe] "C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\mom&da~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\mom&da~1\locals~1\temp\ntdll64.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - (no file)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FrameManager Service - Samsung India Software Center - C:\Program Files\Samsung\FrameManager\sam_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KodakDigitalDisplayService - Orb Networks, Inc. - C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rogers Online Protection (Radialpoint Security Services) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
O23 - Service: Rogers Online Protection Firewall (RP_FWS) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10180 bytes




#2 miekiemoes - Malware Response Team

Posted 29 May 2009 - 11:49 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Also, please back up your important data first while you can still access your Windows. The reason is that you are dealing with one of these Trojans/Bots that have the functionality to kill your OS.
Read these articles for more info: When a Bot master goes mad - Kill the OS, and A Zeus botnet self-destructs.


Have you ever considered installing an antivirus?
Also, what steps have you taken previously to try to get rid of this?

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Don't use the code tags to post the logs, because it makes it harder to read.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Tsylord (Topic Starter)

Posted 29 May 2009 - 02:32 PM

Ok, here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:02 PM, on 29/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Samsung\FrameManager\sam_service.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Samsung\FrameManager\sam_controller.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\init32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Rogers Online Protection\Rogers Online Protection\pkR.dll
O2 - BHO: Google Audio Helper - {64F90A30-338F-4E10-89D1-7EFC5D344C88} - %SystemRoot%\system32\apphelph4.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [RogersServicepointAgent.exe] "C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2242219307-168016849-3438900298-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guest Users')
O4 - S-1-5-21-2242219307-168016849-3438900298-1007 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Guest Users')
O4 - S-1-5-21-2242219307-168016849-3438900298-1007 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Guest Users')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\guestu~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\guestu~1\locals~1\temp\ntdll64.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - (no file)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FrameManager Service - Samsung India Software Center - C:\Program Files\Samsung\FrameManager\sam_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KodakDigitalDisplayService - Orb Networks, Inc. - C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rogers Online Protection (Radialpoint Security Services) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
O23 - Service: Rogers Online Protection Firewall (RP_FWS) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8361 bytes

And now the Malwarebytes log:
Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

28/05/2009 8:30:10 PM
mbam-log-2009-05-28 (20-30-10).txt

Scan type: Quick Scan
Objects scanned: 115160
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv111243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv251243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv271243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv291243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv311243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv331243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv351243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv411243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv491243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv691243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv761243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv821243518908.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Mom & Dad\Local Settings\Temp\mousehook.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Mom & Dad\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\apphelp.bat (Trojan.SpamBot) -> Quarantined and deleted successfully.

I've removed all files it found.
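A defender-side triage of HijackThis logs like the two posted in this thread, as an added example (not code from the thread, BleepingComputer or Trend Micro). It runs four assumed heuristics over HJT lines constructed from the logs above: the F2 Userinit chain that sdra64.exe was appended to, O4 Run entries that give a bare file name like frmwrk32.exe, O10 LSP modules loaded from a temp folder like ntdll64.dll, and O2 BHOs whose file is missing.

```python
"""Triage a HijackThis v2 log for the persistence patterns seen in this thread.

Added example, not code from the thread, BleepingComputer or Trend Micro; the
checks are this example's own heuristics, not HijackThis logic.
"""
import re
from dataclasses import dataclass

# Sample HJT lines, constructed from the logs posted in this thread.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    r"O2 - BHO: Google Audio Helper - {4641CCD1-78CA-465D-B37A-B4B8265E6B4D} - %SystemRoot%\system32\apphelph4.dll (file missing)",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r"O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe",
    r"O10 - Unknown file in Winsock LSP: c:\docume~1\mom&da~1\locals~1\temp\ntdll64.dll",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # the only legitimate Userinit value on XP
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (?P<key>.+?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

@dataclass
class Finding:
    section: str   # HJT section tag: F2, O2, O4, O10
    severity: str  # high / medium / low
    line: str      # the original log line
    reason: str    # why a helper should look at it

def _command_image(cmd: str) -> str:
    """Return the program image from a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def check_userinit(line: str):
    """F2: Winlogon Userinit must run only userinit.exe; anything appended persists at logon."""
    m = USERINIT_RE.match(line)
    if not m:
        return None
    programs = [p.strip().lower() for p in m.group(1).split(",") if p.strip()]
    extra = [p for p in programs if p != EXPECTED_USERINIT]
    if not extra:
        return None
    return Finding("F2", "high", line, "Winlogon Userinit also launches: " + ", ".join(extra))

def check_run_key(line: str):
    """O4: flag Run entries with a bare file name (resolved via the search path) or a temp-folder path."""
    m = RUN_RE.match(line)
    if not m:
        return None
    image, name = _command_image(m.group("cmd")), m.group("name")
    if "\\" not in image and "%" not in image:
        return Finding("O4", "high", line, f"Run entry [{name}] is a bare file name: {image}")
    if TEMP_DIR_RE.search(image):
        return Finding("O4", "high", line, f"Run entry [{name}] runs from a temp folder: {image}")
    return None

def check_lsp(line: str):
    """O10: an unknown Winsock LSP module sees all socket traffic; worse when it lives in a temp folder."""
    m = LSP_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    severity = "high" if TEMP_DIR_RE.search(path) else "medium"
    return Finding("O10", severity, line, "unknown Winsock LSP module: " + path)

def check_bho(line: str):
    """O2: a BHO whose file is missing is an orphaned registration, low priority cleanup."""
    m = BHO_RE.match(line)
    if not m or "(file missing)" not in m.group("path"):
        return None
    return Finding("O2", "low", line, f"BHO '{m.group('name')}' points at a missing file")

CHECKS = (check_userinit, check_run_key, check_lsp, check_bho)

def triage(log_text: str) -> list:
    """Run every check over each line; the first check that fires wins."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            found = check(line)
            if found:
                findings.append(found)
                break
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.section:<3} {f.reason}")
```

Run against the full log above, it surfaces the same four entries the helper and Malwarebytes acted on, while leaving the signed vendor services and full-path Run entries alone.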

#4 miekiemoes - Malware Response Team

Posted 29 May 2009 - 02:52 PM

Hi,

Is it possible that your HijackThis log is from before you scanned and rebooted with Malwarebytes? I ask because some things don't make sense.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#5 Tsylord (Topic Starter)

Posted 29 May 2009 - 03:24 PM

Here is the latest HT log from my computer after a restart; my computer is also connected to the internet.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:45 PM, on 29/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Samsung\FrameManager\sam_service.exe
C:\Program Files\Samsung\FrameManager\sam_controller.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rogers Online Protection\Rogers Online Protection\rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgentComHandler.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\init32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\init32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\init32.exe
C:\WINDOWS\System32\Wbem\grpconv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Rogers Online Protection\Rogers Online Protection\pkR.dll
O2 - BHO: Google Audio Helper - {64F90A30-338F-4E10-89D1-7EFC5D344C88} - %SystemRoot%\system32\apphelph4.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [RogersServicepointAgent.exe] "C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\guestu~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\guestu~1\locals~1\temp\ntdll64.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - (no file)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FrameManager Service - Samsung India Software Center - C:\Program Files\Samsung\FrameManager\sam_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KodakDigitalDisplayService - Orb Networks, Inc. - C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rogers Online Protection (Radialpoint Security Services) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
O23 - Service: Rogers Online Protection Firewall (RP_FWS) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10764 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:07 AM

Posted 29 May 2009 - 03:28 PM

Ok,

This smells real bad here... looks like your userinit is also infected here and most probably other system files. As a matter of fact, it wouldn't surprise me at all that Virut is also present. This means a format and reinstall unfortunately. Anyway, if that was my computer, I would have formatted and reinstalled anyway, because that's the only guarantee for a clean computer without damage.

Anyway, since you decided to deal with this manually, don't expect miracles and don't expect that all your issues will be resolved, because that would be impossible on such severely infected and damaged computers.

Please perform the steps with Combofix.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
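
The indicators in the HijackThis log above that lead to this kind of diagnosis can be checked mechanically: an O4 autostart that runs a bare filename (`[Framework Windows] frmwrk32.exe`), an O10 Winsock LSP loaded from a user temp folder, an O2 BHO whose file is missing, and system32 images such as `frmwrk32.exe` running in dozens of copies. The script below is an added example, not code from this thread, from Trend Micro's HijackThis or from ComboFix. The sample log text is constructed to mirror the shape of the logs posted here; the rule names, the `MULTI_INSTANCE_OK` allowlist and the regexes are assumptions of this example.

```python
"""Triage helpers for HijackThis-style logs (added example; not code from this
thread, from Trend Micro or from ComboFix).  The rules encode the cues a
malware-response helper reads off such a log by eye: an autostart that runs a
bare filename, a Winsock LSP living in a user temp folder, a BHO whose file is
missing, a system32 image running in several copies, and a running image whose
name matches one of those flagged entries.  compare() shows what a cleanup
removed and which flagged entries persist."""
import re
from collections import Counter

# Constructed samples, trimmed to the shape of the logs posted in this thread.
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Google Audio Helper - {64F90A30-338F-4E10-89D1-7EFC5D344C88} - %SystemRoot%\system32\apphelph4.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\guestu~1\locals~1\temp\ntdll64.dll
"""
AFTER_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O10 - Unknown file in Winsock LSP: c:\docume~1\guestu~1\locals~1\temp\ntdll64.dll
"""

ENTRY_RE = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?:\s+\[[^\]]*\]\s+(?P<cmd>.*)$")
FILE_RE = re.compile(r"[\w~.$-]+\.(?:exe|dll)\b", re.I)
# Windows images that legitimately run as several instances at once (assumption).
MULTI_INSTANCE_OK = {"svchost.exe", "cmd.exe", "dllhost.exe", "rundll32.exe"}


def basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Return (process image paths, [(kind, body), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False                  # a blank line closes the process block
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def flag_entries(entries):
    """Per-entry heuristics; returns [(rule, body), ...] in log order."""
    findings = []
    for kind, body in entries:
        m = RUN_RE.match(body) if kind == "O4" else None
        if m:
            # A bare filename is resolved through the PATH search at logon;
            # legitimate installers nearly always register a full path.
            if "\\" not in m.group("cmd").strip().strip('"').split(" ")[0]:
                findings.append(("bare-filename autostart", body))
        elif kind == "O10" and re.search(r"\\(temp|tmp)\\", body, re.I):
            findings.append(("Winsock LSP loaded from a temp folder", body))
        elif kind == "O2" and ("(file missing)" in body or "%SystemRoot%" in body):
            findings.append(("BHO with missing or unexpanded path", body))
    return findings


def flag_processes(processes, entry_findings):
    """Repeated system32 images, and images sharing a name stem with a flagged entry."""
    counts = Counter(basename(p) for p in processes)
    suspect_stems = set()
    for _, body in entry_findings:
        files = FILE_RE.findall(body)
        if files:
            suspect_stems.add(files[-1].lower().rsplit(".", 1)[0])
    findings, seen = [], set()
    for p in processes:
        name = basename(p)
        if name in seen:
            continue
        seen.add(name)
        if "\\system32\\" in p.lower() and counts[name] > 1 and name not in MULTI_INSTANCE_OK:
            findings.append((f"{counts[name]} instances of a system32 image", p))
        if name.rsplit(".", 1)[0] in suspect_stems:
            findings.append(("image matches a flagged autostart/LSP name", p))
    return findings


def triage(text):
    """All findings for one log: entry rules first, then process rules."""
    processes, entries = parse_log(text)
    entry_findings = flag_entries(entries)
    return entry_findings + flag_processes(processes, entry_findings)


def compare(before_text, after_text):
    """Entries a cleanup removed, and the findings that still remain afterwards."""
    _, before = parse_log(before_text)
    after_set = set(parse_log(after_text)[1])
    removed = [body for kind, body in before if (kind, body) not in after_set]
    return removed, triage(after_text)
```

`triage(BEFORE_LOG)` returns six findings (the three flagged entries, then the repeated `frmwrk32.exe` image and the two images whose names match flagged entries), and `compare(BEFORE_LOG, AFTER_LOG)` reports two entries removed with the O10 LSP still flagged. That is the same picture the two HijackThis logs in this thread give: the `frmwrk32.exe` autostart is gone after ComboFix, while the `ntdll64.dll` LSP line is still present. The process-count rule deliberately ignores `svchost.exe`, which runs many instances on a healthy XP box; the allowlist is small and would need extending for other Windows versions.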

#7 Tsylord

Tsylord
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:07 AM

Posted 29 May 2009 - 03:44 PM

Combofix has finished and some of my computer has been reclaimed. Here is the newest HT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:39 PM, on 29/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Samsung\FrameManager\sam_service.exe
C:\Program Files\Samsung\FrameManager\sam_controller.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Rogers Online Protection\Rogers Online Protection\pkR.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [RogersServicepointAgent.exe] "C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\guestu~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\guestu~1\locals~1\temp\ntdll64.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - (no file)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FrameManager Service - Samsung India Software Center - C:\Program Files\Samsung\FrameManager\sam_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KodakDigitalDisplayService - Orb Networks, Inc. - C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rogers Online Protection (Radialpoint Security Services) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
O23 - Service: Rogers Online Protection Firewall (RP_FWS) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7106 bytes

#8 Tsylord

Tsylord
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:07 AM

Posted 29 May 2009 - 03:50 PM

Here is the ComboFix log you asked for.
ComboFix 09-05-28.09 - Mom & Dad 29/05/2009 16:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2213 [GMT -4:00]
Running from: c:\docume~1\MOM&DA~1\LOCALS~1\Temp\Saf213.tmp\ComboFix.exe
AV: Rogers Online Protection Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Rogers Online Protection Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mom & Dad\Application Data\inst.exe
c:\documents and settings\Mom & Dad\Application Data\wiaserva.log
c:\windows\system32\ahtn.htm
c:\windows\system32\frmwrk32.exe
c:\windows\system32\ntdll64.exe
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\wbem\grpconv.exe
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\win32hlp.cnf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-29 )))))))))))))))))))))))))))))))
.

2009-05-29 20:34 . 2008-04-14 00:12 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe
2009-05-29 20:34 . 2008-04-14 00:12 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-29 20:34 . 2008-04-14 00:12 39424 -c--a-w c:\windows\system32\dllcache\grpconv.exe
2009-05-29 20:34 . 2008-04-14 00:12 39424 ----a-w c:\windows\system32\grpconv.exe
2009-05-29 20:23 . 2009-05-29 20:26 62 ----a-w c:\windows\system32\apphelp.bat
2009-05-29 00:23 . 2009-05-29 00:23 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Malwarebytes
2009-05-29 00:23 . 2009-05-26 17:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 00:23 . 2009-05-29 00:23 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-29 00:23 . 2009-05-26 17:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-29 00:23 . 2009-05-29 00:23 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-28 23:37 . 2009-05-28 23:37 -------- d-----w c:\program files\Trend Micro
2009-05-28 02:01 . 2009-05-28 02:01 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-02 22:30 . 2009-05-02 22:30 -------- d-----w c:\documents and settings\Guest Users\Application Data\Cosmi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 20:37 . 2009-04-17 00:08 4899360 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-29 20:37 . 2009-04-17 00:08 235808 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-29 20:36 . 2008-12-24 17:09 720 ----a-w c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-05-29 20:35 . 2009-04-17 00:08 66620 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-29 20:35 . 2009-04-17 00:08 23084 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-13 10:55 . 2008-11-04 02:08 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 10:42 . 2008-11-04 02:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-02 22:29 . 2008-11-07 14:44 103616 ----a-w c:\documents and settings\Guest Users\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-27 00:16 . 2009-04-27 00:16 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Cosmi
2009-04-27 00:16 . 2008-11-04 01:57 103616 ----a-w c:\documents and settings\Mom & Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-26 21:50 . 2009-04-26 21:50 -------- d-----w c:\program files\NZCSM
2009-04-26 21:47 . 2009-04-26 21:47 -------- d-----w c:\program files\Cosmi
2009-04-22 19:07 . 2009-04-22 19:06 -------- d-----w c:\documents and settings\Guest Users\Application Data\Rogers Online Protection
2009-04-19 17:38 . 2009-04-19 17:37 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-19 17:38 . 2008-11-04 22:16 -------- d-----w c:\program files\iTunes
2009-04-19 17:37 . 2009-04-19 17:37 -------- d-----w c:\program files\iPod
2009-04-19 17:37 . 2008-11-04 22:15 -------- d-----w c:\program files\Common Files\Apple
2009-04-19 17:35 . 2009-04-19 17:35 -------- d-----w c:\program files\QuickTime
2009-04-19 17:30 . 2009-04-19 17:30 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-19 17:29 . 2008-12-01 22:50 -------- d-----w c:\program files\Safari
2009-04-17 01:00 . 2009-04-16 23:15 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Rogers Online Protection
2009-04-17 00:03 . 2009-04-17 00:03 -------- d-----w c:\program files\Raxco
2009-04-17 00:03 . 2009-04-17 00:03 -------- d-----w c:\documents and settings\All Users\Application Data\Raxco
2009-04-17 00:02 . 2009-04-16 23:34 -------- d-----w c:\program files\Rogers Online Protection
2009-04-17 00:02 . 2009-04-16 23:15 -------- d-----w c:\documents and settings\All Users\Application Data\Rogers Online Protection
2009-04-16 23:57 . 2008-11-05 00:41 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-16 23:54 . 2009-04-16 23:54 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-04-16 23:21 . 2009-01-31 22:42 57764 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-16 23:20 . 2008-11-04 22:16 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Apple Computer
2009-04-16 23:10 . 2008-11-05 00:37 -------- d-----w c:\program files\Yahoo!
2009-04-16 23:09 . 2008-11-05 00:41 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-12 20:20 . 2008-11-09 17:49 -------- d-----w c:\documents and settings\Guest Users\Application Data\Red Alert 3
2009-04-03 20:46 . 2009-04-03 20:46 -------- d-----w c:\documents and settings\All Users\Application Data\Razer
2009-04-03 20:46 . 2009-04-03 20:46 -------- d-----w c:\program files\DIFX
2009-04-03 20:45 . 2009-04-03 20:45 -------- d-----w c:\program files\Razer
2009-04-03 20:45 . 2009-04-03 20:45 -------- d-----w c:\documents and settings\Guest Users\Application Data\InstallShield
2009-04-01 01:38 . 2008-11-04 02:11 -------- d-----w c:\program files\MSBuild
2009-04-01 01:38 . 2009-04-01 01:38 -------- d-----w c:\program files\Reference Assemblies
2009-03-26 19:23 . 2009-04-19 17:32 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-26 19:23 . 2008-11-04 22:15 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-11-04 22:16 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 08:34 . 2008-11-04 01:23 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2008-11-04 01:22 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2008-11-04 01:20 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2008-11-04 01:23 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2008-11-04 01:20 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2008-11-04 01:21 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2008-11-04 01:21 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2008-11-04 01:22 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2008-11-04 01:22 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2008-11-04 01:22 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2008-11-04 01:22 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 18:31 . 2009-03-04 18:31 68608 ----a-w c:\documents and settings\Mom & Dad\Application Data\Rogers Online Protection\Rogers Servicepoint Agent\downloads\RpsWelcome.6334.zip.dir\en\tools\RpsInstallerFinder.exe
2009-03-04 18:31 . 2009-03-04 18:31 68608 ----a-w c:\documents and settings\Guest Users\Application Data\Rogers Online Protection\Rogers Servicepoint Agent\downloads\RpsWelcome.18467.zip.dir\en\tools\RpsInstallerFinder.exe
2009-03-02 14:47 . 2009-03-02 14:47 68608 ----a-w c:\documents and settings\Mom & Dad\Application Data\Rogers Online Protection\Rogers Servicepoint Agent\downloads\RpsFulfillment.18467.zip.dir\en\tools\RpsInstallerFinder.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2008-10-16 147456]
"RogersServicepointAgent.exe"="c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" [2009-02-27 3228912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\documents and settings\Guest Users\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mom & Dad^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Mom & Dad\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Digital Display\\KodakDigitalDisplaySoftware.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\OrbKodakLauncher\\DllStartupService.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 FrameManager Service;FrameManager Service;c:\program files\Samsung\FrameManager\sam_service.exe [26/12/2008 1:43 PM 188416]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [14/08/2008 2:10 PM 98304]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [03/04/2009 4:45 PM 16896]
R3 Radialpoint Security Services;Rogers Online Protection;c:\program files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe [27/02/2009 10:52 PM 97520]
R3 SODI;SODI;c:\windows\system32\drivers\sam_miniport.sys [26/12/2008 1:43 PM 11392]
S3 miniusb;FrameManager Display Adapter;c:\windows\system32\drivers\sam_miniusb.sys [26/12/2008 1:44 PM 9728]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-27 14:59]

2009-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-29 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2008-11-05 04:55]

2009-05-29 c:\windows\Tasks\User_Feed_Synchronization-{888A4570-A8F4-47C4-AE91-1BAE6889BB53}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2009-05-29 c:\windows\Tasks\User_Feed_Synchronization-{E334AE0B-252F-41AA-BFDF-3FD54EB85B79}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{64F90A30-338F-4E10-89D1-7EFC5D344C88} - c:\windows\system32\apphelph4.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\docume~1\GUESTU~1\LOCALS~1\Temp\ntdll64.dll
FF - ProfilePath - c:\documents and settings\Mom & Dad\Application Data\Mozilla\Firefox\Profiles\se33sz6l.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.finance.yahoo.com/
FF - plugin: c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\nprpspa.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 16:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3116)
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Samsung\FrameManager\sam_controller.exe
c:\program files\Rogers Online Protection\Rogers Online Protection\Fws.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Razer\Lycosa\razertra.exe
c:\windows\system32\dllhost.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-29 16:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-29 20:40

Pre-Run: 184,301,797,376 bytes free
Post-Run: 185,690,763,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
timeout=2
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /TUTag=34KGHI /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition (TuneUp Backup)" /fastdetect /TUTag=34KGHI-BAK

242 --- E O F --- 2009-05-13 10:55

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:07 AM

Posted 29 May 2009 - 03:57 PM

What a mess.

Can you please run ComboFix once more and post the log?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 Tsylord

Tsylord
  • Topic Starter

  • Members
  • 10 posts
  • Local time:01:07 AM

Posted 29 May 2009 - 04:08 PM

ComboFix 09-05-28.09 - Mom & Dad 29/05/2009 17:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2541 [GMT -4:00]
Running from: c:\documents and settings\Mom & Dad\Desktop\ComboFix.exe
AV: Rogers Online Protection Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Rogers Online Protection Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win32hlp.cnf

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-29 )))))))))))))))))))))))))))))))
.

2009-05-29 20:34 . 2008-04-14 00:12 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe
2009-05-29 20:34 . 2008-04-14 00:12 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-29 20:34 . 2008-04-14 00:12 39424 -c--a-w c:\windows\system32\dllcache\grpconv.exe
2009-05-29 20:34 . 2008-04-14 00:12 39424 ----a-w c:\windows\system32\grpconv.exe
2009-05-29 20:23 . 2009-05-29 20:26 62 ----a-w c:\windows\system32\apphelp.bat
2009-05-29 00:23 . 2009-05-29 00:23 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Malwarebytes
2009-05-29 00:23 . 2009-05-26 17:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 00:23 . 2009-05-29 00:23 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-29 00:23 . 2009-05-26 17:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-29 00:23 . 2009-05-29 00:23 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-28 23:37 . 2009-05-28 23:37 -------- d-----w c:\program files\Trend Micro
2009-05-28 02:01 . 2009-05-28 02:01 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-02 22:30 . 2009-05-02 22:30 -------- d-----w c:\documents and settings\Guest Users\Application Data\Cosmi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 21:04 . 2009-04-17 00:08 4972832 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-29 21:04 . 2009-04-17 00:08 240416 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-29 20:36 . 2008-12-24 17:09 720 ----a-w c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-05-29 20:35 . 2009-04-17 00:08 66620 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-29 20:35 . 2009-04-17 00:08 23084 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-13 10:55 . 2008-11-04 02:08 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 10:42 . 2008-11-04 02:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-02 22:29 . 2008-11-07 14:44 103616 ----a-w c:\documents and settings\Guest Users\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-27 00:16 . 2009-04-27 00:16 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Cosmi
2009-04-27 00:16 . 2008-11-04 01:57 103616 ----a-w c:\documents and settings\Mom & Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-26 21:50 . 2009-04-26 21:50 -------- d-----w c:\program files\NZCSM
2009-04-26 21:47 . 2009-04-26 21:47 -------- d-----w c:\program files\Cosmi
2009-04-22 19:07 . 2009-04-22 19:06 -------- d-----w c:\documents and settings\Guest Users\Application Data\Rogers Online Protection
2009-04-19 17:38 . 2009-04-19 17:37 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-19 17:38 . 2008-11-04 22:16 -------- d-----w c:\program files\iTunes
2009-04-19 17:37 . 2009-04-19 17:37 -------- d-----w c:\program files\iPod
2009-04-19 17:37 . 2008-11-04 22:15 -------- d-----w c:\program files\Common Files\Apple
2009-04-19 17:35 . 2009-04-19 17:35 -------- d-----w c:\program files\QuickTime
2009-04-19 17:30 . 2009-04-19 17:30 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-19 17:29 . 2008-12-01 22:50 -------- d-----w c:\program files\Safari
2009-04-17 01:00 . 2009-04-16 23:15 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Rogers Online Protection
2009-04-17 00:03 . 2009-04-17 00:03 -------- d-----w c:\program files\Raxco
2009-04-17 00:03 . 2009-04-17 00:03 -------- d-----w c:\documents and settings\All Users\Application Data\Raxco
2009-04-17 00:02 . 2009-04-16 23:34 -------- d-----w c:\program files\Rogers Online Protection
2009-04-17 00:02 . 2009-04-16 23:15 -------- d-----w c:\documents and settings\All Users\Application Data\Rogers Online Protection
2009-04-16 23:57 . 2008-11-05 00:41 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-16 23:54 . 2009-04-16 23:54 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-04-16 23:21 . 2009-01-31 22:42 57764 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-16 23:20 . 2008-11-04 22:16 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Apple Computer
2009-04-16 23:10 . 2008-11-05 00:37 -------- d-----w c:\program files\Yahoo!
2009-04-16 23:09 . 2008-11-05 00:41 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-12 20:20 . 2008-11-09 17:49 -------- d-----w c:\documents and settings\Guest Users\Application Data\Red Alert 3
2009-04-03 20:46 . 2009-04-03 20:46 -------- d-----w c:\documents and settings\All Users\Application Data\Razer
2009-04-03 20:46 . 2009-04-03 20:46 -------- d-----w c:\program files\DIFX
2009-04-03 20:45 . 2009-04-03 20:45 -------- d-----w c:\program files\Razer
2009-04-03 20:45 . 2009-04-03 20:45 -------- d-----w c:\documents and settings\Guest Users\Application Data\InstallShield
2009-04-01 01:38 . 2008-11-04 02:11 -------- d-----w c:\program files\MSBuild
2009-04-01 01:38 . 2009-04-01 01:38 -------- d-----w c:\program files\Reference Assemblies
2009-03-26 19:23 . 2009-04-19 17:32 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-26 19:23 . 2008-11-04 22:15 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-11-04 22:16 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 08:34 . 2008-11-04 01:23 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2008-11-04 01:22 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2008-11-04 01:20 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2008-11-04 01:23 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2008-11-04 01:20 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2008-11-04 01:21 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2008-11-04 01:21 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2008-11-04 01:22 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2008-11-04 01:22 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2008-11-04 01:22 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2008-11-04 01:22 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 18:31 . 2009-03-04 18:31 68608 ----a-w c:\documents and settings\Mom & Dad\Application Data\Rogers Online Protection\Rogers Servicepoint Agent\downloads\RpsWelcome.6334.zip.dir\en\tools\RpsInstallerFinder.exe
2009-03-04 18:31 . 2009-03-04 18:31 68608 ----a-w c:\documents and settings\Guest Users\Application Data\Rogers Online Protection\Rogers Servicepoint Agent\downloads\RpsWelcome.18467.zip.dir\en\tools\RpsInstallerFinder.exe
2009-03-02 14:47 . 2009-03-02 14:47 68608 ----a-w c:\documents and settings\Mom & Dad\Application Data\Rogers Online Protection\Rogers Servicepoint Agent\downloads\RpsFulfillment.18467.zip.dir\en\tools\RpsInstallerFinder.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2008-10-16 147456]
"RogersServicepointAgent.exe"="c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" [2009-02-27 3228912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\documents and settings\Guest Users\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mom & Dad^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Mom & Dad\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Digital Display\\KodakDigitalDisplaySoftware.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\OrbKodakLauncher\\DllStartupService.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 FrameManager Service;FrameManager Service;c:\program files\Samsung\FrameManager\sam_service.exe [26/12/2008 1:43 PM 188416]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [14/08/2008 2:10 PM 98304]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [03/04/2009 4:45 PM 16896]
R3 SODI;SODI;c:\windows\system32\drivers\sam_miniport.sys [26/12/2008 1:43 PM 11392]
S3 miniusb;FrameManager Display Adapter;c:\windows\system32\drivers\sam_miniusb.sys [26/12/2008 1:44 PM 9728]
S3 Radialpoint Security Services;Rogers Online Protection;c:\program files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe [27/02/2009 10:52 PM 97520]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-27 14:59]

2009-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-29 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2008-11-05 04:55]

2009-05-29 c:\windows\Tasks\User_Feed_Synchronization-{888A4570-A8F4-47C4-AE91-1BAE6889BB53}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2009-05-29 c:\windows\Tasks\User_Feed_Synchronization-{E334AE0B-252F-41AA-BFDF-3FD54EB85B79}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\docume~1\GUESTU~1\LOCALS~1\Temp\ntdll64.dll
FF - ProfilePath - c:\documents and settings\Mom & Dad\Application Data\Mozilla\Firefox\Profiles\se33sz6l.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.finance.yahoo.com/
FF - plugin: c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\nprpspa.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 17:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-05-29 17:05
ComboFix-quarantined-files.txt 2009-05-29 21:05
ComboFix2.txt 2009-05-29 20:41

Pre-Run: 185,692,295,168 bytes free
Post-Run: 185,676,611,584 bytes free

188 --- E O F --- 2009-05-13 10:55

#11 Tsylord

Tsylord
  • Topic Starter

  • Members
  • 10 posts
  • Local time:01:07 AM

Posted 29 May 2009 - 04:13 PM

Also, my security suite is disabled; I did this myself in order to run the scanner properly. Also, with Firefox there is a banner at the top that says "x Trojans Were Found !!!Warning your system is at risk!!! !!!Free Virus Scan!!!" and the browser won't navigate to any pages besides my homepage, but Safari and IE are working fine.

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:07 AM

Posted 29 May 2009 - 04:19 PM

Why did you disable your security suite in the first place? How are you supposed to prevent malware if you disable it?

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Then,
* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\apphelp.bat
c:\docume~1\GUESTU~1\LOCALS~1\Temp\ntdll64.dll
DDS::
LSP: c:\docume~1\GUESTU~1\LOCALS~1\Temp\ntdll64.dll


Save this as a text file called CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

In case you lost your internet connection, go to Start > Run and type cmd.
A DOS window will appear.
Type the following in the DOS window: netsh winsock reset
Hit Enter.

This should solve your broken connection.
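As an added example (not part of this thread, and not ComboFix's or GooredFix's own code), the following Python script parses a ComboFix-style log excerpt and flags the same indicators the helper acted on above: a Winsock LSP loaded from a Temp directory, a lookalike DLL name (ntdll64.dll, apphelph4.dll), a fresh .bat in system32, Security Center monitoring turned off and the Windows firewall disabled. The excerpt is constructed from lines in this thread, and the list of imitated system binary names is an assumption for the lookalike heuristic.

```python
"""Triage helper for ComboFix-style logs: flag the indicators a malware
responder looks for first. Added example, not ComboFix code."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the ComboFix log posted in this thread
# (only the lines relevant to the checks below, plus one benign row).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

BHO-{64F90A30-338F-4E10-89D1-7EFC5D344C88} - c:\windows\system32\apphelph4.dll
LSP: c:\docume~1\GUESTU~1\LOCALS~1\Temp\ntdll64.dll
FF - plugin: c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\nprpspa.dll
2009-05-29 20:34 . 2008-04-14 00:12 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-29 20:23 . 2009-05-29 20:26 62 ----a-w c:\windows\system32\apphelp.bat
"""

LSP_RE = re.compile(r"^LSP:\s+(?P<path>.+?)\s*$", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO-\{[0-9A-F-]+\}\s+-\s+(?P<path>.+?)\s*$", re.IGNORECASE)
# "Files Created" rows: date time . date time size attrs path
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]\s*$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')

# Assumed list of Windows binary names that malware imitates by appending
# characters (ntdll64.dll, apphelph4.dll). Extend as needed.
LOOKALIKE_STEMS = ("ntdll", "apphelp", "svchost", "lsass", "winlogon")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js")


@dataclass
class Finding:
    severity: str
    indicator: str
    line: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_lookalike(name):
    # "ntdll64" starts with "ntdll" but is not "ntdll": a lookalike name.
    stem = name.rsplit(".", 1)[0]
    return any(stem != s and stem.startswith(s) for s in LOOKALIKE_STEMS)


def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in log_text."""
    findings = []
    key = ""  # the registry key the following "name"=value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = REG_VAL_RE.match(line)
        if m:
            name, value = m.group("name").lower(), m.group("value").lower()
            if "security center\\monitoring" in key and name == "disablemonitoring" and value.endswith("1"):
                findings.append(Finding("medium", "security-center-monitoring-disabled", line))
            elif "firewallpolicy" in key and name == "enablefirewall" and value.startswith("0"):
                findings.append(Finding("medium", "windows-firewall-disabled", line))
            continue
        m = LSP_RE.match(line)
        if m:
            p = m.group("path").lower()
            # A Layered Service Provider should never live in a Temp folder.
            if "\\temp\\" in p or _is_lookalike(_basename(p)):
                findings.append(Finding("high", "suspicious-winsock-lsp", line))
            continue
        m = BHO_RE.match(line)
        if m and _is_lookalike(_basename(m.group("path"))):
            findings.append(Finding("high", "lookalike-bho", line))
            continue
        m = CREATED_RE.match(line)
        if m:
            p = m.group("path").lower()
            name = _basename(p)
            if "\\windows\\system32\\" in p and (name.endswith(SCRIPT_EXTS) or _is_lookalike(name)):
                findings.append(Finding("high", "new-script-in-system32", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.indicator:38} {f.line}")
```

Removing a flagged LSP DLL without repairing the Winsock catalog leaves the chain broken, which is why the instructions above end with netsh winsock reset.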

#13 Tsylord

Tsylord
  • Topic Starter

  • Members
  • 10 posts
  • Local time:01:07 AM

Posted 29 May 2009 - 04:42 PM

Here's the latest from the front.
ComboFix 09-05-28.09 - Mom & Dad 29/05/2009 17:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2295 [GMT -4:00]
Running from: c:\documents and settings\Mom & Dad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mom & Dad\Desktop\CFScript.txt
AV: Rogers Online Protection Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Rogers Online Protection Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
* Resident AV is active


FILE ::
"c:\docume~1\GUESTU~1\LOCALS~1\Temp\ntdll64.dll"
"c:\windows\system32\apphelp.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\GUESTU~1\LOCALS~1\Temp\ntdll64.dll
c:\windows\system32\apphelp.bat
c:\windows\system32\win32hlp.cnf

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-29 )))))))))))))))))))))))))))))))
.

2009-05-29 20:34 . 2008-04-14 00:12 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe
2009-05-29 20:34 . 2008-04-14 00:12 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-29 20:34 . 2008-04-14 00:12 39424 -c--a-w c:\windows\system32\dllcache\grpconv.exe
2009-05-29 20:34 . 2008-04-14 00:12 39424 ----a-w c:\windows\system32\grpconv.exe
2009-05-29 00:23 . 2009-05-29 00:23 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Malwarebytes
2009-05-29 00:23 . 2009-05-26 17:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 00:23 . 2009-05-29 00:23 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-29 00:23 . 2009-05-26 17:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-29 00:23 . 2009-05-29 00:23 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-28 23:37 . 2009-05-28 23:37 -------- d-----w c:\program files\Trend Micro
2009-05-28 02:01 . 2009-05-28 02:01 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-02 22:30 . 2009-05-02 22:30 -------- d-----w c:\documents and settings\Guest Users\Application Data\Cosmi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 21:30 . 2009-04-17 00:08 5048096 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-29 21:30 . 2009-04-17 00:08 244512 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-29 21:28 . 2008-12-24 17:09 720 ----a-w c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-05-29 21:27 . 2009-04-17 00:08 68612 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-29 21:27 . 2009-04-17 00:08 23924 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-13 10:55 . 2008-11-04 02:08 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 10:42 . 2008-11-04 02:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-02 22:29 . 2008-11-07 14:44 103616 ----a-w c:\documents and settings\Guest Users\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-27 00:16 . 2009-04-27 00:16 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Cosmi
2009-04-27 00:16 . 2008-11-04 01:57 103616 ----a-w c:\documents and settings\Mom & Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-26 21:50 . 2009-04-26 21:50 -------- d-----w c:\program files\NZCSM
2009-04-26 21:47 . 2009-04-26 21:47 -------- d-----w c:\program files\Cosmi
2009-04-22 19:07 . 2009-04-22 19:06 -------- d-----w c:\documents and settings\Guest Users\Application Data\Rogers Online Protection
2009-04-19 17:38 . 2009-04-19 17:37 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-19 17:38 . 2008-11-04 22:16 -------- d-----w c:\program files\iTunes
2009-04-19 17:37 . 2009-04-19 17:37 -------- d-----w c:\program files\iPod
2009-04-19 17:37 . 2008-11-04 22:15 -------- d-----w c:\program files\Common Files\Apple
2009-04-19 17:35 . 2009-04-19 17:35 -------- d-----w c:\program files\QuickTime
2009-04-19 17:30 . 2009-04-19 17:30 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-19 17:29 . 2008-12-01 22:50 -------- d-----w c:\program files\Safari
2009-04-17 01:00 . 2009-04-16 23:15 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Rogers Online Protection
2009-04-17 00:03 . 2009-04-17 00:03 -------- d-----w c:\program files\Raxco
2009-04-17 00:03 . 2009-04-17 00:03 -------- d-----w c:\documents and settings\All Users\Application Data\Raxco
2009-04-17 00:02 . 2009-04-16 23:34 -------- d-----w c:\program files\Rogers Online Protection
2009-04-17 00:02 . 2009-04-16 23:15 -------- d-----w c:\documents and settings\All Users\Application Data\Rogers Online Protection
2009-04-16 23:57 . 2008-11-05 00:41 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-16 23:54 . 2009-04-16 23:54 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-04-16 23:21 . 2009-01-31 22:42 57764 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-16 23:20 . 2008-11-04 22:16 -------- d-----w c:\documents and settings\Mom & Dad\Application Data\Apple Computer
2009-04-16 23:10 . 2008-11-05 00:37 -------- d-----w c:\program files\Yahoo!
2009-04-16 23:09 . 2008-11-05 00:41 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-12 20:20 . 2008-11-09 17:49 -------- d-----w c:\documents and settings\Guest Users\Application Data\Red Alert 3
2009-04-03 20:46 . 2009-04-03 20:46 -------- d-----w c:\documents and settings\All Users\Application Data\Razer
2009-04-03 20:46 . 2009-04-03 20:46 -------- d-----w c:\program files\DIFX
2009-04-03 20:45 . 2009-04-03 20:45 -------- d-----w c:\program files\Razer
2009-04-03 20:45 . 2009-04-03 20:45 -------- d-----w c:\documents and settings\Guest Users\Application Data\InstallShield
2009-04-01 01:38 . 2008-11-04 02:11 -------- d-----w c:\program files\MSBuild
2009-04-01 01:38 . 2009-04-01 01:38 -------- d-----w c:\program files\Reference Assemblies
2009-03-26 19:23 . 2009-04-19 17:32 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-26 19:23 . 2008-11-04 22:15 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-11-04 22:16 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 08:34 . 2008-11-04 01:23 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2008-11-04 01:22 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2008-11-04 01:20 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2008-11-04 01:23 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2008-11-04 01:20 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2008-11-04 01:21 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2008-11-04 01:21 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2008-11-04 01:22 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2008-11-04 01:22 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2008-11-04 01:22 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2008-11-04 01:22 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 18:31 . 2009-03-04 18:31 68608 ----a-w c:\documents and settings\Mom & Dad\Application Data\Rogers Online Protection\Rogers Servicepoint Agent\downloads\RpsWelcome.6334.zip.dir\en\tools\RpsInstallerFinder.exe
2009-03-04 18:31 . 2009-03-04 18:31 68608 ----a-w c:\documents and settings\Guest Users\Application Data\Rogers Online Protection\Rogers Servicepoint Agent\downloads\RpsWelcome.18467.zip.dir\en\tools\RpsInstallerFinder.exe
2009-03-02 14:47 . 2009-03-02 14:47 68608 ----a-w c:\documents and settings\Mom & Dad\Application Data\Rogers Online Protection\Rogers Servicepoint Agent\downloads\RpsFulfillment.18467.zip.dir\en\tools\RpsInstallerFinder.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2008-10-16 147456]
"RogersServicepointAgent.exe"="c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" [2009-02-27 3228912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\documents and settings\Guest Users\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mom & Dad^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Mom & Dad\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Digital Display\\KodakDigitalDisplaySoftware.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\OrbKodakLauncher\\DllStartupService.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 FrameManager Service;FrameManager Service;c:\program files\Samsung\FrameManager\sam_service.exe [26/12/2008 1:43 PM 188416]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [14/08/2008 2:10 PM 98304]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [03/04/2009 4:45 PM 16896]
R3 Radialpoint Security Services;Rogers Online Protection;c:\program files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe [27/02/2009 10:52 PM 97520]
R3 SODI;SODI;c:\windows\system32\drivers\sam_miniport.sys [26/12/2008 1:43 PM 11392]
S3 miniusb;FrameManager Display Adapter;c:\windows\system32\drivers\sam_miniusb.sys [26/12/2008 1:44 PM 9728]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-27 14:59]

2009-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-29 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2008-11-05 04:55]

2009-05-29 c:\windows\Tasks\User_Feed_Synchronization-{888A4570-A8F4-47C4-AE91-1BAE6889BB53}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2009-05-29 c:\windows\Tasks\User_Feed_Synchronization-{E334AE0B-252F-41AA-BFDF-3FD54EB85B79}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mom & Dad\Application Data\Mozilla\Firefox\Profiles\se33sz6l.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.finance.yahoo.com/
FF - plugin: c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\nprpspa.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3716)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Samsung\FrameManager\sam_controller.exe
c:\program files\Rogers Online Protection\Rogers Online Protection\Fws.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\windows\system32\dllhost.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Razer\Lycosa\razertra.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-29 17:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-29 21:34
ComboFix2.txt 2009-05-29 21:05
ComboFix3.txt 2009-05-29 20:41

Pre-Run: 185,684,619,264 bytes free
Post-Run: 185,666,613,248 bytes free

222 --- E O F --- 2009-05-13 10:55

It also appears that my security suite is being disabled by something (not me this time) or at least Windows Security is saying it's disabled.
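The ComboFix log above records Security Center monitoring switched off ("DisableMonitoring"=dword:00000001) and the standard-profile Windows Firewall disabled ("EnableFirewall"= 0), which is what Windows Security flags when it reports protection as disabled. As an added example that is not part of the thread, this Python snippet parses ComboFix-style registry lines and flags exactly those two settings; the input is a constructed excerpt mirroring the log.

```python
import re

# Constructed excerpt in the registry-dump format ComboFix uses, mirroring the
# Security Center and firewall entries that appear in the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKLM\...\key]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')    # "Name"=data (data may be empty)

def parse_registry_dump(text):
    """Return {key_path: {value_name: raw_data}} from ComboFix-style lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys

def as_int(raw):
    """Decode the two numeric spellings in the dump: 'dword:HEX' and 'N (0xN)'."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None

def weakened_settings(keys):
    """Flag Security Center monitoring switched off and the XP firewall disabled."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if r"security center\monitoring" in low and as_int(values.get("DisableMonitoring", "")) == 1:
            findings.append(f"Security Center monitoring disabled: {path}")
        if low.endswith(r"firewallpolicy\standardprofile") and as_int(values.get("EnableFirewall", "")) == 0:
            findings.append(f"Windows Firewall disabled: {path}")
    return findings
```

Running `weakened_settings(parse_registry_dump(SAMPLE_LOG))` on the excerpt returns three findings: two disabled monitoring keys and the disabled standard-profile firewall.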

#14 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 May 2009 - 02:18 AM

It also appears that my security suite is being disabled by something (not me this time) or at least Windows Security is saying it's disabled.

I suggest you uninstall your current security suite temporarily and install another antivirus instead. This is because your current security suite may indeed be corrupted.

So uninstall your security suite and reboot.

Then, please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.

#15 Tsylord
  • Topic Starter

  • Members
  • 10 posts

Posted 30 May 2009 - 08:16 AM

We're now using Kaspersky Internet Security 2009, because the Rogers thing is terrible. Will the report be the same?
