Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

adware.purityscan infection


  • This topic is locked This topic is locked
14 replies to this topic

#1 nancy4s

nancy4s

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 27 August 2009 - 09:41 PM

My Norton AntiVirus2006 keeps telling me that I'm infected with adware.purityscan - it can't remove it automatically. I've tried the manual removal using their instructions but that didn't work either. I'm afraid to get into the registry without help so I'm hoping that someone here can help me.

I'm incuding the attach.txt, the dds.txt and a new hijack this log.

Thank you for your time!
Nancy


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 4/4/2006 4:01:07 PM
System Uptime: 8/27/2009 8:59:08 AM (13 hours ago)

Motherboard: Dell Computer Corp. | | 02Y832
Processor: Intel® Pentium® 4 CPU 2.60GHz | Microprocessor | 2593/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 51.878 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 8/27/2009 11:12:11 AM - System Checkpoint
RP2: 8/27/2009 1:00:37 PM - Software Distribution Service 3.0

==== Installed Programs ======================

3D Groove Playback Engine
7300
7300_Help
7300Trb
ACDSee
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
AIM 6
AIM Toolbar 5.0
AiO_Scan
AiOSoftware
AOL Coach Version 1.0(Build:20030807.3)
AOL Explorer
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
Apple Software Update
Avery Wizard 3.1
Banctec Service Agreement
Brother MFL Pro Suite
BufferChm
Business Contact Manager for Outlook 2003
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
ccCommon
CCleaner (remove only)
Classic PhoneTools
COMODO Firewall Pro
Compatibility Pack for the 2007 Office system
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
Copy
CreativeProjects
CreativeProjectsTemplates
CueTour
DAO
Dell Networking Guide
Dell Picture Studio - Dell Image Expert
Dell Solution Center
DellSupport
Destinations
Digital Line Detect
Director
DocProc
DocumentViewer
DS21Patch
DVDSentry
Fax
Google Talk (remove only)
Help and Support Customization
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
HP Diagnostic Assistant
HP Image Zone 4.2
HP Photo Imaging Software
HP Photo Printing Software
HP PSC & OfficeJet 4.2
HP Software Update
HPODiscovery
HPSystemDiagnostics
InstantShare
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Internet Explorer Q903235
Internet Worm Protection
Java™ 6 Update 15
Java™ 6 Update 7
Learn2 Player (Uninstall Only)
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Modem Helper
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH Jukebox
MusicNet@AOL
NAVShortcut
NetWaiting
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
overland
Paint Shop Pro 7
PaperPort 8.0 SE
Pattern Pieces: The DMC Edition
PCStitch
PCStitch Pattern Viewer
PhotoGallery
PowerDVD
PrintScreen
ProductContext
QFolder
QuickProjects
QuickTime
Readme
RealOne Player
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
SkinsHP1
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Live!
SPBBC
Spybot - Search & Destroy
SpywareBlaster 4.2
Symantec
SymNet
TrayApp
Unload
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WinZip

==== Event Viewer Messages From Past Week ========

8/27/2009 9:33:59 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
8/27/2009 9:00:50 AM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
8/27/2009 9:00:41 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AOL Connectivity Service service to connect.
8/27/2009 9:00:41 AM, error: Service Control Manager [7000] - The AOL Connectivity Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/27/2009 8:52:23 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/27/2009 5:29:45 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/27/2009 5:29:32 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD cmdGuard cmdHlp eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRTPEL SPBBCDrv SYMTDI Tcpip
8/27/2009 5:29:32 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
8/27/2009 5:29:32 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/27/2009 5:29:32 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/27/2009 5:29:32 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/27/2009 5:29:14 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/27/2009 4:19:21 AM, error: NtServicePack [4373] - Windows XP KB968389 installation failed.
Access is denied.
8/24/2009 12:34:35 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer RIGHTCOMPUTER that believes that it is the master browser for the domain on transport NetBT_Tcpip_{4A4D0B9A-50AC-. The master browser is stopping or an election is being forced.

==== End Of File ===========================


DDS (Ver_09-07-30.01) - NTFSx86
Run by Elizabeth at 21:34:46.56 on Thu 08/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.1776 [GMT -4:00]

AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1151601080\ee\AOLSoftware.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Documents and Settings\Elizabeth\Desktop\dds.scr
C:\Documents and Settings\Elizabeth\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = 1
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton antivirus\NavShExt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.0b\AOL.EXE" -b
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [<NO NAME>] c:\program files\internet explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/P...000018.000000A8
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HostManager] c:\program files\common files\aol\1151601080\ee\AOLSoftware.exe
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [COMODO Internet Security] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-explorer: <NO NAME> =
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Shorten URL - http://www.cjb.net/menuext.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136574226359
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/activedata/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
AppInit_DLLs: c:\windows\system32\guard32.dll

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-4-27 132040]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-4-27 25160]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-4-27 707152]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-4-27 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-28 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090826.009\NAVENG.Sys [2009-8-27 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090826.009\NavEx15.Sys [2009-8-27 1323568]
R3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2005-8-26 334984]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2003-11-15 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2003-11-15 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2003-11-15 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2003-11-15 10368]
S3 SAVScan;Symantec AVScan;c:\program files\norton antivirus\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2009-08-27 13:52 <DIR> --d----- c:\docume~1\elizab~1\applic~1\Malwarebytes
2009-08-27 13:47 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 13:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-27 13:47 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-27 13:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 04:39 116,187,962 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-08-17 22:49 54,156 a---h--- c:\windows\QTFont.qfn
2009-08-17 22:49 1,409 a------- c:\windows\QTFont.for
2009-08-12 16:28 655,872 -c------ c:\windows\system32\dllcache\mstscax.dll
2009-08-05 05:11 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-07-30 01:08 <DIR> --d----- C:\dcb67e0a75baecff148046da6b
2009-07-29 13:00 <DIR> --d----- C:\000212c5811cdf5c4c

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 14:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 14:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 14:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 14:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 14:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 14:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 14:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 14:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 14:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 14:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 14:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 14:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-22 07:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 07:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 07:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-08 10:04 179,792 a------- c:\windows\system32\guard32.dll
2009-06-05 03:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2006-01-05 14:39 223,166 ---sh--- c:\windows\system32\cbeeg.bak1
2006-01-06 02:39 215,570 ---sh--- c:\windows\system32\cbeeg.bak2
2006-01-05 22:44 224,560 ---sh--- c:\windows\system32\cbeeg.ini2
2005-10-31 15:33 210,012 ---sh--- c:\windows\system32\ybeeg.bak1
2005-10-31 21:15 209,110 ---sh--- c:\windows\system32\ybeeg.bak2
2005-11-01 15:38 209,827 ---sh--- c:\windows\system32\ybeeg.ini2

============= FINISH: 21:35:56.66 ===============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:35 PM, on 8/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1151601080\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\AOL 9.0b\shellmon.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Elizabeth\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151601080\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0b\AOL.EXE" -b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/P...000018.000000A8
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136574226359
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\SYSTEM32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12119 bytes

Attached Files



BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:59 AM

Posted 27 August 2009 - 10:41 PM

Hi Nancy,

I see some vundo malware on your computer.

Uninstall this old version of Java, as old verions are malware magnets.
Java 6 Update 7

Reboot your computer

******************


Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
http://www.outerinfo.com/howto.html
Tutorial for the uninstaller if needed

Reboot when done and if found, delete this folder:

C:\Program Files\PurityScan

******************

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Norton Antivirus before running ComboFix, as it will prevent it from running.

To disable Norton Antivirus:  
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> chose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: Posted Image
You succesfully disabled the Norton Antivirus Guard.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop..
Post the log from ComboFix in your next reply,

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 nancy4s

nancy4s
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 27 August 2009 - 11:56 PM

Thanks for your quick response SifuMike!

I was unable to download the OiUninstaller even with my computer security setting at the lowest setting humanly possible. I did uninstall the old version of Java and I did run Combo Fix. The log is below.

Nancy

ComboFix 09-08-27.02 - Elizabeth 08/28/2009 0:16.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.1974 [GMT -4:00]
Running from: c:\documents and settings\Elizabeth\Desktop\ComboFix.exe
AV: Norton AntiVirus 2006 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Elizabeth\My Documents\ZbThumbnail.info
c:\program files\cas
c:\windows\avazh.dll
c:\windows\SYSTEM32\cbeeg.bak1
c:\windows\SYSTEM32\cbeeg.bak2
c:\windows\SYSTEM32\cbeeg.ini
c:\windows\SYSTEM32\cbeeg.ini2
c:\windows\system32\Data
c:\windows\system32\mbols~1
c:\windows\system32\open.ico
c:\windows\system32\Process.exe
c:\windows\SYSTEM32\ybeeg.bak1
c:\windows\SYSTEM32\ybeeg.bak2
c:\windows\SYSTEM32\ybeeg.ini
c:\windows\SYSTEM32\ybeeg.ini2
c:\windows\SYSTEM32\ybeeg.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ISEXENG
-------\Legacy_ZESOFT


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-27 21:45 . 2009-08-27 21:45 -------- d-----w- c:\documents and settings\Elizabeth\Application Data\Viewpoint
2009-08-27 17:52 . 2009-08-27 17:52 -------- d-----w- c:\documents and settings\Elizabeth\Application Data\Malwarebytes
2009-08-27 17:47 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 17:47 . 2009-08-27 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-27 17:47 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 17:47 . 2009-08-27 17:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 08:39 . 2009-08-27 08:39 116187962 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2009-08-25 22:44 . 2009-08-25 22:44 152576 ----a-w- c:\documents and settings\Elizabeth\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-12 20:28 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-30 05:08 . 2009-07-30 05:08 -------- d-----w- C:\dcb67e0a75baecff148046da6b
2009-07-29 17:00 . 2009-07-29 17:00 -------- d-----w- C:\000212c5811cdf5c4c

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 03:45 . 2003-10-17 04:51 -------- d-----w- c:\program files\Java
2009-08-28 02:29 . 2009-01-18 02:16 -------- d-----w- c:\program files\Google
2009-08-27 21:42 . 2003-11-18 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-27 15:19 . 2008-03-07 13:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-27 15:19 . 2005-08-16 21:26 -------- d-----w- c:\program files\SpywareBlaster
2009-08-19 19:56 . 2003-11-21 21:21 -------- d-----w- c:\program files\PCStitch 7
2009-08-13 12:14 . 2003-10-17 05:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-11 12:06 . 2008-04-27 18:03 -------- d-----w- c:\program files\AOL 9.0b
2009-08-05 09:11 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 14:11 . 2003-10-17 05:01 115432 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-25 09:23 . 2009-02-10 16:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 20:45 . 2009-07-21 20:45 -------- d-----w- c:\program files\Avery
2009-07-17 18:55 . 2003-07-16 16:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-06-29 16:12 . 2006-04-28 14:58 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-07-22 16:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-07-16 16:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 19:27 . 2007-09-16 04:20 1915520 ----a-w- c:\documents and settings\Elizabeth\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-25 18:36 . 2003-07-16 16:29 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2003-07-16 16:29 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2003-07-16 16:29 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2003-07-16 16:29 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2003-07-16 16:29 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2003-07-16 16:29 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2003-07-16 16:29 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 18:36 . 2003-07-16 16:29 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2003-07-16 16:29 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2003-07-16 16:28 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2003-07-16 16:28 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2003-07-16 16:28 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-22 11:49 . 2003-07-16 16:29 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2003-07-16 16:28 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2003-07-16 16:29 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2003-07-16 16:28 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:55 . 2003-07-16 16:41 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2003-07-16 16:22 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-10 18:47 . 2009-06-10 18:47 152576 ----a-w- c:\documents and settings\Elizabeth\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-08 14:04 . 2008-04-27 16:04 179792 ----a-w- c:\windows\system32\guard32.dll
2009-06-08 14:04 . 2008-04-27 16:04 132040 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-06-05 14:02 . 2008-04-27 16:04 86976 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-06-05 14:02 . 2008-04-27 16:04 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-06-05 07:42 . 2002-08-29 10:00 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2005-08-30 13:14 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files\AOL 9.0b\AOL.EXE" [2007-04-18 50736]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\IEXPLORE.EXE" [2009-06-29 634632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"HostManager"="c:\program files\Common Files\AOL\1151601080\ee\AOLSoftware.exe" [2008-06-24 41824]
"COMODO Firewall Pro"="c:\program files\Comodo\Firewall\cfp.exe" [2009-06-05 1793808]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"COMODO Internet Security"="c:\program files\Comodo\Firewall\cfp.exe" [2009-06-05 1793808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]
backup=c:\windows\pss\SmartUI.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IE Menu Extension toolbar"=rundll32.exe "c:\progra~1\IEMENU~1\tbextn.dll" DllShowTB

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1151601080\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1151601080\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\AOL 9.0b\\waol.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdguard.sys [4/27/2008 12:04 PM 132040]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [4/27/2008 12:04 PM 25160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/28/2009 2:54 PM 101936]
S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [11/15/2003 9:08 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [11/15/2003 9:08 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\SYSTEM32\DRIVERS\BrUsbMdm.sys [11/15/2003 9:08 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\SYSTEM32\DRIVERS\BrUsbScn.sys [11/15/2003 9:08 PM 10368]
.
Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Elizabeth.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-09-24 16:13]

2008-04-28 c:\windows\Tasks\Norton AntiVirus - Run Norton QuickScan - Elizabeth.job
- c:\progra~1\NORTON~1\NAVW32.EXE [2005-09-24 16:13]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = 1
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Shorten URL - http://www.cjb.net/menuext.html
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 00:32
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4036)
c:\windows\system32\WININET.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Comodo\Firewall\cmdagent.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\brss01a.exe
c:\program files\AOL 9.0b\waol.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\windows\SYSTEM32\Brmfrmps.exe
c:\windows\SYSTEM32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\program files\AOL 9.0b\shellmon.exe
.
**************************************************************************
.
Completion time: 2009-08-28 0:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-28 04:48

Pre-Run: 55,655,682,048 bytes free
Post-Run: 55,656,087,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

234 --- E O F --- 2009-08-27 17:06

Attached Files

  • Attached File  log.txt   14.7KB   0 downloads


#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:59 AM

Posted 28 August 2009 - 12:55 AM

Hi Nancy,

You need to disable your Norton Antivirus before running ComboFix, as it will prevent it from running.

To disable Norton Antivirus:  
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> chose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: Posted Image
You succesfully disabled the Norton Antivirus Guard.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 nancy4s

nancy4s
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 28 August 2009 - 08:35 AM

My Norton WAS disabled when I started the ComboFix scan BUT whenever the computer reboots, Norton runs this little quick scan thing and there is no place in the Norton program to disable it. So I sat there watching ComboFix running, rebooting and Norton scanning even though the Norton program itself had this big red X through it.

This morning I went into MSCONFIG to stop Norton from starting at bootup time and the program isn't even showing up in my taskbar now so I thought everything was ok.

I started ComboFix again and it's giving me a warning message saying ComboFix has detected a real time scanner from NortonAntiVirus2006 to be active and to disable it. It goes on to say that I can damage my machine if I don't disable the Norton. I have no idea how to do that since Norton isn't even showing that it's even on my system now.

I tried doing the CTRL/ALT/DEL and I did find something from Norton in the processes section and I tried to stop it from running, but it wouldn't allow me to do that.

So - what do I do now other than uninstall Norton from my system to get ComboFix to run?

Nancy

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:59 AM

Posted 28 August 2009 - 09:56 AM

Hi Nancy,

I think the best thing to do is to uninstall Norton unitl we get done using ComboFix. Then run ComboFix with my script again and post the log.

Be sure that you do not surf the internet as you will have not antivirus protection.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 nancy4s

nancy4s
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 28 August 2009 - 12:26 PM

Sorry this took so long. It took a while for the Norton to get unstalled completely and I wanted to reinstall it before I went back on the internet.

Here is the ComboFix without any Norton AntiVirus at all.

ComboFix 09-08-27.02 - Elizabeth 08/28/2009 11:55.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.2178 [GMT -4:00]
Running from: c:\documents and settings\Elizabeth\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Elizabeth\Desktop\CFScript.txt
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-27 21:45 . 2009-08-27 21:45 -------- d-----w- c:\documents and settings\Elizabeth\Application Data\Viewpoint
2009-08-27 17:52 . 2009-08-27 17:52 -------- d-----w- c:\documents and settings\Elizabeth\Application Data\Malwarebytes
2009-08-27 17:47 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 17:47 . 2009-08-27 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-27 17:47 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 17:47 . 2009-08-27 17:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 08:39 . 2009-08-27 08:39 116187962 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2009-08-25 22:44 . 2009-08-25 22:44 152576 ----a-w- c:\documents and settings\Elizabeth\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-12 20:28 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-30 05:08 . 2009-07-30 05:08 -------- d-----w- C:\dcb67e0a75baecff148046da6b
2009-07-29 17:00 . 2009-07-29 17:00 -------- d-----w- C:\000212c5811cdf5c4c

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 15:46 . 2003-10-17 05:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-28 05:39 . 2008-04-27 16:04 179792 ----a-w- c:\windows\system32\guard32.dll
2009-08-28 05:39 . 2008-04-27 16:04 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-08-28 05:39 . 2008-04-27 16:04 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-08-28 05:39 . 2008-04-27 16:04 132168 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-08-28 03:45 . 2003-10-17 04:51 -------- d-----w- c:\program files\Java
2009-08-28 02:29 . 2009-01-18 02:16 -------- d-----w- c:\program files\Google
2009-08-27 21:42 . 2003-11-18 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-27 15:19 . 2008-03-07 13:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-27 15:19 . 2005-08-16 21:26 -------- d-----w- c:\program files\SpywareBlaster
2009-08-19 19:56 . 2003-11-21 21:21 -------- d-----w- c:\program files\PCStitch 7
2009-08-11 12:06 . 2008-04-27 18:03 -------- d-----w- c:\program files\AOL 9.0b
2009-08-05 09:11 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 14:11 . 2003-10-17 05:01 115432 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-25 09:23 . 2009-02-10 16:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 20:45 . 2009-07-21 20:45 -------- d-----w- c:\program files\Avery
2009-07-17 18:55 . 2003-07-16 16:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-06-29 16:12 . 2006-04-28 14:58 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-07-22 16:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-07-16 16:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 19:27 . 2007-09-16 04:20 1915520 ----a-w- c:\documents and settings\Elizabeth\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-25 18:36 . 2003-07-16 16:29 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2003-07-16 16:29 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2003-07-16 16:29 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2003-07-16 16:29 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2003-07-16 16:29 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2003-07-16 16:29 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2003-07-16 16:29 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 18:36 . 2003-07-16 16:29 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2003-07-16 16:29 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2003-07-16 16:28 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2003-07-16 16:28 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2003-07-16 16:28 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-22 11:49 . 2003-07-16 16:29 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2003-07-16 16:28 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2003-07-16 16:29 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2003-07-16 16:28 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:55 . 2003-07-16 16:41 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2003-07-16 16:22 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-10 18:47 . 2009-06-10 18:47 152576 ----a-w- c:\documents and settings\Elizabeth\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-05 07:42 . 2002-08-29 10:00 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2005-08-30 13:14 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-28_04.33.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-28 16:07 . 2009-08-28 16:07 16384 c:\windows\Temp\Perflib_Perfdata_7fc.dat
+ 2009-08-28 16:07 . 2009-08-28 16:07 16384 c:\windows\Temp\Perflib_Perfdata_76c.dat
- 2009-08-14 15:40 . 2008-07-08 13:02 26488 c:\windows\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\spcustom.dll
- 2009-08-14 15:40 . 2008-07-08 13:02 17272 c:\windows\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\spmsg.dll
- 2009-08-14 15:40 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\updspapi.dll
- 2009-08-14 15:40 . 2009-05-26 11:40 755576 c:\windows\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe
- 2009-08-14 15:40 . 2008-07-08 13:02 231288 c:\windows\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\spuninst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\IEXPLORE.EXE" [2009-06-29 634632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"HostManager"="c:\program files\Common Files\AOL\1151601080\ee\AOLSoftware.exe" [2008-06-24 41824]
"COMODO Firewall Pro"="c:\program files\Comodo\Firewall\cfp.exe" [2009-08-28 1796368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"COMODO Internet Security"="c:\program files\Comodo\Firewall\cfp.exe" [2009-08-28 1796368]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]
backup=c:\windows\pss\SmartUI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IE Menu Extension toolbar"=rundll32.exe "c:\progra~1\IEMENU~1\tbextn.dll" DllShowTB

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1151601080\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1151601080\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\AOL 9.0b\\waol.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdguard.sys [4/27/2008 12:04 PM 132168]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [4/27/2008 12:04 PM 25160]
S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [11/15/2003 9:08 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [11/15/2003 9:08 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\SYSTEM32\DRIVERS\BrUsbMdm.sys [11/15/2003 9:08 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\SYSTEM32\DRIVERS\BrUsbScn.sys [11/15/2003 9:08 PM 10368]
S3 EraserUtilDrv10920;EraserUtilDrv10920;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10920.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10920.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = 1
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Shorten URL - http://www.cjb.net/menuext.html
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 12:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3720)
c:\windows\system32\WININET.dll
c:\windows\system32\browselc.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Comodo\Firewall\cmdagent.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\brss01a.exe
c:\windows\SYSTEM32\Brmfrmps.exe
c:\windows\SYSTEM32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-28 12:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-28 16:21
ComboFix2.txt 2009-08-28 04:48

Pre-Run: 56,209,018,880 bytes free
Post-Run: 56,190,468,096 bytes free

182 --- E O F --- 2009-08-27 17:06

Attached Files

  • Attached File  log.txt   12.73KB   0 downloads


#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:59 AM

Posted 28 August 2009 - 12:55 PM

Hi nancy,

Looks good. :(

Now we look for stragglers. This scan next scan will take a while.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 nancy4s

nancy4s
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 28 August 2009 - 03:41 PM

Just as the Kapersky scan found the purityscan - my Norton popped up with "I found a threat" - so I guess what I need to know is - can we remove it or should I just tell Norton to ignore it?

Here's the Kapersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 28, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 28, 2009 20:28:52
Records in database: 2699504
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 92543
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:58:20


File name / Threat / Threats count
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4PQ7052J\ctxad-316[1].0000 Infected: not-a-virus:AdWare.Win32.PurityScan.ak 1

Selected area has been scanned.

Attached Files



#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:59 AM

Posted 28 August 2009 - 03:48 PM

Hi Nancy,

Not to worry. That is in your Temp files. :(

We will clean that out with a temp file cleaner.

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!



Please run your Norton Antivirus and post out report. Make it a txt file, as those are easy to read.

Edited by SifuMike, 28 August 2009 - 03:49 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 nancy4s

nancy4s
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 28 August 2009 - 05:15 PM

Well - I ran my Norton AntiVirus and I have no report to post because it said NO THREATS FOUND!!!!! PurityScan is gone!!!!!!!!

A million thanks for helping me!!!!!!

Nancy

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:59 AM

Posted 28 August 2009 - 05:24 PM

Hi Nancy,

Your very welcome.

Looks like Comobfix did its job. :(

Now we just have one more step to do - progam cleanup.


Uninstall ComboFix, go to to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete any of its related folders and files (Qoobox
VundoFix Backups, Avenger, _OTM3), reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Please read and follow
How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here.

Now your good to go. :(

Edited by SifuMike, 28 August 2009 - 05:25 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 nancy4s

nancy4s
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 28 August 2009 - 05:36 PM

I've uninstalled ComboFix.

Thank you again!!! I could never have done this myself !!!!

Nancy

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:59 AM

Posted 28 August 2009 - 05:40 PM

Your very welcome. And thank you for the donation. :(
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:59 AM

Posted 10 September 2009 - 06:52 PM

Since your problem appears to be resolved, this thread will now be closed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users