Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with ???


  • This topic is locked This topic is locked
23 replies to this topic

#1 oh_no

oh_no

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 25 January 2010 - 03:14 AM

Recently got help w/ my laptop. I'd like to get help cleaning my desktop now that i've learned about rootkits.

My computer shutdown while running RootRepeal, it had been running for about 5 mins and had listed a file (hs... .sys) before my comp shutdown all of a sudden. When I tried to run RootRepeal again, the comp shutdown again, twice. A blue screen came up and the text included "IrqL not less or Equal" and "Windows did not shutdown successfully..."

Installed Vista Service Pack 2 about an hour ago.

Appreciate any assistance.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Family room 2 at 1:55:52.01 on 25/01/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1918.763 [GMT -5:00]

AV: Rogers Online Protection Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: Norton Security Online *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Security Online *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Rogers Online Protection Anti-Spyware *disabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
FW: Rogers Online Protection Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
FW: Norton Security Online *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\brsvc01a.exe
C:\Windows\system32\brss01a.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Rogers\SelfHealing\shs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\RPS.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Kav\Bin\ScanningProcess.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Family room 2\Desktop\dds.scr
C:\Windows\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://sharenews.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\rogers online protection\rogers online protection\pkR.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Power2GoExpress]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [winntR1] c:\winnt_\winntR1.exe
uRun: [winntR2] c:\winnt_\winntR2.exe
uRun: [winnt2] c:\winnt_\winnt2.exe
uRun: [winnt3] c:\winnt_\winnt3.exe
uRun: [winnt4] c:\winnt_\winnt4.exe
uRun: [winnt5] c:\winnt_\winnt5.exe
uRun: [winnt6] c:\winnt_\winnt6.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [<NO NAME>]
mRun: [SiteAdvisor] "c:\program files\siteadvisor\6261\SiteAdv.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Rogers SHS] c:\program files\rogers\selfhealing\shs.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RogersServicepointAgent.exe] "c:\program files\rogers online protection\rogers servicepoint agent\RogersServicepointAgent.exe" /AUTORUN
mRun: [RtHDVCpl] RtHDVCpl.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-25 05:01:33 0 d-----w- c:\windows\system32\vi-VN
2010-01-25 05:01:33 0 d-----w- c:\windows\system32\eu-ES
2010-01-25 05:01:33 0 d-----w- c:\windows\system32\ca-ES
2010-01-25 01:34:34 0 d-----w- c:\users\family room 2\Tracing
2010-01-25 01:24:29 0 d-----w- c:\program files\Microsoft
2010-01-25 01:24:15 0 d-----w- c:\program files\Windows Live SkyDrive
2010-01-25 01:20:11 0 d-----w- c:\program files\common files\Windows Live
2010-01-24 17:49:52 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-24 17:21:10 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-24 17:21:09 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-24 17:21:09 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-01-24 17:18:11 243712 ----a-w- c:\windows\system32\rastls.dll
2010-01-24 17:10:57 0 d-----w- c:\programdata\Real
2010-01-19 16:22:07 0 d-----w- c:\users\family~1\appdata\roaming\WildTangent

==================== Find3M ====================

2010-01-25 06:56:17 637007648 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-25 05:05:51 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-25 05:05:51 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-25 05:05:51 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-25 05:03:04 8505728 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-25 05:01:30 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-25 04:56:21 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2008-04-05 03:57:26 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-21 13:32:19 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-08-18 04:23:57 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-08-18 04:23:57 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-08-18 04:23:57 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-01-05 17:49:34 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 1:59:39.18 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:02 PM

Posted 01 February 2010 - 03:52 AM

Hello and welcome to Bleeping Computer! welcome.gif

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 oh_no

oh_no
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 01 February 2010 - 08:45 PM


DDS (Ver_09-12-01.01) - NTFSx86
Run by Family room 2 at 20:25:20.64 on 01/02/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1918.1203 [GMT -5:00]

AV: Rogers Online Protection Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: Norton Security Online *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Security Online *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Rogers Online Protection Anti-Spyware *disabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
FW: Rogers Online Protection Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
FW: Norton Security Online *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\brss01a.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\hp\kbd\kbd.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Family room 2\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://sharenews.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\rogers online protection\rogers online protection\pkR.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Paltalk Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Paltalk Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Power2GoExpress]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [winntR1] c:\winnt_\winntR1.exe
uRun: [winntR2] c:\winnt_\winntR2.exe
uRun: [winnt2] c:\winnt_\winnt2.exe
uRun: [winnt3] c:\winnt_\winnt3.exe
uRun: [winnt4] c:\winnt_\winnt4.exe
uRun: [winnt5] c:\winnt_\winnt5.exe
uRun: [winnt6] c:\winnt_\winnt6.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [<NO NAME>]
mRun: [SiteAdvisor] "c:\program files\siteadvisor\6261\SiteAdv.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Rogers SHS] c:\program files\rogers\selfhealing\shs.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RogersServicepointAgent.exe] "c:\program files\rogers online protection\rogers servicepoint agent\RogersServicepointAgent.exe" /AUTORUN
mRun: [RtHDVCpl] RtHDVCpl.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll

============= SERVICES / DRIVERS ===============

R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\rogers\selfhealing\RogersSelfHelpService.exe [2009-5-25 144696]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\rogers\update manager\RogersUpdateManager.exe [2008-3-6 169992]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 Radialpoint Security Services;Rogers Online Protection;c:\program files\rogers online protection\rogers online protection\RpsSecurityAwareR.exe [2009-2-27 111312]

=============== Created Last 30 ================

2010-01-27 07:28:18 0 d-----w- c:\program files\Ask.com
2010-01-27 07:22:11 0 d-----w- c:\users\family~1\appdata\roaming\Paltalk
2010-01-27 07:22:09 0 d-----w- c:\windows\PaltalkScene
2010-01-27 07:22:08 0 d-----w- c:\program files\Paltalk Messenger
2010-01-25 07:23:29 281477062 ----a-w- c:\windows\MEMORY.DMP
2010-01-25 05:01:33 0 d-----w- c:\windows\system32\vi-VN
2010-01-25 05:01:33 0 d-----w- c:\windows\system32\eu-ES
2010-01-25 05:01:33 0 d-----w- c:\windows\system32\ca-ES
2010-01-25 01:34:34 0 d-----w- c:\users\family room 2\Tracing
2010-01-25 01:24:29 0 d-----w- c:\program files\Microsoft
2010-01-25 01:24:15 0 d-----w- c:\program files\Windows Live SkyDrive
2010-01-25 01:20:11 0 d-----w- c:\program files\common files\Windows Live
2010-01-24 17:49:52 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-24 17:21:10 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-24 17:21:09 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-24 17:21:09 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-01-24 17:18:11 243712 ----a-w- c:\windows\system32\rastls.dll
2010-01-24 17:10:57 0 d-----w- c:\programdata\Real
2010-01-19 16:22:07 0 d-----w- c:\users\family~1\appdata\roaming\WildTangent

==================== Find3M ====================

2010-02-02 01:24:05 675161120 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-01 22:22:05 9032228 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-25 05:05:51 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-25 05:05:51 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-25 05:05:51 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-25 05:01:30 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-25 04:56:21 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-04-05 03:57:26 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-21 13:32:19 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-08-18 04:23:57 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-08-18 04:23:57 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-08-18 04:23:57 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-01-05 17:49:34 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:26:07.59 ===============

Attached Files



#4 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:02 AM

Posted 02 February 2010 - 12:26 PM

Hello oh_no and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems. Please give me some time to research your Log and I will get back to you ASAP. thumbup2.gif

In the meantime:

1. Please TRACK this Topic
  • At the top-right of this thread, click on the button.
  • In the list that drops down, click on
  • Place a tick-mark next to Immediate E-Mail Notification
  • Then click on
  • You will now receive an e-mail as soon as a Reply is made to this Topic. smile.gif
2. Do Not Make Any Changes to the "Infected" Computer.
  • Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
    • Deleting Files/Folders
    • Installing/Uninstalling Programs
    • Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
3. Please do not seek Help with this issue at another Computer Help Forum
  • While we are working together I must insist that you do not seek help with this matter at any other Help Forum.
  • Having multiple (more than one) Forums provide help for the same computer issue will result in confusion with preparing a Fix.
  • It is also not fair to the Volunteer who is helping you, as her/his time will be wasted trying to fix a computer that someone else is also trying to fix.
  • So, if you have posted at another Computer Help Forum for this same issue I would ask that you choose which Forum that you wish to stay with and inform the other Forum(s) that you no longer require their assistance.
4. Throughout the course of us working together, I will be posting step-by-step procedures for you to follow on your computer.
  • If at any time you do not fully understand what I have said, or you are not exactly sure what you are supposed to do, then please stop there and Post back to this topic and ask your questions. That way I will be able to more clearly explain the step/procedure and we won't have to worry about any steps being done incorrectly. smile.gif

Doc.

#5 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:02 AM

Posted 03 February 2010 - 11:52 AM

Hello oh_no,

Warnings and Advisories
1. Some of the files in your DDS Log were identified as a Password Stealing Trojan: Troj/Banker-EUR2. You have 2 Anti-virus programs installed
  • It is not recommended to have more than one anti-virus product installed and running on your computer at a time. If both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to add/remove in the control panel and remove either Rogers Online Protection Anti-Virus or Norton Security Online.
3. You have 2 3rd-Party Firewall programs installed
  • It is not recommended to have more than one 3rd-Party Firewall program installed and running on your computer. This issue willl be resolved by the removal of one of the Anti-virus programs from above.
4. The Use of the Following Toolbar is Open for Debate
  • Ask.com Toolbar
    • Read HERE for information regarding the practices of Ask.com Toolbar.
    • If you decide that you no longer wish to have this Toolbar installed, you can remove it from Add/Remove programs.
    • Also, please let me know if you decided to get rid of it.



Instructions

1. Your version of Java is out of date.
  • Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the "Download JRE" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
    • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    • When the Java Setup - Welcome window opens, click the Install > button.
    • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


2. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you:
Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled above.

What I need in Your Next Reply:
  • ComboFix.txt


#6 oh_no

oh_no
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 05 February 2010 - 03:48 AM

Thanks.

Norton is not in my Add/Remove list and nothing came up when I did a search.
Also, Ask.com was suggested when I was downloading something a couple weeks ago and I clicked "no", so I'm surprised that it is on my comp. However, I also can't find it in my add/remove list or in search results.

ComboFix 10-02-04.06 - Family room 2 05/02/2010 2:59.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1918.968 [GMT -5:00]
Running from: c:\users\Family room 2\Desktop\ComboFix.exe
AV: Norton Security Online *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Rogers Online Protection Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Norton Security Online *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Rogers Online Protection Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
SP: Norton Security Online *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Rogers Online Protection Anti-Spyware *disabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-182819563-2566682349-255276347-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-919037071-3490261164-277126455-500
c:\programdata\ntuser.dat{31e64d06-c71b-11dc-8f93-001e90089f77}.TMContainer00000000000000000001.regtrans-ms
c:\programdata\ntuser.dat{31e64d16-c71b-11dc-8f93-001e90089f77}.TMContainer00000000000000000001.regtrans-ms

.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-05 07:39 . 2010-02-05 07:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-05 07:23 . 2010-02-05 07:23 -------- d-----w- c:\program files\Sun
2010-02-03 00:45 . 2010-02-03 00:45 -------- d-----w- c:\users\Family room 2\AppData\Local\Apps
2010-01-27 07:28 . 2010-01-27 07:28 -------- d-----w- c:\program files\Ask.com
2010-01-27 07:22 . 2010-01-27 07:28 -------- d-----w- c:\users\Family room 2\AppData\Roaming\Paltalk
2010-01-27 07:22 . 2010-01-27 07:22 -------- d-----w- c:\windows\PaltalkScene
2010-01-27 07:22 . 2010-01-27 07:22 -------- d-----w- c:\program files\Paltalk Messenger
2010-01-26 05:26 . 2010-01-26 05:26 -------- d-----w- c:\program files\Apple Software Update
2010-01-25 05:01 . 2010-01-25 05:01 -------- d-----w- c:\windows\system32\ca-ES
2010-01-25 05:01 . 2010-01-25 05:01 -------- d-----w- c:\windows\system32\eu-ES
2010-01-25 05:01 . 2010-01-25 05:01 -------- d-----w- c:\windows\system32\vi-VN
2010-01-25 01:34 . 2010-01-25 01:34 680 ----a-w- c:\users\Family room 2\AppData\Local\d3d9caps.dat
2010-01-25 01:34 . 2010-02-04 22:35 -------- d-----w- c:\users\Family room 2\Tracing
2010-01-25 01:24 . 2010-01-25 01:24 -------- d-----w- c:\program files\Microsoft
2010-01-25 01:24 . 2010-01-25 01:24 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-25 01:20 . 2010-01-25 01:20 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-25 01:11 . 2010-01-25 01:11 118784 ----a-w- c:\users\Family room 2\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\compat.dll
2010-01-24 17:49 . 2010-01-14 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-24 17:21 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-24 17:21 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-01-24 17:21 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-24 17:18 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2010-01-24 17:10 . 2010-01-24 17:10 439816 ----a-w- c:\users\Family room 2\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-01-19 16:22 . 2010-01-19 16:22 -------- d-----w- c:\users\Family room 2\AppData\Roaming\WildTangent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 08:09 . 2009-08-18 13:39 689676320 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-05 07:55 . 2009-08-18 13:39 9236084 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-05 07:39 . 2007-01-05 18:37 -------- d-----w- c:\program files\Java
2010-02-05 06:47 . 2008-06-28 23:43 -------- d-----w- c:\programdata\Google Updater
2010-02-02 21:38 . 2008-01-21 13:06 -------- d-----w- c:\users\Family room 2\AppData\Roaming\SiteAdvisor
2010-01-27 22:13 . 2008-06-28 23:43 -------- d-----w- c:\program files\Google
2010-01-25 05:04 . 2008-01-27 23:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-25 05:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-25 05:01 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-25 01:23 . 2008-02-05 17:44 -------- d-----w- c:\program files\Windows Live
2010-01-19 16:23 . 2007-01-05 18:42 -------- d-----w- c:\programdata\WildTangent
2010-01-02 06:38 . 2010-01-24 17:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-24 17:19 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-24 17:19 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-24 17:19 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-05 14:49 . 2009-12-05 14:49 764168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2007-01-05 17:49 . 2007-01-05 17:44 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 22:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-09-12 4670704]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"SiteAdvisor"="c:\program files\SiteAdvisor\6261\SiteAdv.exe" [2007-12-04 36640]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2009-05-26 2741560]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-26 185896]
"RogersServicepointAgent.exe"="c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" [2009-02-27 3228912]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-02-22 11:30 217544 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-09 00:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-19 18:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 04:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 15:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]
2007-04-07 10:56 54936 ----a-w- c:\windows\System32\jureg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-09-12 19:04 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:d8,64,11,89,7c,9d,ca,01

R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [25/05/2009 10:05 PM 144696]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [06/03/2008 3:17 PM 169992]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [08/03/2008 2:11 PM 716272]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/01/2010 5:11 PM 135664]
S3 Radialpoint Security Services;Rogers Online Protection;c:\program files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe [27/02/2009 9:52 PM 111312]
.
Contents of the 'Scheduled Tasks' folder

2010-02-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-28 00:02]

2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:11]

2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sharenews.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Power2GoExpress - (no file)
HKCU-Run-winntR1 - c:\winnt_\winntR1.exe
HKCU-Run-winntR2 - c:\winnt_\winntR2.exe
HKCU-Run-winnt2 - c:\winnt_\winnt2.exe
HKCU-Run-winnt3 - c:\winnt_\winnt3.exe
HKCU-Run-winnt4 - c:\winnt_\winnt4.exe
HKCU-Run-winnt5 - c:\winnt_\winnt5.exe
HKCU-Run-winnt6 - c:\winnt_\winnt6.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-YOP - c:\progra~1\Yahoo!\YOP\yop.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 03:09
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-05 03:11:37
ComboFix-quarantined-files.txt 2010-02-05 08:11

Pre-Run: 62,819,913,728 bytes free
Post-Run: 63,279,902,720 bytes free

- - End Of File - - E0B8612D9188F1F007093F2988BC9D6F


#7 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:02 AM

Posted 06 February 2010 - 02:10 PM

Hello oh_no,

I understand from your previous posts that you had your Laptop "cleaned" here at BC, but what was the reason for you posting about your Desktop Computer? Meaning, what kind of issues were you experiencing with your Desktop?

1. Please Download and Save SymNRT.exe to your Desktop
  • Close all programs and double click on SymNRT.exe.
  • Follow the on-screen instructions.
  • Restart the computer if asked.
  • Delete SymNRT.exefrom your desktop.
  • Open the Program Files folder:
    • Start --> My Computer --> Local Disk (C:) --> Program Files
  • Find and delete the following folders (if present):
    • Norton AntiVirus
    • Norton Internet Security
    • Norton SystemWorks
    • Norton Personal Firewall
2. Run this CFScirpt
Warning: This CFScript has been tailored to this User's particular system and should not be run on any other system.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    QUOTE
    Folder::
    c:\program files\Ask.com

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000

  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
3. What I need in your next Reply:
  • Answer to my questions above
  • New CFScript.txt
Doc.

#8 oh_no

oh_no
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 07 February 2010 - 02:36 AM

Thanks Doc,

"This version of Norton Removal Tool is expired" is what it said when I tried to run SymNRT.

The reason I wanted help with this Desktop is because there was always activitiy going on in the background that I was unsure of and I also just wanted to check if anything as dangerous as password stealing Trojans were on it as they were on my laptop. And as you told me, unfortunately, they are.

#9 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:02 AM

Posted 07 February 2010 - 08:56 AM

Hi oh_no,

Sorry About that, Symantec upgraded the Tool for 2010.

Try the following again:

1. Please Download and Save Norton_Removal_Tool.exe to your Desktop
  • Close all programs and double click on Norton_Removal_Tool.exe.
  • Follow the on-screen instructions.
  • Restart the computer if asked.
  • Delete Norton_Removal_Tool.exefrom your desktop.
  • Open the Program Files folder:
    • Start --> My Computer --> Local Disk (C:) --> Program Files
  • Find and delete the following folders (if present):
    • Norton AntiVirus
    • Norton Internet Security
    • Norton SystemWorks
    • Norton Personal Firewall

2. Run this CFScirpt
Warning: This CFScript has been tailored to this User's particular system and should not be run on any other system.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    QUOTE
    Folder::
    c:\program files\Ask.com

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000

  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
3. What I need in your next Reply:
  • New CFScript.txt
Doc.

#10 oh_no

oh_no
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 08 February 2010 - 03:23 AM

Thanks Doc.

The same "expired" message came up again. So, I searched for the current tool and found it here http://service1.symantec.com/SUPPORT/tsgen...&view=docid. I ran it.

Here is the ComboFix Log.
ComboFix 10-02-04.06 - Family room 2 08/02/2010 3:05.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1918.966 [GMT -5:00]
Running from: c:\users\Family room 2\Desktop\ComboFix.exe
Command switches used :: c:\users\Family room 2\Desktop\CFScript.txt
AV: Rogers Online Protection Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Rogers Online Protection Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
SP: Rogers Online Protection Anti-Spyware *disabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Ask.com
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\UpdateTask.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-08 to 2010-02-08 )))))))))))))))))))))))))))))))
.

2010-02-08 08:13 . 2010-02-08 08:14 -------- d-----w- c:\users\Family room 2\AppData\Local\temp
2010-02-08 08:13 . 2010-02-08 08:13 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-08 08:13 . 2010-02-08 08:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-05 07:39 . 2010-02-05 07:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-05 07:23 . 2010-02-05 07:23 -------- d-----w- c:\program files\Sun
2010-02-03 00:45 . 2010-02-03 00:45 -------- d-----w- c:\users\Family room 2\AppData\Local\Apps
2010-01-27 07:22 . 2010-01-27 07:28 -------- d-----w- c:\users\Family room 2\AppData\Roaming\Paltalk
2010-01-27 07:22 . 2010-01-27 07:22 -------- d-----w- c:\windows\PaltalkScene
2010-01-27 07:22 . 2010-01-27 07:22 -------- d-----w- c:\program files\Paltalk Messenger
2010-01-26 05:26 . 2010-01-26 05:26 -------- d-----w- c:\program files\Apple Software Update
2010-01-25 05:01 . 2010-01-25 05:01 -------- d-----w- c:\windows\system32\ca-ES
2010-01-25 05:01 . 2010-01-25 05:01 -------- d-----w- c:\windows\system32\eu-ES
2010-01-25 05:01 . 2010-01-25 05:01 -------- d-----w- c:\windows\system32\vi-VN
2010-01-25 01:34 . 2010-01-25 01:34 680 ----a-w- c:\users\Family room 2\AppData\Local\d3d9caps.dat
2010-01-25 01:34 . 2010-02-07 18:51 -------- d-----w- c:\users\Family room 2\Tracing
2010-01-25 01:24 . 2010-01-25 01:24 -------- d-----w- c:\program files\Microsoft
2010-01-25 01:24 . 2010-01-25 01:24 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-25 01:20 . 2010-01-25 01:20 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-25 01:11 . 2010-01-25 01:11 118784 ----a-w- c:\users\Family room 2\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\compat.dll
2010-01-24 17:49 . 2010-01-14 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-24 17:21 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-24 17:21 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-01-24 17:21 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-24 17:18 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2010-01-24 17:10 . 2010-02-06 01:52 439816 ----a-w- c:\users\Family room 2\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-01-19 16:22 . 2010-01-19 16:22 -------- d-----w- c:\users\Family room 2\AppData\Roaming\WildTangent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 08:13 . 2009-08-18 13:39 704549920 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-08 07:59 . 2009-08-18 13:39 9433244 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-08 07:52 . 2008-01-20 06:02 -------- d-----w- c:\program files\Symantec
2010-02-08 07:50 . 2007-01-05 18:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-07 18:00 . 2008-06-28 23:43 -------- d-----w- c:\programdata\Google Updater
2010-02-05 07:39 . 2007-01-05 18:37 -------- d-----w- c:\program files\Java
2010-02-02 21:38 . 2008-01-21 13:06 -------- d-----w- c:\users\Family room 2\AppData\Roaming\SiteAdvisor
2010-01-27 22:13 . 2008-06-28 23:43 -------- d-----w- c:\program files\Google
2010-01-25 05:04 . 2008-01-27 23:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-25 05:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-25 05:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-25 05:01 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-25 01:23 . 2008-02-05 17:44 -------- d-----w- c:\program files\Windows Live
2010-01-19 16:23 . 2007-01-05 18:42 -------- d-----w- c:\programdata\WildTangent
2010-01-02 06:38 . 2010-01-24 17:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-24 17:19 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-24 17:19 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-24 17:19 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-05 14:49 . 2009-12-05 14:49 764168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2007-01-05 17:49 . 2007-01-05 17:44 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-09-12 4670704]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"SiteAdvisor"="c:\program files\SiteAdvisor\6261\SiteAdv.exe" [2007-12-04 36640]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2009-05-26 2741560]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-26 185896]
"RogersServicepointAgent.exe"="c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" [2009-02-27 3228912]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-02-22 11:30 217544 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-09 00:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-19 18:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 04:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 15:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]
2007-04-07 10:56 54936 ----a-w- c:\windows\System32\jureg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-09-12 19:04 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:d8,64,11,89,7c,9d,ca,01

R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [25/05/2009 10:05 PM 144696]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [06/03/2008 3:17 PM 169992]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [08/03/2008 2:11 PM 716272]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/01/2010 5:11 PM 135664]
S3 Radialpoint Security Services;Rogers Online Protection;c:\program files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe [27/02/2009 9:52 PM 111312]
.
Contents of the 'Scheduled Tasks' folder

2010-02-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-28 00:02]

2010-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:11]

2010-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sharenews.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-08 03:14
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-08 03:16:29
ComboFix-quarantined-files.txt 2010-02-08 08:16
ComboFix2.txt 2010-02-05 08:11

Pre-Run: 59,290,423,296 bytes free
Post-Run: 59,323,420,672 bytes free

- - End Of File - - 6D5137306AC799CDE54B682B1252B5E6


#11 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:02 AM

Posted 08 February 2010 - 02:03 PM

Hello oh_no,

Good Job hunting down that Norton Removal Tool. thumbup2.gif
Don't know what happened with my new link, sorry about that. blush.gif

Log Looks Clean. We'll remove some left-over Symantec entries and then run an On-Line scan to sweep up anything else that may be hiding:

1. Run this Reg.File
  • Open NotePad and "copy and paste" the text in the box below into notepad.
      Start --> Run --> type "notepad.exe" without the quotation marks ---> Click "OK"
    CODE
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-

  • Save the File as DocFix to your desktop.
    • At the top of the window of the notepad that you have open, click on File --> Save As. Another window will pop up.
    • On the new window where it asks for "File Name" type DocFix.reg.
    • Where it asks for "Save As Type" choose All Files with the drop down arrow.
    • At the top of the same window where it says "Save In" use the drop down arrow and click on Desktop.
    • Now Click Save.
  • Now go to your desk top and find the DocFix.reg file you just saved and double-click on it.
    • The file will run automatically.
2. Please go to Kaspersky website and perform an online antivirus scan.
This Scan may take up to a couple of hours, depending on the computer being scanned
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs ArchivesMail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
3. What I need in your next reply:
  • Kaspersky Results
  • Any Problems/Concerns?
Doc.

#12 oh_no

oh_no
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 09 February 2010 - 09:52 PM

Oh Oh, I put in my USB stick and the antivirus popped up saying it found and quarantined "autorun.inf". Before running out this morning, I needed to make sure I had a file on my USB because I needed to print it. I thought the USB was clean because when cleaning my laptop, I was instructed to use Flash Disinfector. I thought the virus was disabled on my USB.

KASPERSKY ONLINE SCANNER 7.0: scan reportKASPERSKY ONLINE SCANNER 7.0:
scan report
Tuesday, February 9, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit
Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, February 09, 2010 07:47:08
Records in database: 3453552


Scan settings
scan using the following databaseextended
Scan archivesyes
Scan e-mail databasesyes

Scan areaMy Computer
C:\
D:\
E:\
F:\
I:\
J:\
K:\
L:\

Scan statistics
Objects scanned169292
Threats found0
Infected objects found0
Suspicious objects found0
Scan duration02:02:39

No threats found. Scanned area is clean.
Selected area has been scanned.


#13 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:02 AM

Posted 11 February 2010 - 07:16 AM

Hi oh_no,

Sorry for the delay, real life got busy.

Did you run the Kapersky Scan before or after the autorun.inf detection by your AV?

#14 oh_no

oh_no
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 12 February 2010 - 12:21 PM

I ran Kapersky after. I used my usb right before I ran out of the house in the morn.
My keyboard was just acting wierd a when I started typing this response. (First time I turned on the computer today) CAPS LOCK was doing the opposite and I couldn`t type Capital letters using shift. Also, the period key would only type `>`.
And in Windows, whenever I click on a file, all the files before it are selected. so, when i double click to open a file, all files before it are opened as well. (this all just started this morn) The same thing was happening on my laptop this past week, so I'm convinced now that I definately transferred another virus onto this desktop computer.

#15 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:02 AM

Posted 12 February 2010 - 12:34 PM

Can you post the Log from your AV from when it found the autorun.inf infection?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users