"HiJack This" log


  • This topic is locked
54 replies to this topic

#1 teckalypso

teckalypso

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:44 PM

Posted 13 May 2010 - 08:44 PM

I've updated and run Spy Sweeper (from Webroot), Norton Symantec Antivirus (installed), and SpyBot. This is in response to a recent series of events on my 7-year-old PC that I haven't seen before:

-- 1. Google Chrome not displaying any pages, and not responding to "Kill" or "Wait" commands. I've now uninstalled Chrome and would like to reinstall it once the problem is solved.
-- 2. Being redirected to unrelated sites from links on Google search results (happens in Chrome, IE and Mozilla).
-- 3. Popups happening from sites from which they've specifically been blocked.

I finally ran HijackThis and created a log, copied below. Here's my 2-part request for help: First, could somebody please tell me what to do about the information in the log, and second, since the TrendMicro window is no longer open, how can I get back to the "Fix Problems" option without re-running the program? Or do I need to re-run it (not such a big deal really, but I don't want to cause any conflicts if I do).

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:40:24 AM, on 5/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
G:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
g:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.israelnationalnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - g:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [vptray] "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe"
O4 - HKLM\..\Run: [SpySweeper] "G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - G:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - g:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Andy\My Documents\My Pictures\Dovid at HMS Nov '07 #2.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Andy\Desktop\Family Photos\Dovid at Newark Liberty home for Pesach 09\Sibling reunion at Newark Liberty, pre-Pesach 5769.JPG
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Andy\Desktop\Family Photos\Family on 11-11-09\On the front porch before taking Dovid to the airport for Shana Bet -- cropped.JPG
O24 - Desktop Component 3: (no name) - C:\Documents and Settings\Andy\My Documents\My Pictures\Dovid at HMS Nov '07.jpg

--
End of file - 5839 bytes


Thanks.
Andy
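The HijackThis log above is a line-oriented format: a header, a "Running processes" list, then one entry per line tagged with a section code (R0/R1 registry start pages, O2 browser helper objects, O3 toolbars, O4 autoruns, O9 IE buttons, O23 services, and so on), usually ending in the file or URL the hook points at. As an added example, not code from the thread or from Trend Micro, here is a small Python parser that turns those lines into records and answers two triage questions a reviewer asks first: which files are registered under more than one hook (in the log above askBar.dll is both an O2 BHO and an O3 toolbar), and which O23 services have no matching image in the running-process list. The sample input is an excerpt of the log posted above; the function and field names are my own.

```python
"""Parse a HijackThis v2 log into structured records for triage.
Added example, not code from the thread or from Trend Micro. Section codes,
CLSID and path conventions follow the log format shown in the post above.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")      # e.g. "O2 - BHO: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')   # O4 autoruns quote the image path
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
URL_RE = re.compile(r"^(?:https?|res)://", re.IGNORECASE)

@dataclass
class Entry:
    section: str            # R0, O2, O23, ...
    detail: str             # everything after "Oxx - "
    clsid: Optional[str]    # first {GUID} on the line, if any
    target: Optional[str]   # file path or URL the entry points at, if any

@dataclass
class HjtReport:
    version: str = ""
    platform: str = ""
    processes: List[str] = field(default_factory=list)
    entries: List[Entry] = field(default_factory=list)

def _extract_target(detail: str) -> Optional[str]:
    """Prefer a quoted path; otherwise scan the ' - ' fields from the right for a path or URL."""
    quoted = QUOTED_PATH_RE.search(detail)
    if quoted:
        return quoted.group(1)
    for chunk in reversed(detail.split(" - ")):
        candidate = chunk.split(" = ", 1)[-1].strip()   # handles "Start Page = http://..."
        if DRIVE_PATH_RE.match(candidate) or URL_RE.match(candidate):
            return candidate
    return None

def parse_hjt(text: str) -> HjtReport:
    report = HjtReport()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False            # a blank line ends the process list
            continue
        if line.startswith("Logfile of "):
            report.version = line[len("Logfile of "):]
        elif line.startswith("Platform: "):
            report.platform = line[len("Platform: "):]
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            report.processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                section, detail = m.groups()
                clsid = CLSID_RE.search(detail)
                report.entries.append(
                    Entry(section, detail, clsid.group(0) if clsid else None, _extract_target(detail)))
    return report

def section_counts(report: HjtReport) -> Counter:
    return Counter(e.section for e in report.entries)

def shared_targets(report: HjtReport) -> Dict[str, List[str]]:
    """Targets referenced by more than one entry (lower-cased target -> sorted section codes)."""
    by_target: Dict[str, List[str]] = defaultdict(list)
    for e in report.entries:
        if e.target:
            by_target[e.target.lower()].append(e.section)
    return {t: sorted(s) for t, s in by_target.items() if len(s) > 1}

def services_not_running(report: HjtReport) -> List[str]:
    """O23 service images whose file name does not appear in the running-process list."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in report.processes}
    return [e.target for e in report.entries
            if e.section == "O23" and e.target and e.target.rsplit("\\", 1)[-1].lower() not in running]

# Sample input: an excerpt of the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.israelnationalnews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SpySweeper] "G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    rep = parse_hjt(SAMPLE_LOG)
    print(rep.version, "|", rep.platform, "|", dict(section_counts(rep)))
    print("shared targets:", shared_targets(rep))
    print("O23 services not running:", services_not_running(rep))
```

Run it against the full log by pasting the whole post into `SAMPLE_LOG`. The parser makes no judgement about which entries are unwanted; it only correlates them, which is the step a helper does before deciding what to fix.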


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:44 PM

Posted 13 May 2010 - 09:24 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Note: Do not run any programs while Gmer is running.


Information and logs:
    In your next post I need the following
      1. Logs from DDS
      2. Log from GMER
      3. Let me know of any problems you may have had

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 teckalypso

teckalypso
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:44 PM

Posted 14 May 2010 - 05:53 AM

Thanks, Gringo, for the speedy reply.

Here are the logs you requested:

Before you review them, could you please just let me know first if it's okay to log off so another person can use the computer, or do I have to keep everyone from using it until this is fixed? What about shutting down completely?


DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Andy at 23:27:11.21 on Thu 05/13/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.496.104 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
G:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
g:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Andy\Desktop\BleepCom Downloads\Defogger.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Andy\Desktop\BleepCom Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://www.google.com/accounts/ServiceLogi...nue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - g:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vptray] "c:\progra~1\symant~1\symant~1\vptray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: E&xport to Microsoft Excel - g:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andy\applic~1\mozilla\firefox\profiles\begaz7c6.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\andy\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\andy\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: g:\program files\adobe\acrobat 5.0\reader\browser\nppdf32.dll
FF - plugin: g:\program files\divx\divx web player\npdivx32.dll
FF - plugin: g:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: g:\realplayer\netscape6\nppl3260.dll
FF - plugin: g:\realplayer\netscape6\nprjplug.dll
FF - plugin: g:\realplayer\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
g:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;g:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240]
S3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100513.002\NAVENG.sys [2010-5-13 85552]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100513.002\NAVEX15.sys [2010-5-13 1347504]
S4 WRConsumerService;Webroot Client Service;g:\program files\webroot\spy sweeper\WRConsumerService.exe [2010-3-23 1201640]

=============== Created Last 30 ================

2010-05-14 03:23:34 0 ----a-w- c:\documents and settings\andy\defogger_reenable
2010-05-13 03:39:16 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-13 03:34:26 171 ----a-w- c:\windows\system32\MRT.INI
2010-05-11 01:38:14 24576 ----a-w- c:\documents and settings\andy\Andy Letterhead -- tutor.doc

==================== Find3M ====================

2010-04-15 12:49:41 1956 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 23:29:42.59 ===============


Attach.txt



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/1/2009 1:03:38 AM
System Uptime: 5/13/2010 8:51:32 PM (3 hours ago)

Motherboard: ASUSTeK Computer INC. | | TUSI-M
Processor: Intel® Celeron™ CPU 1000MHz | PGA 370 | 1002/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 25 GiB total, 5.872 GiB free.
D: is CDROM ()
F: is FIXED (NTFS) - 0 GiB total, 0.184 GiB free.
G: is FIXED (NTFS) - 3 GiB total, 0.304 GiB free.
H: is FIXED (NTFS) - 1 GiB total, 0.486 GiB free.
I: is FIXED (NTFS) - 0 GiB total, 0.364 GiB free.
J: is FIXED (NTFS) - 7 GiB total, 1.929 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP358: 4/16/2010 3:59:30 PM - System Checkpoint
RP359: 4/18/2010 11:19:13 AM - System Checkpoint
RP360: 4/19/2010 11:25:40 AM - System Checkpoint
RP361: 4/20/2010 5:11:11 PM - System Checkpoint
RP362: 4/21/2010 6:12:46 PM - System Checkpoint
RP363: 4/22/2010 7:18:06 PM - System Checkpoint
RP364: 4/25/2010 11:46:11 AM - System Checkpoint
RP365: 4/26/2010 9:00:03 PM - System Checkpoint
RP366: 4/27/2010 9:20:07 PM - System Checkpoint
RP367: 4/28/2010 11:42:34 PM - System Checkpoint
RP368: 4/30/2010 4:02:23 PM - System Checkpoint
RP369: 5/2/2010 9:57:41 AM - System Checkpoint
RP370: 5/3/2010 3:11:48 PM - System Checkpoint
RP371: 5/4/2010 8:43:37 PM - System Checkpoint
RP372: 5/5/2010 9:37:09 PM - System Checkpoint
RP373: 5/6/2010 9:54:52 PM - System Checkpoint
RP374: 5/7/2010 10:00:29 PM - System Checkpoint
RP375: 5/8/2010 10:01:25 PM - System Checkpoint
RP376: 5/9/2010 10:29:24 PM - System Checkpoint
RP377: 5/11/2010 9:58:49 AM - System Checkpoint
RP378: 5/12/2010 3:22:13 PM - System Checkpoint
RP379: 5/12/2010 11:26:35 PM - Software Distribution Service 3.0
RP380: 5/13/2010 11:18:17 AM - Installed HiJackThis

==== Installed Programs ======================

Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe PageMaker 7.0
Apple Application Support
Apple Software Update
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Carbonite
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Diskeeper Professional Edition
DivX Web Player
DriverAgent by eSupport.com
Foxit Creator
Foxit PDF Editor
Foxit Reader
Foxit Toolbar
FreeMind
Gimp 2.6.2 Debug
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
hp instant support
hp officejet 6100 series
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp officejet 6100 series
Java™ 6 Update 15
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Move Media Player
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
PCI Audio Driver
QuickTime
RealPlayer
RealUpgrade 1.0
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Spy Sweeper
Spy Sweeper Core
Symantec AntiVirus Client
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
WebFldrs XP
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

5/7/2010 7:43:43 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
5/13/2010 6:48:39 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/13/2010 6:48:39 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
5/10/2010 10:11:32 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}

==== End Of File ===========================




gmer.txt

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-14 06:24:39
Windows 5.1.2600 Service Pack 3
Running: e40y92yb.exe; Driver: C:\DOCUME~1\Andy\LOCALS~1\Temp\pxloqpoc.sys


---- System - GMER 1.0.15 ----

SSDT 857DD918 ZwAllocateVirtualMemory
SSDT 857AF1A8 ZwCreateKey
SSDT 857DDE40 ZwCreateProcess
SSDT 857DDDC8 ZwCreateProcessEx
SSDT 857DDBE8 ZwCreateThread
SSDT 857DE158 ZwDeleteKey
SSDT 857DDEB8 ZwDeleteValueKey
SSDT 857DD990 ZwQueueApcThread
SSDT 857DD828 ZwReadVirtualMemory
SSDT 857DD020 ZwRenameKey
SSDT 857DDA80 ZwSetContextThread
SSDT 857DDFA8 ZwSetInformationKey
SSDT 857DDCD8 ZwSetInformationProcess
SSDT 857DDAF8 ZwSetInformationThread
SSDT 857DDF30 ZwSetValueKey
SSDT 857DDC60 ZwSuspendProcess
SSDT 857DDA08 ZwSuspendThread
SSDT 857DDD50 ZwTerminateProcess
SSDT 857DDB70 ZwTerminateThread
SSDT 857DD8A0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 120 804E278C 4 Bytes CALL BDD3A56C
.rsrc C:\WINDOWS\system32\drivers\pci.sys entry point in ".rsrc" section [0xF7546994]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[996] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00CD000A
.text C:\WINDOWS\System32\svchost.exe[996] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00CC000A
.text C:\WINDOWS\Explorer.EXE[2912] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[2912] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[2912] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E352046 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FC7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E35200B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F53 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F8D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] USER32.dll!DialogBoxIndirectParamA 7E456D7D 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352081 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E352243 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \Driver\Tcpip \Device\Ip 854F1D50
Device \Driver\Tcpip \Device\Ip 8551B3D0
Device \Driver\Tcpip \Device\Ip 85344D98
Device \Driver\Tcpip \Device\Ip 857790F8
Device \Driver\Tcpip \Device\Ip 85653F18
Device \Driver\Tcpip \Device\Tcp 854F1D50
Device \Driver\Tcpip \Device\Tcp 8551B3D0
Device \Driver\Tcpip \Device\Tcp 85344D98
Device \Driver\Tcpip \Device\Tcp 857790F8
Device \Driver\Tcpip \Device\Tcp 85653F18
Device \Driver\Tcpip \Device\Udp 854F1D50
Device \Driver\Tcpip \Device\Udp 8551B3D0
Device \Driver\Tcpip \Device\Udp 85344D98
Device \Driver\Tcpip \Device\Udp 857790F8
Device \Driver\Tcpip \Device\Udp 85653F18
Device \Driver\Tcpip \Device\RawIp 854F1D50
Device \Driver\Tcpip \Device\RawIp 8551B3D0
Device \Driver\Tcpip \Device\RawIp 85344D98
Device \Driver\Tcpip \Device\RawIp 857790F8
Device \Driver\Tcpip \Device\RawIp 85653F18
Device \Driver\Tcpip \Device\IPMULTICAST 854F1D50
Device \Driver\Tcpip \Device\IPMULTICAST 8551B3D0
Device \Driver\Tcpip \Device\IPMULTICAST 85344D98
Device \Driver\Tcpip \Device\IPMULTICAST 857790F8
Device \Driver\Tcpip \Device\IPMULTICAST 85653F18
Device -> \Driver\atapi \Device\Harddisk0\DR0 8570FEE4

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25336920-03F9-11CF-8FD0-00AA00686F13}\iexplore@Count 5135

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pci.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


There were no problems running any of these.

However, since GMER was taking so long, I went to sleep while it finished its work. On coming back to the computer at 6:25 a.m. this morning, I discovered that Norton's antivirus program was notifying me that it had detected and quarantined a new threat. In addition, looking at the Virus History, I see that there is a Trojan that it could not act on, left alone. Here is that portion of the log that deals with those 2 items (it's saved in comma-delimited format):

Date,Filename,Virus Name,Virus Type,Action Taken,Computer,User,Original Location,Status,Current Location,Primary Action,Secondary Action,Scan Type
5/14/2010 4:08:07 AM,Applet5[1].htm,Bloodhound.Exploit.292,File,Quarantined,LW45UPSTAIRS,SYSTEM,C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YXFGFEEO\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Realtime scan
5/13/2010 11:04:43 AM,flashH264decoder[1].swf,Trojan.FakeAV,File,Left alone,LW45UPSTAIRS,Andy,I:\Temporary Internet Files\Content.IE5\IIYAJCT6\,Infected,I:\Temporary Internet Files\Content.IE5\IIYAJCT6\,Clean virus from file,Quarantine infected file,Realtime scan


Also, I have a question about what I discovered when SpySweeper finished its scan yesterday morning. One of the tabs I clicked on showed something about IP addresses that had been changed, which may be related to the problems we were having with being redirected to unrelated sites. I didn't directly save that information, but perhaps it's saved in the program's Scan History, if it has one. Is that relevant to this fix you're helping me with, and do you need me to send a log of that to you as well?

Thanks for your patience with this.

Andy.
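The GMER output in the post above is easier to read structurally than line by line: a hook whose target GMER can tie to a named module (the USER32 patches that land in IEFRAME.dll) is ordinary, while an SSDT entry or inline JMP with nothing but a raw address after it means GMER found code it could not attribute to any loaded module. As an added example (not part of the post and not GMER's own logic), the Python script below parses a short excerpt copied from that log and sorts each finding into attributed, unattributed or partial. The excerpt is taken from the log above; the classification rules (a bare JMP/CALL target with no module name is "unattributed", a driver whose entry point is reported outside .text is flagged, a one-byte patch is a "partial" fragment of a longer hook) are the author's heuristics, not verdicts GMER itself gives.

```python
"""Triage a GMER rootkit-scan log: separate hooks GMER attributes to a named
module from hooks it cannot attribute, and collect the file-level indicators.
Added example; the heuristics are the author's assumptions, not GMER's."""
import re
from collections import Counter

# Sample excerpted from the GMER log posted in this thread (not the full log).
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT 857DD918 ZwAllocateVirtualMemory
SSDT 857AF1A8 ZwCreateKey
SSDT 857DDD50 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 120 804E278C 4 Bytes CALL BDD3A56C
.rsrc C:\WINDOWS\system32\drivers\pci.sys entry point in ".rsrc" section [0xF7546994]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\Explorer.EXE[2912] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3668] USER32.dll!DialogBoxIndirectParamA 7E456D7D 1 Byte [E9]

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pci.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# "SSDT <addr> <Zw*>" with no driver path after it: GMER could not attribute the hook.
SSDT_RE = re.compile(r"^SSDT\s+(?P<target>[0-9A-F]{8})\s+(?P<func>Zw\w+)\s*$")
# Inline hook in kernel or user code; the "path[pid]" prefix only appears in user mode.
INLINE_RE = re.compile(
    r"^\.\w+\s+(?:(?P<process>.+?\[\d+\])\s+)?(?P<module>\S+)!(?P<func>\S+)"
    r"(?:\s+\+\s+\w+)?\s+(?P<addr>[0-9A-F]{8})\s+\d+\s+Bytes?\s+(?P<patch>.+?)\s*$"
)
# "JMP/CALL <addr> <module path> (<description>)" means GMER resolved the target.
ATTRIB_RE = re.compile(r"^(?P<op>JMP|CALL)\s+(?P<target>[0-9A-F]{8})\s+(?P<owner>\S.*\))$")
BARE_RE = re.compile(r"^(?P<op>JMP|CALL)\s+(?P<target>[0-9A-F]{8})$")
ENTRY_RE = re.compile(r'^\.\w+\s+(?P<path>.+?) entry point in "(?P<section>[^"]+)" section')
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")


def parse_gmer(text):
    """Return one finding dict per interesting line, each with a 'verdict' field."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        m = SSDT_RE.match(line)
        if m:
            findings.append({"kind": "ssdt", "func": m["func"], "target": m["target"],
                             "verdict": "unattributed"})
            continue
        m = ENTRY_RE.match(line)
        if m:
            # A driver whose entry point lives outside .text has been patched on disk.
            verdict = "unattributed" if m["section"].lower() != ".text" else "benign"
            findings.append({"kind": "entrypoint", "path": m["path"],
                             "section": m["section"], "verdict": verdict})
            continue
        m = INLINE_RE.match(line)
        if m:
            patch = m["patch"]
            if ATTRIB_RE.match(patch):
                verdict = "attributed"
            elif BARE_RE.match(patch):
                verdict = "unattributed"
            else:
                verdict = "partial"  # e.g. "[E9]" or "[84]": one byte of a longer hook
            findings.append({"kind": "inline", "process": m["process"] or "kernel",
                             "module": m["module"], "func": m["func"],
                             "patch": patch, "verdict": verdict})
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append({"kind": "file", "path": m["path"], "verdict": "unattributed"})
    return findings


def summarize(findings):
    """Count verdicts and list the user-mode processes carrying unattributed hooks."""
    counts = Counter(f["verdict"] for f in findings)
    hooked = sorted({f["process"] for f in findings
                     if f["kind"] == "inline" and f["verdict"] == "unattributed"
                     and f["process"] != "kernel"})
    return {"counts": dict(counts), "hooked_processes": hooked}


if __name__ == "__main__":
    found = parse_gmer(GMER_SAMPLE)
    for f in found:
        print(f"{f['verdict']:12} {f['kind']:10} {f.get('func') or f.get('path')}")
    print(summarize(found))
```

Run as-is it prints one line per finding and a summary. On this excerpt every SSDT entry, the ntoskrnl CALL, the .rsrc entry point of pci.sys and both "suspicious modification" lines come out unattributed, and svchost.exe and Explorer.EXE are listed as carrying unattributed hooks on NtProtectVirtualMemory and NtWriteVirtualMemory; the IEFRAME.dll patches in iexplore.exe are the only attributed ones. That split matches what ComboFix later in this thread reports when it finds and replaces an infected copy of pci.sys.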

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:44 PM

Posted 14 May 2010 - 12:43 PM

Hello teckalypso

QUOTE
Before you review them, could you please just let me know first if it's okay to log off so another person can use the computer, or do I have to keep everyone from using it until this is fixed? What about shutting down completely?
It is ok for other people to use the computer, just try not to install anything until we are done (it makes it harder to read the logs), and it is ok to shut down the computer.

QUOTE
Also, I have a question about what I discovered when SpySweeper finished its scan yesterday morning. One of the tabs I clicked on showed something about IP addresses that had been changed, which may be related to the problems we were having with being redirected to unrelated sites. I didn't directly save that information, but perhaps it's saved in the program's Scan History, if it has one. Is that relevant to this fix you're helping me with, and do you need me to send a log of that to you as well?
I have seen the information I need to see in the logs that you gave me but I will keep this in mind if needed later, thanks

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 teckalypso


Posted 16 May 2010 - 12:55 PM

Gringo, before I shut down on Friday there were at least 3 new spywares that had started running after I had run the programs you recommended and had sent you the logs. I have not restarted the computer since then, and am replying from a different computer. I have disconnected the original one from the Internet in the meantime. I am worried that if I restart that computer now, those programs will start running immediately and damage it even further. Is there anything you can recommend I do before I restart it and run the Combofix?

Andy

#6 teckalypso


Posted 16 May 2010 - 12:57 PM

P.S. I see from the topics list in this forum that hundreds of other people are reporting the "redirect" problem. What's going on?


#7 gringo_pr


Posted 16 May 2010 - 02:35 PM

Greetings

QUOTE
Is there anything you can recommend I do before I restart it and run the Combofix?
I need you to shut down any security program you have running (so it will not interfere) and run combofix for me


Gringo

#8 teckalypso


Posted 16 May 2010 - 03:36 PM

Should I start up in Safe mode, or Normal?

#9 gringo_pr


Posted 16 May 2010 - 03:51 PM

normal


Gringo

#10 teckalypso


Posted 16 May 2010 - 04:03 PM

Thanks. I'm going to do this now. I'll get back to you soon.

#11 gringo_pr


Posted 16 May 2010 - 05:31 PM

I'll be waiting

#12 teckalypso


Posted 16 May 2010 - 06:34 PM

Here's the Combofix log, and what happened before it was generated:

First I downloaded it as instructed, no problem. Then I un-enabled the Symantec Realtime Virus Scan. Ignoring the spoofing version of the Windows Security Center window (obvious from its typos and sentence structure errors), I opened the real one from Control Panel, in order to turn off the Firewall. However, there was a message at the top of the window that the Service wasn't running at all, and would have to be manually turned on.

From the MMC window, I went into the Security Center Properties, and discovered that there was no "Start" option available. I tried to change the Startup Type on the General tab from "Disabled" (gee, I wonder how that got there?) to either Manual or Automatic. However, each time I clicked on Apply, the property reverted to Disabled. So then I went to the Recovery Tab and changed the First, Second and Subsequent Failure options from "Take no Action" (gee, I wonder how they got set to that?) to "Restart the Service". After clicking "Apply" at that point, I was now able to successfully reset the Startup Type to Automatic. Now the link for "Start" appeared, and seemed to be active. However, it failed to work. I figured I might as well leave it alone at that point, since I didn't want the Firewall to be on anyway.

I started to run Combofix, but after it went through the download, install and create process for a Recovery Console and Restore Point (which I hope it did successfully), the computer shut down and restarted right after the first notification appeared in the Command window about "scanning for infected files".

After I re-logged in, Combofix began immediately running again, before any icons appeared on the screen or services appeared in the System Tray. Therefore, I can only assume that Symantec re-enabled its Realtime Scan as usual, because although Combofix ran successfully, I had to close several Symantec windows that popped up warning of virus or other malware detections.



Anyway, here's the Combofix log, that I've renamed to include today's date. I hope it has what you need: (at least I know that the three porn sites are no longer shortcutted to my desktop...)

ComboFix 10-05-16.01 - Andy 05/16/2010 18:25:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.496.74 [GMT -4:00]
Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\Andy\Application Data\Microsoft\Internet Explorer\Quick Launch\Data Protection.lnk
c:\documents and settings\Andy\Desktop\Data Protection Support.lnk
c:\documents and settings\Andy\Desktop\Data Protection.lnk
c:\documents and settings\Andy\Desktop\nudetube.com.lnk
c:\documents and settings\Andy\Desktop\pornotube.com.lnk
c:\documents and settings\Andy\Desktop\spam001.exe
c:\documents and settings\Andy\Desktop\spam003.exe
c:\documents and settings\Andy\Desktop\troj000.exe
c:\documents and settings\Andy\Desktop\youporn.com.lnk
c:\documents and settings\Andy\Start Menu\Programs\Data Protection
c:\documents and settings\Andy\Start Menu\Programs\Data Protection\About.lnk
c:\documents and settings\Andy\Start Menu\Programs\Data Protection\Activate.lnk
c:\documents and settings\Andy\Start Menu\Programs\Data Protection\Buy.lnk
c:\documents and settings\Andy\Start Menu\Programs\Data Protection\Data Protection Support.lnk
c:\documents and settings\Andy\Start Menu\Programs\Data Protection\Data Protection.lnk
c:\documents and settings\Andy\Start Menu\Programs\Data Protection\Scan.lnk
c:\documents and settings\Andy\Start Menu\Programs\Data Protection\Settings.lnk
c:\documents and settings\Andy\Start Menu\Programs\Data Protection\Update.lnk
c:\documents and settings\YTO\The Man Who Questions Chemotherapy .doc
c:\program files\Data Protection
c:\program files\Data Protection\about.ico
c:\program files\Data Protection\activate.ico
c:\program files\Data Protection\buy.ico
c:\program files\Data Protection\dat.db
c:\program files\Data Protection\datext.dll
c:\program files\Data Protection\dathook.dll
c:\program files\Data Protection\help.ico
c:\program files\Data Protection\scan.ico
c:\program files\Data Protection\settings.ico
c:\program files\Data Protection\splash.mp3
c:\program files\Data Protection\Uninstall.exe
c:\program files\Data Protection\update.ico
c:\program files\Data Protection\virus.mp3
c:\windows\bk23567.dat
c:\windows\PRAGMAqqpxxoyqom
c:\windows\PRAGMAqqpxxoyqom\pragmabbr.dll
c:\windows\PRAGMAqqpxxoyqom\PRAGMAc.dll
c:\windows\PRAGMAqqpxxoyqom\PRAGMAcfg.ini
c:\windows\PRAGMAqqpxxoyqom\pragmaserf.dll
c:\windows\PRAGMAqqpxxoyqom\PRAGMAsrcr.dat

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PRAGMAqqpxxoyqom
-------\Legacy_PRAGMAqqpxxoyqom


((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-13 18:01 . 2010-05-13 18:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-05-13 05:36 . 2010-05-13 05:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
2010-05-13 03:39 . 2010-05-13 04:58 -------- d-----w- c:\windows\system32\MpEngineStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 18:02 . 2009-11-05 22:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-13 15:18 . 2010-05-13 15:18 388096 ----a-r- c:\documents and settings\Andy\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-13 12:20 . 2009-08-03 05:18 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-05-13 04:26 . 2010-03-23 16:40 164 ----a-w- c:\windows\install.dat
2010-05-12 23:39 . 2009-01-04 01:51 -------- d-----w- c:\documents and settings\Tova\Application Data\ZoomBrowser EX
2010-04-15 22:37 . 2010-02-11 06:11 2068 ----a-w- c:\documents and settings\Tova\Local Settings\Application Data\d3d9caps.tmp
2010-04-15 22:34 . 2010-04-15 22:34 -------- d-----w- c:\documents and settings\Tova\Application Data\Webroot
2010-04-15 12:49 . 2009-01-01 06:14 1956 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-14 21:13 . 2009-01-01 20:31 94560 ----a-w- c:\documents and settings\Tova\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-12 16:34 . 2010-04-12 16:31 -------- d-----w- c:\program files\QuickTime
2010-04-12 16:30 . 2010-04-12 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-12 00:03 . 2010-01-10 15:10 -------- d-----w- c:\program files\FreeMind
2010-03-24 16:38 . 2010-03-24 16:38 -------- d-----w- c:\program files\MSXML 4.0
2010-03-24 03:37 . 2010-03-24 00:30 -------- d-----w- c:\program files\InstallShield Installation Information
2010-03-23 16:46 . 2010-03-23 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-03-23 16:41 . 2010-03-23 16:41 -------- d-----w- c:\program files\MSSOAP
2010-03-23 15:26 . 2010-03-23 15:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\Webroot
2010-03-23 15:26 . 2010-03-23 15:26 -------- d-----w- c:\documents and settings\Andy\Application Data\Webroot
2010-03-17 15:10 . 2010-03-17 15:05 2068 ----a-w- c:\documents and settings\Dovid\Local Settings\Application Data\d3d9caps.tmp
2010-03-17 15:10 . 2009-01-02 04:17 94560 ----a-w- c:\documents and settings\Dovid\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-16 17:23 . 2010-03-16 17:23 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-16 17:23 . 2010-03-16 17:23 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-16 17:23 . 2010-03-16 17:23 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-16 17:23 . 2010-03-16 17:23 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-16 17:23 . 2010-03-16 17:23 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-16 17:23 . 2010-03-16 17:23 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-16 17:23 . 2010-03-16 17:23 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-16 17:23 . 2010-03-16 17:23 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-15 15:31 . 2009-01-01 07:09 94560 ----a-w- c:\documents and settings\Andy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2002-08-29 03:41 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-01-01 07:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2001-08-23 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2002-08-29 03:41 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2002-08-29 01:59 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2002-08-29 02:03 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 16:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Andy\My Documents\My Pictures\Dovid at HMS Nov '07 #2.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\documents and settings\Andy\Desktop\Family Photos\Dovid at Newark Liberty home for Pesach 09\Sibling reunion at Newark Liberty, pre-Pesach 5769.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= c:\documents and settings\Andy\Desktop\Family Photos\Family on 11-11-09\On the front porch before taking Dovid to the airport for Shana Bet -- cropped.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= c:\documents and settings\Andy\My Documents\My Pictures\Dovid at HMS Nov '07.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2001-12-07 20:24 1216512 ----a-r- c:\windows\Mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
2009-12-03 21:52 670864 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2005-11-22 22:38 221184 ----a-w- g:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2008-06-10 19:56 1406024 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2009-11-06 19:19 6515784 ----a-w- g:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-16 17:20 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"WRConsumerService"=2 (0x2)
"Pctspk"=2 (0x2)
"CarboniteService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
S4 WRConsumerService;Webroot Client Service;g:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [3/23/2010 12:43 PM 1201640]
.
Contents of the 'Scheduled Tasks' folder

2010-05-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-28 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p officejet 6100 series272A572217594EBCF1CEE215E352B92AD073FDE4258579663.job
- g:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-854245398-1198407331-1006Core.job
- c:\documents and settings\Tova\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-14 02:28]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-854245398-1198407331-1006UA.job
- c:\documents and settings\Tova\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-14 02:28]

2010-05-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-854245398-1198407331-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-854245398-1198407331-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-854245398-1198407331-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-854245398-1198407331-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-854245398-1198407331-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-854245398-1198407331-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-854245398-1198407331-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-854245398-1198407331-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-16 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-01-03 16:21]

2010-03-23 c:\windows\Tasks\wrSpySweeper_L7EE2798E422D47E0B337D71CECEE583D.job
- g:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2010-03-23 19:19]

2010-03-23 c:\windows\Tasks\wrSpySweeper_L7EE2798E422D47E0B337D71CECEE583D.job
- g:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2010-03-23 19:19]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogi...che=2&hl=en
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\begaz7c6.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Andy\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: g:\program files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF - plugin: g:\program files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: g:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: g:\realplayer\Netscape6\nppl3260.dll
FF - plugin: g:\realplayer\Netscape6\nprjplug.dll
FF - plugin: g:\realplayer\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
g:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Data Protection - c:\program files\Data Protection\datprot.exe
MSConfigStartUp-Google Update - c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
AddRemove-Data Protection - c:\program files\Data Protection\Pklkvqdii+`}`



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 18:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-16 18:49:26
ComboFix-quarantined-files.txt 2010-05-16 22:49

Pre-Run: 6,373,081,088 bytes free
Post-Run: 6,614,818,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 48C2BC27B14E62944DECB0335DBE566A


#13 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:44 PM

Posted 16 May 2010 - 06:49 PM

Hello


Please download PragmaFix and double-click to run it. After it has run, a log will open up when done.

Post me the log please.

Note - when you run PragmaFix you need an active internet connection!

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#14 teckalypso (Topic Starter)

  • Members
  • 30 posts
  • Gender:Male
  • Location:USA
  • Local time:10:44 PM

Posted 16 May 2010 - 06:57 PM

Thanks for all your help, Gringo. Could you please explain to me, just a little, what all these logs are showing and why you need me to run all these different ones?

Also, is it okay if I restart the computer before downloading Pragmafix, since I see that the Symantec software has disappeared completely from the system tray? Do I need to disable it and the Firewall again?

#15 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:44 PM

Posted 16 May 2010 - 07:20 PM

Hello

"Could you please explain to me, just a little, what all these logs are showing and why you need me to run all these different ones?"

I can't explain too much because that will let the bad guys know what we know, but there are things in your log that are very hard to remove and need some extra help.

"Also, is it okay if I restart the computer before downloading Pragmafix, since I see that the Symantec software has disappeared completely from the system tray? Do I need to disable it and the Firewall again?"

Yes, it is OK to restart the computer, and it is OK to leave it on during this scan, as it is only a scan and not a fix. It will show me if there is still this one type of infection.

Gringo

