
Whitesmoke and Antivirus Action problem


This topic is locked
22 replies to this topic

#1 mikemb

  • Members
  • 12 posts

Posted 17 December 2010 - 04:39 PM

My PC has been hit by the Antivirus Action virus and then Whitesmoke. It has disabled my Norton and I am not convinced that Malwarebytes is working against it. How can I be sure it is clean before I reinstall my antivirus software?

Edit: Moved topic from XP to the more appropriate forum, at the request of Malware Response Team member. ~ Animal


#2 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 December 2010 - 05:41 PM

Hello mikemb,

There is likely a lot more wrong than what you think, so I'd like for you to run the scans here: http://www.bleepingcomputer.com/forums/topic34773.html

Then we'll see where to go. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 mikemb

  • Topic Starter
  • Members
  • 12 posts

Posted 17 December 2010 - 06:35 PM

Here is my report. GMER has trouble running, so I don't know if it finished.

Thanks for the help



DDS (Ver_10-12-12.02) - NTFSx86
Run by HP_Owner at 16:57:05.15 on Fri 12/17/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.573 [GMT -5:00]

AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uSearchAssistant =
uCustomizeSearch =
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.0.0.127\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
uRun: [Msuwiyu] rundll32.exe "c:\windows\xmsclbd.dll",Startup
uRun: [MKesN] c:\windows\svchost .exe
uRun: [MKesJc] c:\windows\svchost .exe
uRun: [MKesJK] c:\windows\svchost .exe
uRun: [MKesJ0] c:\windows\svchost .exe
uRun: [MKesJj] c:\windows\svchost .exe
uRun: [MKesJgc] c:\windows\svchost .exe
uRun: [MKesJgK] c:\windows\svchost .exe
uRun: [oscquhvh] c:\docume~1\hp_owner\locals~1\temp\pelseftjs\cjtmpxwaffm.exe
uRun: [foqrubxd] c:\docume~1\hp_owner\locals~1\temp\niunghanb\clvgclgaffm.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Windows Monitor] c:\documents and settings\all users\application data\avsqomjh.exe
dRun: [MKcuggj] c:\windows\lsass .exe
dRun: [Windows Live Guards] c:\windows\temp\Plugin03.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Search
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
LSP: c:\windows\system32\lsp20.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.totsites.com/admin2/includes/imageuploader5_5_6/ImageUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139582973015
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139582962265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BBF89515-EDB6-4236-8FBB-B6045290076D} - hxxp://www.totsites.com/admin/includes/imageuploader/ImageUploader4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0400000.07f\SymDS.sys [2010-12-14 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0400000.07f\SymEFA.sys [2010-12-14 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20091205.001\BHDrvx86.sys [2010-12-14 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0400000.07f\cchpx86.sys [2010-12-14 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0400000.07f\Ironx86.sys [2010-12-14 116272]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.0.0.127\ccSvcHst.exe [2010-12-14 126392]
S0 cbjtmjsu;cbjtmjsu; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-16 136176]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20091105.001\IDSxpx86.sys [2010-12-14 329592]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [2005-2-5 83552]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100302.004\naveng.sys [2010-12-14 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100302.004\navex15.sys [2010-12-14 1324720]

=============== Created Last 30 ================

2010-12-17 21:56:26 54016 ----a-w- c:\windows\system32\drivers\btkwf.sys
2010-12-17 21:09:50 -------- d-----w- c:\docume~1\hp_owner\applic~1\FixCleaner
2010-12-17 21:09:41 -------- d-----w- c:\program files\FixCleaner
2010-12-16 21:07:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-16 20:47:28 43624 ----a-w- c:\docume~1\hp_owner\locals~1\applic~1\Yuk4g0.exe
2010-12-16 20:02:47 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 20:00:13 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-16 18:50:05 43624 ----a-w- c:\docume~1\alluse~1\applic~1\Yuk4g0.exe
2010-12-16 18:47:03 40996 ---ha-w- c:\windows\system32\Yuk4g0.com
2010-12-16 18:20:33 -------- d-----w- c:\docume~1\hp_owner\locals~1\applic~1\NPE
2010-12-16 01:39:49 -------- d-----w- c:\docume~1\hp_owner\applic~1\Malwarebytes
2010-12-16 00:23:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-16 00:23:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-16 00:23:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-16 00:20:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-12-15 01:27:22 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-12-15 01:27:22 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-15 01:27:21 -------- d-----w- c:\program files\Symantec
2010-12-15 01:26:43 362032 ----a-r- c:\windows\system32\drivers\n360\0400000.07f\symtdi.sys
2010-12-15 01:26:43 340016 ----a-r- c:\windows\system32\drivers\n360\0400000.07f\symtdiv.sys
2010-12-15 01:26:43 172592 ----a-r- c:\windows\system32\drivers\n360\0400000.07f\SymEFA.sys
2010-12-15 01:26:42 43696 ----a-r- c:\windows\system32\drivers\n360\0400000.07f\srtspx.sys
2010-12-15 01:26:42 328752 ----a-r- c:\windows\system32\drivers\n360\0400000.07f\SymDS.sys
2010-12-15 01:26:42 325168 ----a-r- c:\windows\system32\drivers\n360\0400000.07f\srtsp.sys
2010-12-15 01:26:42 116272 ----a-r- c:\windows\system32\drivers\n360\0400000.07f\Ironx86.sys
2010-12-15 01:26:41 501888 ----a-r- c:\windows\system32\drivers\n360\0400000.07f\cchpx86.sys
2010-12-15 01:25:29 -------- d-----w- c:\windows\system32\drivers\n360\0400000.07F
2010-12-15 01:25:29 -------- d-----w- c:\windows\system32\drivers\N360
2010-12-15 01:25:19 -------- d-----w- c:\program files\Norton 360
2010-12-15 00:51:04 9 ----a-w- c:\docume~1\hp_owner\applic~1\google__u1[s7_7]rk-h.tmp
2010-12-15 00:51:03 9 ----a-w- c:\docume~1\hp_owner\applic~1\google_u1[s7_7]rk-h.tmp
2010-12-15 00:45:56 -------- d-----w- c:\program files\KAZAA
2010-12-15 00:45:51 40976 ----a-w- c:\program files\winlogon .exe
2010-12-15 00:45:51 40976 ----a-w- c:\program files\winlogon .exe
2010-12-15 00:45:51 17920 --sha-r- c:\program files\winlogon .exe
2010-12-14 22:07:25 40972 ----a-w- c:\docume~1\alluse~1\applic~1\agmsyagm.exe
2010-12-14 22:07:25 40960 ----a-w- c:\docume~1\alluse~1\applic~1\agmsyagm .exe
2010-12-14 20:45:02 -------- d-----w- c:\docume~1\hp_owner\applic~1\Tific
2010-12-14 20:44:50 -------- d-----w- c:\docume~1\hp_owner\locals~1\applic~1\Symantec
2010-12-14 20:30:10 40988 ---h--w- c:\windows\drweb.exe
2010-12-14 14:02:36 41004 ----a-w- c:\windows\login .exe
2010-12-14 14:02:36 40984 ----a-w- c:\windows\login .exe
2010-12-14 14:02:36 40980 ----a-w- c:\windows\login .exe
2010-12-14 14:02:36 40980 ----a-w- c:\windows\login .exe
2010-12-14 14:02:33 40976 ----a-w- c:\windows\avp32 .exe
2010-12-14 14:02:33 40976 ----a-w- c:\windows\avp32 .exe
2010-12-14 14:00:06 40992 ---ha-w- c:\documents and settings\hp_owner\Yuk4g0.com
2010-12-14 13:59:40 40976 ---h--w- c:\windows\wininst.exe
2010-12-14 13:59:37 40976 ---h--w- c:\windows\user.exe
2010-12-14 13:59:35 40976 ---h--w- c:\windows\setup.exe
2010-12-14 13:59:34 40976 ---h--w- c:\windows\cmd.exe
2010-12-14 13:36:27 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-14 13:24:44 40960 ----a-w- c:\docume~1\alluse~1\applic~1\agmsyekq .exe
2010-12-14 00:00:56 82434 ----a-w- c:\docume~1\alluse~1\applic~1\djH7D35k.exe
2010-12-13 23:15:03 40968 ----a-w- c:\docume~1\alluse~1\applic~1\avsqomjh.exe
2010-12-13 23:15:03 40960 ----a-w- c:\docume~1\alluse~1\applic~1\avsqomjh .exe
2010-12-13 22:01:59 41000 ----a-w- c:\windows\system .exe
2010-12-13 22:00:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\boost_interprocess
2010-12-13 21:59:03 -------- d-----w- c:\docume~1\hp_owner\applic~1\Ilfyv
2010-12-13 21:59:03 -------- d-----w- c:\docume~1\hp_owner\applic~1\Fume
2010-12-13 19:48:47 47425 ----a-w- c:\windows\system32\lsp20.dll
2010-12-13 19:48:47 0 ----a-w- c:\windows\system32\lsp20.tmp
2010-11-18 18:12:44 81920 -c----w- c:\windows\system32\dllcache\isign32.dll

==================== Find3M ====================

2010-12-16 18:46:10 41000 ---ha-w- c:\windows\csrss .exe
2010-12-16 18:46:10 41000 ---ha-w- c:\windows\csrss .exe
2010-12-16 18:46:10 41000 ---ha-w- c:\windows\csrss .exe
2010-12-16 18:39:36 41044 ----a-w- c:\windows\csrss .exe
2010-12-16 18:39:26 41044 ----a-w- c:\windows\csrss .exe
2010-12-16 18:39:26 41044 ----a-w- c:\windows\csrss .exe
2010-12-16 18:39:26 41044 ----a-w- c:\windows\csrss .exe
2010-12-16 18:38:34 41020 ----a-w- c:\windows\csrss .exe
2010-12-16 18:38:24 41012 ----a-w- c:\windows\csrss .exe
2010-12-16 18:33:35 40992 ----a-w- c:\windows\csrss .exe
2010-12-16 18:33:19 40972 ----a-w- c:\windows\csrss .exe
2010-12-16 01:39:50 40980 ----a-w- c:\windows\lsass .exe
2010-12-16 01:39:49 40980 ----a-w- c:\windows\system .exe
2010-12-16 01:39:48 40980 ----a-w- c:\windows\gdi32 .exe
2010-12-16 01:39:48 40980 ----a-w- c:\windows\debug .exe
2010-12-14 22:25:10 40988 ----a-w- c:\windows\system .exe
2010-12-14 22:24:35 40996 ----a-w- c:\windows\system .exe
2010-12-14 21:40:35 44048 ----a-w- c:\windows\debug .exe
2010-12-14 21:35:53 41012 ----a-w- c:\windows\debug .exe
2010-12-14 21:35:29 41004 ----a-w- c:\windows\debug .exe
2010-12-14 21:34:57 40996 ----a-w- c:\windows\debug .exe
2010-12-14 21:34:34 40988 ----a-w- c:\windows\gdi32 .exe
2010-12-14 20:47:00 40976 ----a-w- c:\windows\csrss .exe
2010-12-14 20:46:44 40972 ----a-w- c:\windows\lsass .exe
2010-12-14 20:46:20 40996 ---ha-w- c:\windows\lsass .exe
2010-12-14 20:45:58 40988 ----a-w- c:\windows\lsass .exe
2010-12-14 20:45:46 40992 ----a-w- c:\windows\csrss .exe
2010-12-14 20:44:44 40988 ----a-w- c:\windows\lsass .exe
2010-12-14 20:44:40 40988 ----a-w- c:\windows\system .exe
2010-12-14 20:44:30 40980 ----a-w- c:\windows\csrss .exe
2010-12-14 20:40:47 40988 ----a-w- c:\windows\lsass .exe
2010-12-14 20:40:45 40984 ----a-w- c:\windows\system .exe
2010-12-14 20:40:34 40980 ----a-w- c:\windows\csrss .exe
2010-12-14 20:36:15 40984 ----a-w- c:\windows\gdi32 .exe
2010-12-14 20:36:11 40984 ----a-w- c:\windows\debug .exe
2010-12-14 20:31:29 40976 ----a-w- c:\windows\system .exe
2010-12-14 20:29:39 40984 ----a-w- c:\windows\debug .exe
2010-12-14 20:29:39 40980 ----a-w- c:\windows\gdi32 .exe
2010-12-14 20:23:08 40980 ----a-w- c:\windows\system .exe
2010-12-14 14:06:35 41000 ----a-w- c:\windows\csrss .exe
2010-12-14 14:04:59 40992 ----a-w- c:\windows\lsass .exe
2010-12-14 14:04:58 40992 ----a-w- c:\windows\csrss .exe
2010-12-14 14:03:11 40984 ----a-w- c:\windows\csrss .exe
2010-12-14 14:02:32 40980 ----a-w- c:\windows\lsass .exe
2010-12-14 14:02:32 40976 ----a-w- c:\windows\debug .exe
2010-12-14 14:01:06 40976 ----a-w- c:\windows\debug .exe
2010-12-14 13:59:23 40972 ----a-w- c:\windows\debug .exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:11 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:11 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25:53 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 16:58:03.89 ===============
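Added triage example for this thread (not part of the original post, and not code from DDS or ComboFix): a small Python script that walks lines in the DDS/ComboFix log format shown above and flags only the persistence patterns visible in this log: a space inserted before the extension ("svchost .exe"), system binary names outside system32, executables dropped into an Application Data root or a Temp folder, a browser proxy pointed at 127.0.0.1, Security Center monitoring switched off, Regedit/Folder Options lockdown policies, and at.exe-created jobs. The rule names, the SYSTEM32_ONLY list and SAMPLE_LINES are constructed here; the sample lines are copied from the log above and from the ComboFix registry section later in the thread.

```python
"""Triage helper for DDS / ComboFix-style log lines.

Added example for this thread; it is not part of DDS, ComboFix or the original
post. It flags only the patterns that are visible in the log above and leaves
everything else for a human to read.
"""
import re

# A Windows path ending in an executable extension, tolerating the whitespace
# this infection inserts before the extension ("svchost .exe").
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]<>|]*?\s*\.(?:exe|com|dll|scr)\b', re.I)

# Binaries that only legitimately live in %windir%\system32 on Windows XP
# (constructed list; extend it for other systems).
SYSTEM32_ONLY = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe",
    "services.exe", "cmd.exe", "rundll32.exe", "spoolsv.exe",
}

# Whole-line rules for the registry and settings entries seen in the log.
LINE_RULES = [
    # Browser traffic routed through a listener on the local machine.
    ("localhost_proxy", re.compile(r"ProxyServer\s*=\s*\S*127\.0\.0\.1:\d+", re.I)),
    # Security Center told to stop reporting AV / firewall state.
    ("security_center_monitoring_off",
     re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1\s*$', re.I)),
    # Policies that lock the user out of Regedit and Folder Options.
    ("lockdown_policy",
     re.compile(r"(?:DisableRegistryTools|NoFolderOptions)\s*=\s*1\b", re.I)),
    # Jobs created with at.exe are rare on a home PC; review the target.
    ("at_job", re.compile(r"\\Tasks\\At\d+\.job", re.I)),
]


def path_findings(path):
    """Return the rule names that a single executable path trips."""
    findings = []
    directory, _, filename = path.rpartition("\\")
    directory = directory.lower()
    # "winlogon   .exe": looks like a system file name but is a different file.
    if re.search(r"\s\.[a-z]+$", filename, re.I):
        findings.append("space_before_extension")
    canonical = re.sub(r"\s+", "", filename).lower()
    if canonical in SYSTEM32_ONLY and not directory.endswith("\\windows\\system32"):
        findings.append("system_binary_outside_system32")
    # Executables dropped straight into an Application Data root or any Temp folder.
    in_appdata_root = directory.endswith(("\\application data", "\\applic~1"))
    in_temp = "\\temp\\" in (directory + "\\")
    if canonical.endswith((".exe", ".com", ".scr")) and (in_appdata_root or in_temp):
        findings.append("exe_in_appdata_or_temp")
    return findings


def triage(lines):
    """Return (rule, line) pairs for every log line that trips a rule."""
    hits = []
    for line in lines:
        line = line.rstrip()
        for name, pattern in LINE_RULES:
            if pattern.search(line):
                hits.append((name, line))
        for match in PATH_RE.finditer(line):
            for name in path_findings(match.group(0)):
                hits.append((name, line))
    return hits


# Constructed sample: lines copied from the DDS and ComboFix output in this thread.
SAMPLE_LINES = [
    "uInternet Settings,ProxyServer = http=127.0.0.1:59274",
    "uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe",
    "uRun: [MKesN] c:\\windows\\svchost .exe",
    "uRun: [oscquhvh] c:\\docume~1\\hp_owner\\locals~1\\temp\\pelseftjs\\cjtmpxwaffm.exe",
    "dRun: [Windows Monitor] c:\\documents and settings\\all users\\application data\\avsqomjh.exe",
    "dPolicies-system: DisableRegistryTools = 1 (0x1)",
    "mRun: [PS2] c:\\windows\\system32\\ps2.exe",
    '"DisableMonitoring"=dword:00000001',
    '"Windows Live Guards"= c:\\program files\\winlogon.exe',
    "2010-12-14 13:59:34 40976 ---h--w- c:\\windows\\cmd.exe",
    "2010-12-16 c:\\windows\\Tasks\\At102.job",
]

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LINES):
        print(f"{rule:32} {line}")
```

The rules are deliberately narrow: a clean line such as the ctfmon.exe or ps2.exe entries produces no finding, so anything the script prints still needs a human to confirm against the full log.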

#4 mikemb

  • Topic Starter
  • Members
  • 12 posts

Posted 17 December 2010 - 06:40 PM

Just did it~
Thanks!

#5 Animal (Bleepin' Animinion)

  • Site Admin
  • 35,317 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be

Posted 17 December 2010 - 08:02 PM

Merged your log with this topic. Please keep all replies related to this malware topic in this thread. No need to post new topics as replies, makes it much less confusing for you and the person helping you. Use the reply button and type your response, then when done click the add reply button. Thank you.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#6 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 December 2010 - 08:16 PM

YOUCH!! Yes sir....lots more going on there. :blink: I'm surprised you aren't having more trouble. Let's see about it :

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to mikemb.exe and try again.

Thanks,
tea

#7 mikemb

  • Topic Starter
  • Members
  • 12 posts

Posted 17 December 2010 - 10:23 PM

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.642 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\djH7D35k.exe
c:\windows\Fonts\Yuk4g0.com

.
((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.

2010-12-17 21:09 . 2010-12-17 21:10 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\FixCleaner
2010-12-17 21:09 . 2010-12-17 21:17 -------- d-----w- c:\program files\FixCleaner
2010-12-16 21:07 . 2010-12-16 21:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-16 20:02 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 20:00 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-16 18:47 . 2010-12-15 01:24 40996 ---ha-w- c:\windows\system32\Yuk4g0.com
2010-12-16 18:20 . 2010-12-16 19:06 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\NPE
2010-12-16 01:39 . 2010-12-16 01:39 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2010-12-16 00:23 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-16 00:23 . 2010-12-16 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-16 00:23 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-16 00:22 . 2010-12-16 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-16 00:20 . 2010-12-16 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-12-16 00:05 . 2010-12-16 00:05 -------- d-----w- c:\documents and settings\Administrator
2010-12-15 01:27 . 2010-12-15 01:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-12-15 01:27 . 2010-12-15 01:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-15 01:27 . 2010-12-15 01:27 -------- d-----w- c:\program files\Symantec
2010-12-15 01:25 . 2010-12-15 01:25 -------- d-----w- c:\windows\system32\drivers\N360
2010-12-15 01:25 . 2010-12-15 01:25 -------- d-----w- c:\program files\Norton 360
2010-12-15 01:16 . 2010-12-15 01:16 9 ----a-w- c:\documents and settings\Mike\Application Data\google_u1[s7_7]rk-h.tmp
2010-12-15 00:51 . 2010-12-15 00:51 9 ----a-w- c:\documents and settings\HP_Owner\Application Data\google_u1[s7_7]rk-h.tmp
2010-12-15 00:45 . 2010-12-15 00:45 -------- d-----w- c:\program files\KAZAA
2010-12-15 00:45 . 2010-12-15 01:16 40976 ----a-w- c:\program files\winlogon .exe
2010-12-15 00:45 . 2010-12-15 00:51 40976 ----a-w- c:\program files\winlogon .exe
2010-12-15 00:45 . 2010-12-15 00:45 17920 --sha-r- c:\program files\winlogon .exe
2010-12-14 22:04 . 2010-12-14 22:31 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\U3
2010-12-14 20:45 . 2010-12-14 20:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Tific
2010-12-14 20:44 . 2010-12-14 20:44 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Symantec
2010-12-14 20:30 . 2010-12-14 20:30 40988 ---h--w- c:\windows\drweb.exe
2010-12-14 14:07 . 2010-12-14 14:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-14 14:02 . 2010-12-16 01:39 40980 ----a-w- c:\windows\login .exe
2010-12-14 14:02 . 2010-12-14 22:25 41004 ----a-w- c:\windows\login .exe
2010-12-14 14:02 . 2010-12-14 22:24 40984 ----a-w- c:\windows\login .exe
2010-12-14 14:02 . 2010-12-14 22:23 40980 ----a-w- c:\windows\login .exe
2010-12-14 14:02 . 2010-12-16 01:39 40976 ----a-w- c:\windows\avp32 .exe
2010-12-14 14:02 . 2010-12-14 21:32 40976 ----a-w- c:\windows\avp32 .exe
2010-12-14 13:59 . 2010-12-14 13:59 40976 ---h--w- c:\windows\wininst.exe
2010-12-14 13:59 . 2010-12-14 13:59 40976 ---h--w- c:\windows\setup.exe
2010-12-14 13:36 . 2010-12-14 13:42 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-14 00:25 . 2010-12-14 00:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-12-13 22:01 . 2010-12-16 01:39 40980 ----a-w- c:\windows\lsass .exe
2010-12-13 22:00 . 2010-12-14 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-12-13 21:59 . 2010-12-16 03:00 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Ilfyv
2010-12-13 19:48 . 2010-12-13 19:48 0 ----a-w- c:\windows\system32\lsp20.tmp
2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2004-11-03 18:50 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2004-11-03 18:52 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2004-11-03 19:19 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-06 00:34 . 2004-11-03 18:50 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2004-11-03 18:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:25 . 2004-11-03 18:50 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-09-18 16:04 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-11-03 19:19 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-09-18 16:04 1853312 ----a-w- c:\windows\system32\win32k.sys
.
c:\program files\winlogon   .exe
c:\program files\winlogon  .exe
c:\program files\winlogon .exe
c:\windows\avp32      .exe
c:\windows\avp32     .exe
c:\windows\debug           .exe
c:\windows\debug          .exe
c:\windows\debug         .exe
c:\windows\debug        .exe
c:\windows\debug       .exe
c:\windows\debug      .exe
c:\windows\debug     .exe
c:\windows\debug    .exe
c:\windows\debug   .exe
c:\windows\debug  .exe
c:\windows\gdi32        .exe
c:\windows\gdi32       .exe
c:\windows\gdi32      .exe
c:\windows\gdi32     .exe
c:\windows\login        .exe
c:\windows\login       .exe
c:\windows\login      .exe
c:\windows\login     .exe
c:\windows\lsass            .exe
c:\windows\lsass           .exe
c:\windows\lsass          .exe
c:\windows\lsass         .exe
c:\windows\lsass        .exe
c:\windows\lsass       .exe
c:\windows\lsass      .exe
c:\windows\lsass     .exe
c:\windows\system           .exe
c:\windows\system          .exe
c:\windows\system         .exe
c:\windows\system        .exe
c:\windows\system       .exe
c:\windows\system      .exe
c:\windows\system     .exe
c:\windows\system    .exe
c:\windows\SMINST\RECGUARD .exe
c:\windows\system32\rundll32 .exe

((((((((((((((((((((((((((((( SnapShot@2010-12-18_02.21.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-18 03:11 . 2010-12-18 03:11 16384 c:\windows\Temp\Perflib_Perfdata_1b8.dat
+ 2007-02-04 22:13 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
- 2007-02-04 22:13 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [N/A]
"Msuwiyu"="c:\windows\xmsclbd.dll" [N/A]
"MKesN"="c:\windows\svchost .exe" [N/A]
"MKesJc"="c:\windows\svchost .exe" [N/A]
"MKesJK"="c:\windows\svchost .exe" [N/A]
"MKesJ0"="c:\windows\svchost .exe" [N/A]
"MKesJj"="c:\windows\svchost .exe" [N/A]
"MKesJgc"="c:\windows\svchost .exe" [N/A]
"MKesJgK"="c:\windows\svchost .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [N/A]
"VTTimer"="VTTimer.exe" [N/A]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-07 172032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Monitor"="c:\documents and settings\All Users\Application Data\avsqomjh.exe" [N/A]
"MKcuggj"="c:\windows\lsass .exe" [2010-12-16 40980]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]
Launch Whitesmoke Translator.lnk - c:\program files\Whitesmoke Translator\WSTrayDictMode.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"Windows Live Guards"= c:\program files\winlogon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0400000.07F\SymDS.sys [12/14/2010 8:26 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0400000.07F\SymEFA.sys [12/14/2010 8:26 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20091205.001\BHDrvx86.sys [12/14/2010 8:26 PM 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0400000.07F\cchpx86.sys [12/14/2010 8:26 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0400000.07F\Ironx86.sys [12/14/2010 8:26 PM 116272]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe [12/14/2010 8:25 PM 126392]
S0 cbjtmjsu;cbjtmjsu; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/16/2010 6:49 AM 136176]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20091105.001\IDSxpx86.sys [12/14/2010 8:26 PM 329592]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [2/5/2005 8:52 PM 83552]
.
Contents of the 'Scheduled Tasks' folder

2010-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-16 c:\windows\Tasks\At102.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-16 c:\windows\Tasks\At106.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-16 c:\windows\Tasks\At110.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-17 c:\windows\Tasks\At113.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-17 c:\windows\Tasks\At117.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-16 c:\windows\Tasks\At121.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-17 c:\windows\Tasks\At125.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-16 c:\windows\Tasks\At129.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-18 c:\windows\Tasks\At133.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At137.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At141.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-16 c:\windows\Tasks\At319.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-16 c:\windows\Tasks\At326.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-16 c:\windows\Tasks\At327.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-16 c:\windows\Tasks\At328.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-17 c:\windows\Tasks\At329.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-16 c:\windows\Tasks\At336.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At52.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At55.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At58.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At62.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At66.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At70.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At74.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At78.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At82.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-16 c:\windows\Tasks\At86.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At90.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At94.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2010-12-14 c:\windows\Tasks\At98.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

2005-08-06 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 15:50]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 11:48]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 11:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uSearchAssistant =
uCustomizeSearch =
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.totsites.com/admin2/includes/imageuploader5_5_6/ImageUploader5.cab
DPF: {BBF89515-EDB6-4236-8FBB-B6045290076D} - hxxp://www.totsites.com/admin/includes/imageuploader/ImageUploader4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-17 22:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
Here it is!


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.0.0.127\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-12-17 22:21:45
ComboFix-quarantined-files.txt 2010-12-18 03:21
ComboFix2.txt 2010-12-18 02:36

Pre-Run: 160,973,795,328 bytes free
Post-Run: 160,973,078,528 bytes free

- - End Of File - - 2BE1563B47C227C30A17260CB86D52F4

#8 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 December 2010 - 01:35 AM

Hello,

Yikes....this is a mess....sorry it took so long, but there is a ton to do here. :blink:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

FILE::
c:\program files\winlogon   .exe
c:\program files\winlogon  .exe
c:\program files\winlogon .exe
c:\windows\avp32      .exe
c:\windows\avp32     .exe
c:\windows\debug           .exe
c:\windows\debug          .exe
c:\windows\debug         .exe
c:\windows\debug        .exe
c:\windows\debug       .exe
c:\windows\debug      .exe
c:\windows\debug     .exe
c:\windows\debug    .exe
c:\windows\debug   .exe
c:\windows\debug  .exe
c:\windows\gdi32        .exe
c:\windows\gdi32       .exe
c:\windows\gdi32      .exe
c:\windows\gdi32     .exe
c:\windows\login        .exe
c:\windows\login       .exe
c:\windows\login      .exe
c:\windows\login     .exe
c:\windows\lsass            .exe
c:\windows\lsass           .exe
c:\windows\lsass          .exe
c:\windows\lsass         .exe
c:\windows\lsass        .exe
c:\windows\lsass       .exe
c:\windows\lsass      .exe
c:\windows\lsass     .exe
c:\windows\system           .exe
c:\windows\system          .exe
c:\windows\system         .exe
c:\windows\system        .exe
c:\windows\system       .exe
c:\windows\system      .exe
c:\windows\system     .exe
c:\windows\system    .exe
c:\documents and settings\all users\application data\avsqomjh.exe
c:\windows\drweb.exe
c:\windows\temp\Plugin03.exe
c:\windows\system32\drivers\btkwf.sys
c:\windows\system32\Yuk4g0.com
c:\docume~1\hp_owner\locals~1\applic~1\Yuk4g0.exe
c:\docume~1\alluse~1\applic~1\Yuk4g0.exe
c:\docume~1\alluse~1\applic~1\agmsyagm.exe
c:\docume~1\alluse~1\applic~1\agmsyagm .exe
c:\docume~1\alluse~1\applic~1\agmsyekq .exe
c:\docume~1\alluse~1\applic~1\djH7D35k.exe
c:\docume~1\alluse~1\applic~1\avsqomjh.exe
c:\docume~1\alluse~1\applic~1\avsqomjh .exe
c:\windows\system .exe
c:\docume~1\alluse~1\applic~1\boost_interprocess
c:\docume~1\hp_owner\applic~1\Ilfyv
c:\docume~1\hp_owner\applic~1\Fume
c:\windows\system32\lsp20.dll
c:\windows\wininst.exe
c:\windows\user.exe
c:\windows\setup.exe
c:\windows\cmd.exe
c:\program files\winlogon .exe
c:\windows\login .exe
c:\windows\avp32 .exe
c:\windows\lsass .exe
c:\windows\gdi32 .exe
c:\windows\system32\lsp20.tmp
c:\docume~1\hp_owner\applic~1\google_u1[s7_7]rk-h.tmp
c:\windows\Tasks\At102.job
c:\windows\Tasks\At106.job
c:\windows\Tasks\At110.job
c:\windows\Tasks\At113.job
c:\windows\Tasks\At117.job
c:\windows\Tasks\At121.job
c:\windows\Tasks\At125.job
c:\windows\Tasks\At129.job
c:\windows\Tasks\At133.job
c:\windows\Tasks\At137.job
c:\windows\Tasks\At141.job
c:\windows\Tasks\At319.job
c:\windows\Tasks\At326.job
c:\windows\Tasks\At327.job
c:\windows\Tasks\At328.job
c:\windows\Tasks\At329.job
c:\windows\Tasks\At336.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At74.job
c:\windows\Tasks\At78.job
c:\windows\Tasks\At82.job
c:\windows\Tasks\At86.job
c:\windows\Tasks\At90.job
c:\windows\Tasks\At94.job
c:\windows\Tasks\At98.job

DIRLOOK::
c:\documents and settings\HP_Owner\Local Settings\Application Data\NPE
c:\windows\system32\%APPDATA%

FOLDER::
c:\documents and settings\HP_Owner\Application Data\Ilfyv
c:\program files\Whitesmoke Translator

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:59274

RENV::
c:\windows\SMINST\RECGUARD .exe
c:\windows\system32\rundll32 .exe

REGISTRY::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Msuwiyu"="-
"MKesN"="-
"MKesJc"="-
"MKesJK"="-
"MKesJ0"="-
"MKesJj"="-
"MKesJgc"="-
"MKesJgK"="-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Monitor"="-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"Windows Live Guards"=-
"MKcuggj"="-

DRIVER::
btkwf

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea
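As an added illustration (not part of this thread, and not ComboFix's own code), a short Python triage pass over ComboFix-style "Reg Loading Points" lines that flags the same patterns the script above removes: whitespace padded before the extension (svchost .exe), core system binary names outside system32, Security Center DisableMonitoring=1, a browser proxy on loopback, and At*.job scheduled tasks. The sample log is constructed from a few entries of the shape shown in the log above; CORE_NAMES and the weighting of the [N/A] marker are my assumptions.

```python
"""Triage pass over ComboFix 'Reg Loading Points' style lines (added example)."""
import re
from typing import Dict, List

# Constructed sample in ComboFix's format, modelled on a few entries from
# the log above; it is not a real log file.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [N/A]
"MKesN"="c:\windows\svchost .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MKcuggj"="c:\windows\lsass .exe" [2010-12-16 40980]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"Windows Live Guards"= c:\program files\winlogon.exe

2010-12-16 c:\windows\Tasks\At102.job
- c:\windows\system32\Yuk4g0.com [2010-12-16 01:24]

uInternet Settings,ProxyServer = http=127.0.0.1:59274
'''

# Assumption: binaries that belong in system32 on XP; a copy elsewhere is a masquerade.
CORE_NAMES = {"lsass", "svchost", "winlogon", "csrss", "smss", "services", "spoolsv"}

ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
QUOTED_VALUE_RE = re.compile(r'^"(?P<path>[^"]*)"(?:\s*\[(?P<tag>[^\]]*)\])?')
PADDED_EXT_RE = re.compile(r"\s+\.(?:exe|com|dll|scr|bat|pif)$", re.I)
AT_JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>.*\\Tasks\\At\d+\.job)$", re.I)
TASK_TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)")


def _split_value(value: str):
    """Return (path, tag) from '"c:\\x\\y.exe" [N/A]' or a bare value."""
    m = QUOTED_VALUE_RE.match(value)
    if m:
        return m.group("path"), m.group("tag")
    return value.strip(), None


def _stem(path: str) -> str:
    """Filename without directory, padding or extension: 'svchost .exe' -> 'svchost'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return re.sub(r"\s+", "", name).rsplit(".", 1)[0].lower()


def _dir(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def _check_entry(section: str, name: str, value: str) -> List[str]:
    reasons = []
    if name.lower() == "disablemonitoring" and "security center" in section.lower() and value.endswith("1"):
        reasons.append("Security Center monitoring disabled")
    path, tag = _split_value(value)
    if path:
        if PADDED_EXT_RE.search(path):
            reasons.append("whitespace padded before extension")
        if _stem(path) in CORE_NAMES and "\\system32" not in _dir(path):
            reasons.append("core system binary name outside system32")
        if tag == "N/A":  # weak signal: stale but legitimate entries show it too
            reasons.append("no file details ([N/A])")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Flag autostart, Security Center, firewall, proxy and At*.job entries."""
    findings: List[Dict[str, object]] = []
    section = ""
    pending_job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = AT_JOB_RE.match(line)
        if m:
            pending_job = m.group("job")  # the target follows on the next line
            continue
        m = TASK_TARGET_RE.match(line)
        if m and pending_job:
            findings.append({"section": "Scheduled Tasks", "entry": pending_job,
                             "path": m.group("target"), "reasons": ["At*.job task created with at.exe"]})
        pending_job = None
        if m:
            continue
        m = PROXY_RE.search(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group("proxy")):
            findings.append({"section": "Internet Settings", "entry": "ProxyServer",
                             "path": m.group("proxy"), "reasons": ["browser traffic proxied through loopback"]})
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reasons = _check_entry(section, m.group("name"), m.group("value"))
        if reasons:
            findings.append({"section": section, "entry": m.group("name"),
                             "path": _split_value(m.group("value"))[0], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['entry']!r:30} {f['path']:50} {'; '.join(f['reasons'])}")
```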

#9 mikemb (Topic Starter)

  • Members
  • 12 posts

Posted 18 December 2010 - 09:20 AM

Here you go. Just an FYI, ComboFix prompted me about a newer version but I did not accept it.

I really appreciate your help.

Mike



ComboFix 10-12-16.05 - HP_Owner 12/18/2010 9:06.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.600 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\docume~1\alluse~1\applic~1\agmsyagm .exe"
"c:\docume~1\alluse~1\applic~1\agmsyagm.exe"
"c:\docume~1\alluse~1\applic~1\agmsyekq .exe"
"c:\docume~1\alluse~1\applic~1\avsqomjh .exe"
"c:\docume~1\alluse~1\applic~1\avsqomjh.exe"
"c:\docume~1\alluse~1\applic~1\boost_interprocess"
"c:\docume~1\alluse~1\applic~1\djH7D35k.exe"
"c:\docume~1\alluse~1\applic~1\Yuk4g0.exe"
"c:\docume~1\hp_owner\applic~1\Fume"
"c:\docume~1\hp_owner\applic~1\google_u1[s7_7]rk-h.tmp"
"c:\docume~1\hp_owner\applic~1\Ilfyv"
"c:\docume~1\hp_owner\locals~1\applic~1\Yuk4g0.exe"
"c:\documents and settings\all users\application data\avsqomjh.exe"
"c:\program files\winlogon .exe"
"c:\program files\winlogon .exe"
"c:\program files\winlogon .exe"
"c:\windows\avp32 .exe"
"c:\windows\avp32 .exe"
"c:\windows\avp32 .exe"
"c:\windows\cmd.exe"
"c:\windows\debug .exe"
"c:\windows\debug .exe"
"c:\windows\debug .exe"
"c:\windows\debug .exe"
"c:\windows\debug .exe"
"c:\windows\debug .exe"
"c:\windows\debug .exe"
"c:\windows\debug .exe"
"c:\windows\debug .exe"
"c:\windows\debug .exe"
"c:\windows\drweb.exe"
"c:\windows\gdi32 .exe"
"c:\windows\gdi32 .exe"
"c:\windows\gdi32 .exe"
"c:\windows\gdi32 .exe"
"c:\windows\gdi32 .exe"
"c:\windows\login .exe"
"c:\windows\login .exe"
"c:\windows\login .exe"
"c:\windows\login .exe"
"c:\windows\login .exe"
"c:\windows\lsass .exe"
"c:\windows\lsass .exe"
"c:\windows\lsass .exe"
"c:\windows\lsass .exe"
"c:\windows\lsass .exe"
"c:\windows\lsass .exe"
"c:\windows\lsass .exe"
"c:\windows\lsass .exe"
"c:\windows\lsass .exe"
"c:\windows\setup.exe"
"c:\windows\system .exe"
"c:\windows\system .exe"
"c:\windows\system .exe"
"c:\windows\system .exe"
"c:\windows\system .exe"
"c:\windows\system .exe"
"c:\windows\system .exe"
"c:\windows\system .exe"
"c:\windows\system .exe"
"c:\windows\system32\drivers\btkwf.sys"
"c:\windows\system32\lsp20.dll"
"c:\windows\system32\lsp20.tmp"
"c:\windows\system32\Yuk4g0.com"
"c:\windows\Tasks\At102.job"
"c:\windows\Tasks\At106.job"
"c:\windows\Tasks\At110.job"
"c:\windows\Tasks\At113.job"
"c:\windows\Tasks\At117.job"
"c:\windows\Tasks\At121.job"
"c:\windows\Tasks\At125.job"
"c:\windows\Tasks\At129.job"
"c:\windows\Tasks\At133.job"
"c:\windows\Tasks\At137.job"
"c:\windows\Tasks\At141.job"
"c:\windows\Tasks\At319.job"
"c:\windows\Tasks\At326.job"
"c:\windows\Tasks\At327.job"
"c:\windows\Tasks\At328.job"
"c:\windows\Tasks\At329.job"
"c:\windows\Tasks\At336.job"
"c:\windows\Tasks\At52.job"
"c:\windows\Tasks\At55.job"
"c:\windows\Tasks\At58.job"
"c:\windows\Tasks\At62.job"
"c:\windows\Tasks\At66.job"
"c:\windows\Tasks\At70.job"
"c:\windows\Tasks\At74.job"
"c:\windows\Tasks\At78.job"
"c:\windows\Tasks\At82.job"
"c:\windows\Tasks\At86.job"
"c:\windows\Tasks\At90.job"
"c:\windows\Tasks\At94.job"
"c:\windows\Tasks\At98.job"
"c:\windows\temp\Plugin03.exe"
"c:\windows\user.exe"
"c:\windows\wininst.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\hp_owner\applic~1\google_u1[s7_7]rk-h.tmp
c:\documents and settings\HP_Owner\Application Data\Ilfyv
c:\documents and settings\HP_Owner\Application Data\Ilfyv\itapx .exe
c:\program files\winlogon .exe
c:\program files\winlogon .exe
c:\program files\winlogon .exe
c:\windows\avp32 .exe
c:\windows\avp32 .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\drweb.exe
c:\windows\Fonts\Yuk4g0.com
c:\windows\gdi32 .exe
c:\windows\gdi32 .exe
c:\windows\gdi32 .exe
c:\windows\gdi32 .exe
c:\windows\login .exe
c:\windows\login .exe
c:\windows\login .exe
c:\windows\login .exe
c:\windows\lsass .exe
c:\windows\lsass .exe
c:\windows\lsass .exe
c:\windows\lsass .exe
c:\windows\lsass .exe
c:\windows\lsass .exe
c:\windows\lsass .exe
c:\windows\lsass .exe
c:\windows\setup.exe
c:\windows\system .exe
c:\windows\system .exe
c:\windows\system .exe
c:\windows\system .exe
c:\windows\system .exe
c:\windows\system .exe
c:\windows\system .exe
c:\windows\system .exe
c:\windows\system32\lsp20.tmp
c:\windows\system32\Yuk4g0.com
c:\windows\Tasks\At102.job
c:\windows\Tasks\At106.job
c:\windows\Tasks\At110.job
c:\windows\Tasks\At113.job
c:\windows\Tasks\At117.job
c:\windows\Tasks\At121.job
c:\windows\Tasks\At125.job
c:\windows\Tasks\At129.job
c:\windows\Tasks\At133.job
c:\windows\Tasks\At137.job
c:\windows\Tasks\At141.job
c:\windows\Tasks\At319.job
c:\windows\Tasks\At326.job
c:\windows\Tasks\At327.job
c:\windows\Tasks\At328.job
c:\windows\Tasks\At329.job
c:\windows\Tasks\At336.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At74.job
c:\windows\Tasks\At78.job
c:\windows\Tasks\At82.job
c:\windows\Tasks\At86.job
c:\windows\Tasks\At90.job
c:\windows\Tasks\At94.job
c:\windows\Tasks\At98.job
c:\windows\wininst.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.

2010-12-17 21:09 . 2010-12-17 21:10 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\FixCleaner
2010-12-17 21:09 . 2010-12-17 21:17 -------- d-----w- c:\program files\FixCleaner
2010-12-16 21:07 . 2010-12-16 21:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-16 20:02 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 20:00 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-16 18:20 . 2010-12-16 19:06 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\NPE
2010-12-16 01:39 . 2010-12-16 01:39 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2010-12-16 00:23 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-16 00:23 . 2010-12-16 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-16 00:23 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-16 00:22 . 2010-12-16 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-16 00:20 . 2010-12-16 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-12-16 00:05 . 2010-12-16 00:05 -------- d-----w- c:\documents and settings\Administrator
2010-12-15 01:27 . 2010-12-15 01:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-12-15 01:27 . 2010-12-15 01:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-15 01:27 . 2010-12-15 01:27 -------- d-----w- c:\program files\Symantec
2010-12-15 01:25 . 2010-12-15 01:25 -------- d-----w- c:\windows\system32\drivers\N360
2010-12-15 01:25 . 2010-12-15 01:25 -------- d-----w- c:\program files\Norton 360
2010-12-15 01:16 . 2010-12-15 01:16 9 ----a-w- c:\documents and settings\Mike\Application Data\google_u1[s7_7]rk-h.tmp
2010-12-15 00:45 . 2010-12-15 00:45 -------- d-----w- c:\program files\KAZAA
2010-12-14 22:04 . 2010-12-14 22:31 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\U3
2010-12-14 20:45 . 2010-12-14 20:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Tific
2010-12-14 20:44 . 2010-12-14 20:44 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Symantec
2010-12-14 14:07 . 2010-12-14 14:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-14 13:36 . 2010-12-14 13:42 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-14 00:25 . 2010-12-14 00:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-12-13 22:00 . 2010-12-14 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2004-11-03 18:50 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2004-11-03 18:52 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2004-11-03 19:19 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-06 00:34 . 2004-11-03 18:50 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2004-11-03 18:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:25 . 2004-11-03 18:50 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-09-18 16:04 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-11-03 19:19 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-09-18 16:04 1853312 ----a-w- c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\HP_Owner\Local Settings\Application Data\NPE ----

2010-12-16 19:06 . 2010-12-16 20:10 135720614 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\NPE\Remediate2010121613493571811000000.dat
2010-12-16 18:56 . 2010-12-16 20:33 849274 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\NPE\Info20101216134935.xml
2010-12-16 18:33 . 2010-12-16 18:40 735886 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\NPE\Info20101216132613.xml
2010-12-16 18:33 . 2010-12-16 18:45 727138 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\NPE\Info20101216132701.xml
2010-12-16 18:24 . 2010-12-16 18:47 118784 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\NPE\bootlog_NPETraceSession.etl
2010-12-16 18:20 . 2010-12-16 18:50 794624 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\NPE\NPETraceSession.etl

---- Directory of c:\windows\system32\%APPDATA% ----

2010-12-15 00:46 . 2010-12-15 00:46 9 ----a-w- c:\windows\system32\%APPDATA%\google__u1[s7_7]rk-h.tmp
2010-12-15 00:46 . 2010-12-15 00:46 9 ----a-w- c:\windows\system32\%APPDATA%\google_u1[s7_7]rk-h.tmp
2010-12-14 13:42 . 2010-12-16 17:57 2560 ----a-w- c:\windows\system32\%APPDATA%\Microsoft\Mse\ObjBrow.dat
2010-12-14 13:42 . 2010-12-16 17:57 144 ----a-w- c:\windows\system32\%APPDATA%\Microsoft\Office\VB11.pip
2010-12-14 13:42 . 2010-12-16 17:57 31954 ----a-w- c:\windows\system32\%APPDATA%\Microsoft\Mse\1033\CmdUI.PRF
2010-12-14 13:42 . 2010-12-14 13:42 546 ----a-w- c:\windows\system32\%APPDATA%\Microsoft\Mse\VsFontLk.dat
2010-12-14 13:42 . 2010-12-16 17:57 9015 ----a-w- c:\windows\system32\%APPDATA%\Microsoft\Mse\toolbox.tbd
2010-12-14 13:42 . 2010-12-16 17:57 42351 ----a-w- c:\windows\system32\%APPDATA%\Microsoft\Mse\viewsspt.xml
2010-12-14 13:42 . 2000-08-08 05:31 39514 ----a-w- c:\windows\system32\%APPDATA%\Microsoft\Mse\viewssrc.xml
2010-12-14 13:42 . 2010-12-14 13:42 126 ----a-w- c:\windows\system32\%APPDATA%\Microsoft\Mse\mse.sln
2010-12-14 13:36 . 2010-12-16 16:27 86 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log
2010-12-14 13:36 . 2010-06-14 15:06 165 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.iss
2010-12-14 13:36 . 2010-07-07 09:45 31743 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr
2010-12-14 13:36 . 2010-07-07 09:44 234304 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx
2010-12-14 13:36 . 2009-06-10 11:57 550192 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.ocx
2010-12-14 13:36 . 2010-07-07 09:45 581440 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\ISSetup.dll
2010-12-14 13:36 . 2010-07-07 09:45 807744 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.exe
2010-12-14 13:36 . 2010-07-07 09:44 1178 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.ini
2010-12-14 13:36 . 2009-05-21 12:53 21494 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\0x0409.ini
2010-12-14 13:36 . 2010-06-14 15:32 152 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt
2010-12-14 13:36 . 2010-07-07 09:45 473 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin
2010-12-14 13:36 . 2010-07-07 09:45 3525401 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab
2010-12-14 13:36 . 2010-07-07 09:45 567840 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab


((((((((((((((((((((((((((((( SnapShot@2010-12-18_02.21.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-18 03:11 . 2010-12-18 03:11 16384 c:\windows\Temp\Perflib_Perfdata_1b8.dat
+ 2007-02-04 22:13 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
- 2007-02-04 22:13 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\RECGUARD.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-07 172032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]
Launch Whitesmoke Translator.lnk - c:\program files\Whitesmoke Translator\WSTrayDictMode.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0400000.07F\SymDS.sys [12/14/2010 8:26 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0400000.07F\SymEFA.sys [12/14/2010 8:26 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20091205.001\BHDrvx86.sys [12/14/2010 8:26 PM 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0400000.07F\cchpx86.sys [12/14/2010 8:26 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0400000.07F\Ironx86.sys [12/14/2010 8:26 PM 116272]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe [12/14/2010 8:25 PM 126392]
S0 cbjtmjsu;cbjtmjsu; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/16/2010 6:49 AM 136176]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20091105.001\IDSxpx86.sys [12/14/2010 8:26 PM 329592]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [2/5/2005 8:52 PM 83552]
.
Contents of the 'Scheduled Tasks' folder

2010-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2005-08-06 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 15:50]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 11:48]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 11:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uSearchAssistant =
uCustomizeSearch =
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.totsites.com/admin2/includes/imageuploader5_5_6/ImageUploader5.cab
DPF: {BBF89515-EDB6-4236-8FBB-B6045290076D} - hxxp://www.totsites.com/admin/includes/imageuploader/ImageUploader4.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKCU-Run-Msuwiyu - c:\windows\xmsclbd.dll
HKCU-Run-MKesN - c:\windows\svchost .exe
HKCU-Run-MKesJc - c:\windows\svchost .exe
HKCU-Run-MKesJK - c:\windows\svchost .exe
HKCU-Run-MKesJ0 - c:\windows\svchost .exe
HKCU-Run-MKesJj - c:\windows\svchost .exe
HKCU-Run-MKesJgc - c:\windows\svchost .exe
HKCU-Run-MKesJgK - c:\windows\svchost .exe
HKLM-Run-KBD - c:\hp\KBD\KBD.EXE
HKLM-Run-VTTimer - VTTimer.exe
HKU-Default-Run-Windows Monitor - c:\documents and settings\All Users\Application Data\avsqomjh.exe
HKU-Default-Run-MKcuggj - c:\windows\lsass .exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-18 09:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.0.0.127\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-12-18 09:15:27
ComboFix-quarantined-files.txt 2010-12-18 14:15
ComboFix2.txt 2010-12-18 03:21
ComboFix3.txt 2010-12-18 02:36

Pre-Run: 160,987,086,848 bytes free
Post-Run: 160,962,781,184 bytes free

- - End Of File - - 421A68882213018B4756A32BEE4BB300

#10 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 December 2010 - 11:21 AM

Hello there,

You're most welcome. :)

That looks so much better already! :clapping: How is it running? Still some to do though....

Make sure your Malwarebytes is updated and have a scan with it. It "should" take out Whitesmoke. If it doesn't, we'll get tough with it. :thumbup2:

Thanks,
tea

#11 mikemb
  • Topic Starter

Posted 18 December 2010 - 01:21 PM

Finally got a clear scan! Seems to be working well, although I am having a hard time uninstalling my Norton antivirus.

Everything else is great!

Thanks so much!!

#12 teacup61
  • Malware Response Team

Posted 18 December 2010 - 01:27 PM

Excellent, and you're most welcome. :thumbup2: Did MBAM take out the Whitesmoke?

Use this for the Norton: The Norton uninstall tool uninstalls ALL Norton 2004-2010 products from your computer. It also uninstalls Norton Ghost 10.0/9.0/2003. http://service1.symantec.com/SUPPORT/tsgen...005033108162039

Can you please run and post me a new DDS log? There were still some questionable things in the last ComboFix log and I want to be sure those are gone before I give you the all clear. :)

Thanks!
tea

#13 mikemb
  • Topic Starter

Posted 18 December 2010 - 02:11 PM

Here is the latest DDS. There is still something going on. I keep hearing "congratulations, you have won!" But I am not feeling like a winner.



DDS (Ver_10-12-12.02) - NTFSx86
Run by HP_Owner at 14:08:22.34 on Sat 12/18/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.603 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uSearchAssistant =
uCustomizeSearch =
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.totsites.com/admin2/includes/imageuploader5_5_6/ImageUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139582973015
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139582962265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BBF89515-EDB6-4236-8FBB-B6045290076D} - hxxp://www.totsites.com/admin/includes/imageuploader/ImageUploader4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S0 cbjtmjsu;cbjtmjsu; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-16 136176]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [2005-2-5 83552]

=============== Created Last 30 ================

2010-12-18 18:20:08 82434 ----a-w- c:\docume~1\alluse~1\applic~1\djH7D35k.exe
2010-12-18 01:56:24 98816 ----a-w- c:\windows\sed.exe
2010-12-18 01:56:24 89088 ----a-w- c:\windows\MBR.exe
2010-12-18 01:56:24 256512 ----a-w- c:\windows\PEV.exe
2010-12-18 01:56:24 161792 ----a-w- c:\windows\SWREG.exe
2010-12-17 21:09:50 -------- d-----w- c:\docume~1\hp_owner\applic~1\FixCleaner
2010-12-17 21:09:41 -------- d-----w- c:\program files\FixCleaner
2010-12-16 21:07:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-16 20:02:47 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 20:00:13 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-16 18:20:33 -------- d-----w- c:\docume~1\hp_owner\locals~1\applic~1\NPE
2010-12-16 01:39:49 -------- d-----w- c:\docume~1\hp_owner\applic~1\Malwarebytes
2010-12-16 00:23:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-16 00:23:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-16 00:23:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-16 00:20:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-12-15 01:25:29 -------- d-----w- c:\windows\system32\drivers\n360\0400000.07F
2010-12-15 01:25:29 -------- d-----w- c:\windows\system32\drivers\N360
2010-12-15 00:45:56 -------- d-----w- c:\program files\KAZAA
2010-12-14 20:45:02 -------- d-----w- c:\docume~1\hp_owner\applic~1\Tific
2010-12-14 20:44:50 -------- d-----w- c:\docume~1\hp_owner\locals~1\applic~1\Symantec
2010-12-14 13:36:27 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-13 22:00:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\boost_interprocess

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:11 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:11 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25:53 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 14:09:07.46 ===============

#14 teacup61
  • Malware Response Team

Posted 18 December 2010 - 02:26 PM

Hi there,

Right....still some stuff there as I thought, and that includes Whitesmoke. <_<

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

FOLDER::
c:\program files\whitesmoke translator
c:\docume~1\alluse~1\applic~1\boost_interprocess
c:\program files\partygaming
c:\program files\asksbar
FILE::
c:\docume~1\alluse~1\applic~1\djH7D35k.exe
c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot of dragging CFScript onto ComboFix.exe; image not captured in this copy of the page]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Let me know how it's behaving. :)

Thanks,
tea

#15 mikemb
  • Topic Starter

Posted 18 December 2010 - 02:47 PM

ComboFix 10-12-16.05 - HP_Owner 12/18/2010 14:38:41.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.683 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt

FILE ::
"c:\docume~1\alluse~1\applic~1\djH7D35k.exe"
"c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\applic~1\boost_interprocess
c:\docume~1\alluse~1\applic~1\boost_interprocess\20101214151640.375000\GoogleImpl
c:\docume~1\alluse~1\applic~1\djH7D35k.exe
c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk
c:\documents and settings\All Users\Application Data\djH7D35k.exe
c:\program files\asksbar
c:\program files\asksbar\bar\1.bin\A2FFXTBR.JAR
c:\program files\asksbar\bar\1.bin\A2FFXTBR.MANIFEST
c:\program files\asksbar\bar\1.bin\A2HIGHIN.EXE
c:\program files\asksbar\bar\1.bin\A2NTSTBR.JAR
c:\program files\asksbar\bar\1.bin\A2NTSTBR.MANIFEST
c:\program files\asksbar\bar\1.bin\A2PLUGIN.DLL
c:\program files\asksbar\bar\1.bin\NPASKSBR.DLL
c:\program files\asksbar\bar\Cache\0001DA8C.bin
c:\program files\asksbar\bar\Cache\0001DBD4.bin
c:\program files\asksbar\bar\Cache\0001DC80.bin
c:\program files\asksbar\bar\Cache\0001DF3F.bin
c:\program files\asksbar\bar\Cache\0001E1CF.bin
c:\program files\asksbar\bar\Cache\0001E29A.bin
c:\program files\asksbar\bar\Cache\0001E385.bin
c:\program files\asksbar\bar\Cache\0001E654.bin
c:\program files\asksbar\bar\Cache\0005D180
c:\program files\asksbar\bar\Cache\00065B71
c:\program files\asksbar\bar\Cache\03460A54
c:\program files\asksbar\bar\Cache\files.ini
c:\program files\asksbar\bar\History\search2
c:\program files\asksbar\bar\Settings\prevcfg2.htm
c:\program files\asksbar\SrchAstt\1.bin\A2SRCHAS.DLL
c:\program files\partygaming
c:\program files\partygaming\images\habeas_webseal.gif
c:\program files\partygaming\INSTALL.LOG
c:\program files\partygaming\Language\en_US\lang_pack_en_US.txt
c:\program files\partygaming\MFC42LU.DLL
c:\program files\partygaming\MSLUP60.dll
c:\program files\partygaming\MSLURT.dll
c:\program files\partygaming\PartyCasino\Images\lhn_ani_refresh.gif
c:\program files\partygaming\PartyCasino\Images\loading.gif
c:\program files\partygaming\PartyCasino\Images\sys_icons.jpg
c:\program files\partygaming\PartyCasino\Images\system_but_bets.jpg
c:\program files\partygaming\PartyCasino\Images\system_but_bingo.jpg
c:\program files\partygaming\PartyCasino\Images\system_but_gammon.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\format.ini
c:\program files\partygaming\PartyCasino\Language\en_US\Images\account_but_newacobleep.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\account_button_background.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_popup-bottom.JPG
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_popup-bottomleft.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_popup-bottomleft.JPG
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_popup-bottomright.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_popup-bottomright.JPG
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_popup-left.JPG
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_popup-right.JPG
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_title-background.JPG
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_title-topleft.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_title-topleft.JPG
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_title-topright.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\active_title-topright.JPG
c:\program files\partygaming\PartyCasino\Language\en_US\Images\allversion.txt
c:\program files\partygaming\PartyCasino\Language\en_US\Images\but.bmp
c:\program files\partygaming\PartyCasino\Language\en_US\Images\but_account.bmp
c:\program files\partygaming\PartyCasino\Language\en_US\Images\but_skin.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\but_skin_account.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\client_bottom.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\client_bottom_right.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\client_gradient.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\client_lobby_left.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\client_lobby_right.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\client_top.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\connect_screen_bg.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\balance_strip.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\but_skin.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\6_bigcardback.bmp
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\bj_check.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\BlackJack.dll
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\blackjack.wav
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\blackjack\bj_table.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\blackjack\pff_betinfo.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\blackjack\version.txt
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\chip1_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\chip100_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\chip25_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\chip5_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\chip500_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\clear_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\deal_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\double_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\hit_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\insurance.wav
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\insure_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\number_circle.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\pointer_R.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\push.wav
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\repeatbet_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\result_bj.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\result_bust.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\result_insure.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\result_lost.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\result_push.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\result_won.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\split.wav
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\split_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\stand_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\surrender_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\blackjack\version.txt
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\c50.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\c95.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\Card.wav
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\card_deck.bmp
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\CardFlip.wav
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d1.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d100.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d1000.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d1k.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d2000.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d25.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d2k.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d5.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d50.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d500.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d5000.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\d5k.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\action_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\action_pending_panel.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\autostand.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\away_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\backcard.bmp
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\bj_check.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\blackjack.wav
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\card_pointer.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\card_pointer.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\chip_pointer.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\chip1_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\chip100_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\chip25_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\chip5_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\chip500_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\clear_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\deal_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\double_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\first_hand.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\game_topbar_pff.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\hit_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\iam_back_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\insurance.wav
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\leave_seat_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\looser.rgn
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\looser_popup.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\mpbj_deck.bmp
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\multiplayerbj.dll
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\multiplayerblackjack\mpbj_table.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\multiplayerblackjack\mpbj_trny_table.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\multiplayerblackjack\version.txt
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\number_circle.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\player_area.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\push.wav
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\repeatbet_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\result_bj.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\result_bust.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\result_push.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\result_won.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\sittingout_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\skip_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\split.wav
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\split_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\stand_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\surrender_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\take_seat_button.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\title_tourneybuyin.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\trny_player_area.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\trny_watcher_area.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\version.txt
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\watcher_area.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\winner.rgn
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\winners_closebutton.png
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\multiplayerbj\winners_popup.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\number_circle.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\pointer_R.gif
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\Rr.bmp
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\rules_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cardgames\version.txt
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cashier_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\cent_strip.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\chips.wav
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\exit_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\format.ini
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\game_topbar_pff.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\gamebalance_free.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\gamelogs_button.jpg
c:\program files\partygaming\PartyCasino\Language\en_US\Images\games\popup_but_cancel.gif
c:\windows\Fonts\Yuk4g0.com
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.

2010-12-17 21:09 . 2010-12-17 21:10 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\FixCleaner
2010-12-17 21:09 . 2010-12-17 21:17 -------- d-----w- c:\program files\FixCleaner
2010-12-16 21:07 . 2010-12-16 21:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-16 20:02 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 20:00 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-16 18:20 . 2010-12-16 19:06 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\NPE
2010-12-16 01:39 . 2010-12-16 01:39 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2010-12-16 00:23 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-16 00:23 . 2010-12-16 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-16 00:23 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-16 00:22 . 2010-12-16 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-16 00:20 . 2010-12-16 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-12-16 00:05 . 2010-12-16 00:05 -------- d-----w- c:\documents and settings\Administrator
2010-12-15 01:25 . 2010-12-15 01:25 -------- d-----w- c:\windows\system32\drivers\N360
2010-12-15 01:16 . 2010-12-15 01:16 9 ----a-w- c:\documents and settings\Mike\Application Data\google_u1[s7_7]rk-h.tmp
2010-12-15 00:45 . 2010-12-15 00:45 -------- d-----w- c:\program files\KAZAA
2010-12-14 22:04 . 2010-12-14 22:31 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\U3
2010-12-14 20:45 . 2010-12-14 20:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Tific
2010-12-14 20:44 . 2010-12-14 20:44 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Symantec
2010-12-14 14:07 . 2010-12-14 14:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-14 13:36 . 2010-12-14 13:42 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-14 00:25 . 2010-12-14 00:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2004-11-03 18:50 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2004-11-03 18:52 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2004-11-03 19:19 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-06 00:34 . 2004-11-03 18:50 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2004-11-03 18:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:25 . 2004-11-03 18:50 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-09-18 16:04 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-11-03 19:19 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-09-18 16:04 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-12-18_02.21.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-02-04 22:13 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
- 2007-02-04 22:13 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\RECGUARD.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-07 172032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S0 cbjtmjsu;cbjtmjsu; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/16/2010 6:49 AM 136176]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [2/5/2005 8:52 PM 83552]
.
Contents of the 'Scheduled Tasks' folder

2010-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2005-08-06 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 15:50]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 11:48]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 11:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uSearchAssistant =
uCustomizeSearch =
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.totsites.com/admin2/includes/imageuploader5_5_6/ImageUploader5.cab
DPF: {BBF89515-EDB6-4236-8FBB-B6045290076D} - hxxp://www.totsites.com/admin/includes/imageuploader/ImageUploader4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-18 14:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-12-18 14:46:02
ComboFix-quarantined-files.txt 2010-12-18 19:46
ComboFix2.txt 2010-12-18 14:15
ComboFix3.txt 2010-12-18 03:21
ComboFix4.txt 2010-12-18 02:36

Pre-Run: 161,086,992,384 bytes free
Post-Run: 161,103,613,952 bytes free

- - End Of File - - 64356113A0A81636674513724A4DDF7D