Win32:TratBHO and now Win32:Inject-EV [RESOLVED]


  • This topic is locked

#1 dogmom (New Member, 7 posts)

Hello! I am new here and having frustrations. Long story short... first experience with malware, and it's been a LONG month. After much trial and tribulation, I did a PC restore. All was well for a week and then it started again. I have avast installed and running. Now I also have AdAware, Spybot, and SpywareBlaster. After reading logs on your site about TratBHO (which was causing the initial problem), I downloaded & ran VundoFix. It found and removed Virtumonde. All was well until this afternoon, when avast found another instance of TratBHO and now an instance of Inject-EV. Spybot gives me constant warning boxes about values changed in the start-up menu. I'm running Spybot as I am typing this and it has found another Virtumonde.

I am not totally computer literate, but I will do my best to provide you with the information to clear this mess up. I sure thought I'd be safer after a PC restore, but I am frustrated again.

Thanks in advance for your help!

Kari in Tennessee


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hello dogmom

Welcome to G2Go. :)
=====================
* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree
  • Then Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


#3 dogmom (Topic Starter, New Member, 7 posts)

Thanks for your help! I'll look forward to your reply for my next step...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:46 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BM9792cda6] Rundll32.exe "C:\WINDOWS\system32\jcflwtem.dll",s
O4 - HKLM\..\Run: [94a1fe3a] rundll32.exe "C:\WINDOWS\system32\rsiyeivl.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9286 bytes
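The HijackThis log above is read by hand in this thread; the following script is an added example (not part of the thread and not a tool the helper or the forum uses) that applies the same triage to the O2/O4/O20 lines automatically. The sample lines are constructed from entries in this thread's logs, and the "random-looking name" heuristic and the Finding type are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: entries copied in shape from the HijackThis logs posted in
# this thread, mixed with known-good lines so the filter has something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {94260824-39E0-45F8-9730-B65D920FBF4F} - C:\WINDOWS\system32\vtutq.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM9792cda6] Rundll32.exe "C:\WINDOWS\system32\jcflwtem.dll",s
O4 - HKLM\..\Run: [94a1fe3a] rundll32.exe "C:\WINDOWS\system32\rsiyeivl.dll",b
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry was flagged
    line: str      # the original log line


# Vundo-style loader: rundll32 loading a DLL out of system32 and calling a
# one-letter export, the pattern seen twice in the O4 section of the posted log.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<path>[^"]+\\system32\\(?P<name>[a-z]{5,8})\.dll)"?,\s*[a-z]\b',
    re.IGNORECASE,
)
# Run value names that are hex/random strings rather than a product name.
RANDOM_VALUE_RE = re.compile(r"^\[(?:BM)?[0-9a-f]{8,10}\]$")
# O2 BHO lines: "(no name)" plus a DLL in system32, often "(file missing)" once a
# scanner has deleted the file but left the CLSID registration behind.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<title>.*?) - \{(?P<clsid>[0-9A-F-]{36})\} - "
    r"(?P<path>.*?\\(?P<name>[^\\]+)\.dll)(?P<missing> \(file missing\))?$",
    re.IGNORECASE,
)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Crude heuristic (assumption): 5-8 lowercase letters with no product-like shape."""
    return name.islower() and name.isalpha() and 5 <= len(name) <= 8


def triage(log: str) -> List[Finding]:
    """Return the log lines a reviewer should look at first, in log order."""
    findings: List[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O4":
            m = RUNDLL_RE.search(line)
            if m and looks_random(m.group("name")):
                findings.append(Finding("O4", "rundll32 loads random-named system32 DLL "
                                              "via one-letter export", line))
                continue
            value = re.search(r"Run: (\[[^\]]+\])", line)
            if value and RANDOM_VALUE_RE.match(value.group(1)):
                findings.append(Finding("O4", "random Run value name", line))
        elif section == "O2":
            m = BHO_RE.match(line)
            if m and (m.group("title") == "(no name)" or looks_random(m.group("name"))):
                reason = "unnamed BHO pointing at random-named DLL"
                if m.group("missing"):
                    reason += " (file missing: orphaned CLSID registration)"
                findings.append(Finding("O2", reason, line))
        elif section == "O20":
            if APPINIT_RE.match(line):
                # AppInit_DLLs is loaded into every user-mode process that links
                # user32; legitimate entries exist (as here), so flag for review only.
                findings.append(Finding("O20", "AppInit_DLLs entry; verify the DLL", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```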

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

You are welcome :)

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 dogmom (Topic Starter, New Member, 7 posts)

Here are the requested logs...


ComboFix 08-03-07.4 - Kari Lawson 2008-03-08 18:37:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.120 [GMT -6:00]
Running from: C:\Documents and Settings\Kari Lawson\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM9792cda6.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\beprcfst.dll
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\dfeeuoug.dll
C:\WINDOWS\system32\drrgiluq.ini
C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\egjlm.ini2
C:\WINDOWS\system32\flmqhwre.dll
C:\WINDOWS\system32\gwxrptvs.dll
C:\WINDOWS\system32\ijhpkeis.dll
C:\WINDOWS\system32\jcflwtem.dll
C:\WINDOWS\system32\jfgwmshx.ini
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\lvieyisr.ini
C:\WINDOWS\system32\lxeqmgap.dll
C:\WINDOWS\system32\niagjuvr.dll
C:\WINDOWS\system32\psxsrmox.dll
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2
C:\WINDOWS\system32\quligrrd.dll
C:\WINDOWS\system32\rsiyeivl.dll
C:\WINDOWS\system32\siekphji.ini
C:\WINDOWS\system32\ssetbmpn.dll
C:\WINDOWS\system32\svvwa.ini
C:\WINDOWS\system32\svvwa.ini2
C:\WINDOWS\system32\wbhmthob.dll
C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\xbadd.ini2
C:\WINDOWS\system32\xhsmwgfj.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-08 17:32 . 2008-03-08 17:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-06 21:41 . 2008-03-06 21:55 <DIR> d-------- C:\VundoFix Backups
2008-03-06 21:40 . 2001-05-21 11:46 198,656 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-03-06 21:09 . 2008-03-06 21:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-06 17:38 . 2008-03-08 09:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-06 17:37 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-04 21:34 . 2008-03-04 21:34 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\Snapfish
2008-03-04 15:54 . 2008-03-07 20:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-01 20:16 . 2008-03-01 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-28 18:38 . 2008-02-28 18:38 <DIR> d-------- C:\WINDOWS\Sun
2008-02-25 18:40 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-02-25 18:40 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-25 18:40 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-25 18:40 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-02-25 10:45 . 2008-03-04 21:34 1,780 --a------ C:\WINDOWS\mozver.dat
2008-02-24 22:26 . 2008-02-24 22:26 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-24 22:26 . 2008-02-24 22:26 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\AdobeUM
2008-02-24 20:46 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-24 10:40 . 2008-02-24 10:40 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-24 10:24 . 2007-08-21 00:15 683,520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-02-24 10:17 . 2007-07-09 07:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-24 10:12 . 2006-03-20 21:23 23,040 --------- C:\WINDOWS\kb913800.exe
2008-02-24 10:02 . 2006-12-06 22:14 2,330,624 --------- C:\WINDOWS\system32\dllcache\wmvcore.dll
2008-02-24 10:00 . 2006-07-13 02:48 202,240 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-02-23 21:46 . 2008-02-23 21:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 21:46 . 2008-02-23 22:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-23 21:19 . 2008-02-23 21:19 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-23 21:18 . 2008-02-23 21:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-23 21:18 . 2008-02-23 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-23 20:44 . 2006-12-26 07:07 536,576 --------- C:\WINDOWS\system32\dllcache\msado15.dll
2008-02-23 20:44 . 2006-12-26 07:07 200,704 --------- C:\WINDOWS\system32\dllcache\msadox.dll
2008-02-23 20:44 . 2006-12-26 07:07 180,224 --------- C:\WINDOWS\system32\dllcache\msadomd.dll
2008-02-23 20:44 . 2006-12-26 07:07 102,400 --------- C:\WINDOWS\system32\dllcache\msjro.dll
2008-02-23 20:43 . 2006-12-14 07:45 981,760 --------- C:\WINDOWS\system32\dllcache\mfc42u.dll
2008-02-23 20:43 . 2006-11-01 13:17 927,504 --------- C:\WINDOWS\system32\dllcache\mfc40u.dll
2008-02-23 20:43 . 2006-06-26 11:37 148,480 --------- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-23 20:43 . 2006-06-26 11:37 8,192 --------- C:\WINDOWS\system32\dllcache\rasadhlp.dll
2008-02-23 20:21 . 2008-02-23 20:21 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\Leadertech
2008-02-23 20:20 . 2008-02-23 20:20 4,128 --a------ C:\INFCACHE.1
2008-02-23 20:18 . 2008-03-06 17:17 <DIR> d-------- C:\Program Files\Palm
2008-02-23 20:18 . 2008-02-23 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2008-02-23 20:18 . 2008-02-23 20:17 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2008-02-23 20:17 . 2008-02-23 20:17 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\HotSync
2008-02-23 20:15 . 2008-02-23 20:15 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2008-02-23 20:15 . 2008-02-23 20:15 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-02-23 20:15 . 2004-07-08 16:41 17,864 --a------ C:\WINDOWS\system32\KPD.xml
2008-02-23 20:15 . 2004-04-08 10:41 14,739 --a------ C:\WINDOWS\system32\natural.tli
2008-02-23 20:15 . 2004-06-28 15:57 14,739 --a------ C:\WINDOWS\system32\nat3.tli
2008-02-23 20:15 . 2004-04-08 10:41 14,739 --a------ C:\WINDOWS\system32\nat2.tli
2008-02-23 20:15 . 2004-04-08 10:41 14,739 --a------ C:\WINDOWS\system32\enhanced.tli
2008-02-23 20:15 . 2004-06-28 15:57 14,739 --a------ C:\WINDOWS\system32\enh3.tli
2008-02-23 20:15 . 2004-06-08 14:58 14,739 --a------ C:\WINDOWS\system32\enh2.tli
2008-02-23 20:15 . 2004-07-08 16:41 1,332 --a------ C:\WINDOWS\system32\KPDIDs.xml
2008-02-23 20:14 . 2008-02-23 20:14 <DIR> d-------- C:\WINDOWS\system32\color
2008-02-23 20:14 . 2008-02-23 20:14 <DIR> d-------- C:\KPCMS
2008-02-23 20:13 . 2008-02-23 20:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-02-23 20:12 . 2008-02-23 20:15 <DIR> d-------- C:\Program Files\Kodak
2008-02-23 20:10 . 2003-03-24 16:52 94,208 --a------ C:\WINDOWS\system32\dllcache\fpencode.dll
2008-02-23 20:10 . 2008-02-23 20:10 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-23 20:08 . 2008-02-23 20:08 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-23 20:07 . 2008-02-23 20:07 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\Microsoft Web Folders
2008-02-23 19:19 . 2008-02-23 19:19 2 --a------ C:\WINDOWS\msoffice.ini
2008-02-23 18:30 . 2008-02-23 18:30 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-23 18:26 . 2008-02-23 18:29 <DIR> d-------- C:\Program Files\Firefox
2008-02-23 18:23 . 2008-02-23 18:23 <DIR> d-------- C:\Program Files\DellSupport
2008-02-23 18:20 . 2008-02-23 18:20 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-23 18:20 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-23 18:20 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-23 18:20 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-23 18:20 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-23 18:20 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-23 18:20 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-23 18:20 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-23 18:20 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-23 16:01 . 2008-02-23 16:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2008-02-23 16:01 . 2008-02-23 16:01 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\McAfee.com Personal Firewall
2008-02-23 16:00 . 2008-02-23 16:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-02-23 16:00 . 2006-06-05 17:36 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\Symantec
2008-02-23 16:00 . 2006-06-05 17:24 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\Intel
2008-02-23 16:00 . 2008-02-23 18:29 <DIR> d--h----- C:\Documents and Settings\Kari Lawson\Application Data\Gtek
2008-02-23 15:55 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-23 15:55 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-23 15:55 . 2008-02-23 15:55 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-02-23 15:54 . 2004-08-03 23:07 8,832 --a------ C:\WINDOWS\system32\drivers\wmiacpi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 02:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-24 02:17 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2008-02-24 02:07 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-24 01:53 --------- d-----w C:\Program Files\Google
2008-02-24 01:19 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-24 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-24 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB0F4C3-9A66-4DB1-927F-EBA4C8197701}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94260824-39E0-45F8-9730-B65D920FBF4F}]
C:\WINDOWS\system32\vtutq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B47F0EB7-85D6-41F0-A7BD-706FD3D41B0E}]
C:\WINDOWS\system32\awvvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9D26A41-718F-4A49-92AB-98D4952C308D}]
C:\WINDOWS\system32\mljge.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDFA76B8-3FAD-4851-B99A-550F01EB699E}]
C:\WINDOWS\system32\pmkjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED120D76-BF31-412C-A99B-783C6676E128}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 01:24 20480]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-23 18:07 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 15:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 15:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 15:45 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 10:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 10:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 13:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 13:58 1032192]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 10:56 761947]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 19:29 49152]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 14:30 58992]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 15:05 1537696]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-05 17:45 169472]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 18:05 1117184]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 18:20 110592]

C:\Documents and Settings\Kari Lawson\Start Menu\Programs\Startup\
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2005-08-08 12:36:14 2494464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-05 17:29:15 24576]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgdax]
iifgdax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 18:41:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-03-08 18:44:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-09 00:43:56
.
2008-02-25 04:42:24 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:31 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {94260824-39E0-45F8-9730-B65D920FBF4F} - C:\WINDOWS\system32\vtutq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B47F0EB7-85D6-41F0-A7BD-706FD3D41B0E} - C:\WINDOWS\system32\awvvs.dll (file missing)
O2 - BHO: (no name) - {B9D26A41-718F-4A49-92AB-98D4952C308D} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {DDFA76B8-3FAD-4851-B99A-550F01EB699E} - C:\WINDOWS\system32\pmkjj.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: iifgdax - iifgdax.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10404 bytes
  • 0

#6
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB0F4C3-9A66-4DB1-927F-EBA4C8197701}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94260824-39E0-45F8-9730-B65D920FBF4F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B47F0EB7-85D6-41F0-A7BD-706FD3D41B0E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9D26A41-718F-4A49-92AB-98D4952C308D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDFA76B8-3FAD-4851-B99A-550F01EB699E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED120D76-BF31-412C-A99B-783C6676E128}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgdax]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply: Combofix.txt
===============================================================================
Then::

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0
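
The CFScript above maps the log's orphaned O2 BHO and O20 Winlogon Notify entries to registry deletions. The following Python parser is an added example (not the helper's script or any tool on this page) that flags those entries in HijackThis log lines and emits the equivalent Registry:: block; the sample lines are copied from the thread's log, while the function names and the "random-looking DLL name" rule are this example's own assumptions.

```python
"""Flag Vundo-style O2/O20 entries in a HijackThis log and emit the matching
ComboFix CFScript "Registry::" removal lines.

Added example for this thread; not part of HijackThis, ComboFix, or the
helper's own script.  The sample lines below are copied from the HJT log
posted in the thread (with a couple of clean entries for contrast); the
function names and the "random-looking DLL name" rule are this example's
own heuristics, meant to produce a review list, not an automatic cleanup.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six lines in HijackThis log format, taken from the
# O2 (BHO) and O20 sections of the log in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {94260824-39E0-45F8-9730-B65D920FBF4F} - C:\WINDOWS\system32\vtutq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B47F0EB7-85D6-41F0-A7BD-706FD3D41B0E} - C:\WINDOWS\system32\awvvs.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: iifgdax - iifgdax.dll (file missing)
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")
# Heuristic (this example's assumption): Vundo dropped DLLs with short,
# random lowercase names such as vtutq.dll or awvvs.dll.
RANDOM_DLL_RE = re.compile(r"^[a-z]{5}\.dll$")


@dataclass
class Finding:
    kind: str    # "bho" or "winlogon_notify"
    ident: str   # CLSID for a BHO, subkey name for a Winlogon Notify entry
    target: str  # DLL path or name exactly as HijackThis printed it
    reason: str


def _basename(path: str) -> str:
    """Strip HJT's '(file missing)' suffix and return the lowercased file name."""
    return path.replace(" (file missing)", "").rsplit("\\", 1)[-1].lower()


def bho_reason(name: str, path: str) -> Optional[str]:
    """Why an O2 line deserves attention, or None if it looks like a normal BHO."""
    unnamed = name == "(no name)"
    missing = path.endswith("(file missing)")
    if unnamed and missing:
        return "unnamed BHO whose DLL is already gone (typical Virtumonde remnant)"
    if unnamed and RANDOM_DLL_RE.match(_basename(path)):
        return "unnamed BHO loading a random-looking 5-letter DLL"
    return None


def notify_reason(dll: str) -> Optional[str]:
    """Winlogon Notify DLLs are loaded by winlogon.exe at logon; a dangling
    one is an orphaned persistence hook, not a normal Windows component."""
    if dll.endswith("(file missing)"):
        return "Winlogon Notify hook pointing at a missing DLL"
    return None


def parse_hjt(text: str) -> List[Finding]:
    """Walk a HijackThis log and collect suspicious O2 / O20 entries in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            reason = bho_reason(m["name"], m["path"])
            if reason:
                findings.append(Finding("bho", m["clsid"], m["path"], reason))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            reason = notify_reason(m["dll"])
            if reason:
                findings.append(Finding("winlogon_notify", m["key"], m["dll"], reason))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render the findings as CFScript 'Registry::' deletions, using the same
    key shorthand (HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects) as the
    script posted in this thread."""
    lines = ["Registry::"]
    for f in findings:
        if f.kind == "bho":
            lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f.ident}]")
        else:
            lines.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                         f"\\currentversion\\winlogon\\notify\\{f.ident}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT_LOG)
    for f in found:
        print(f"{f.kind}: {f.ident} -> {f.target}  [{f.reason}]")
    print()
    print(build_cfscript(found), end="")
```

The AppInit_DLLs line is deliberately left untouched: it is a Google Desktop component here, and the script on this page did not remove it.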

#7
dogmom
    New Member
  • Topic Starter
  • Member
  • 7 posts
ComboFix 08-03-07.4 - Kari Lawson 2008-03-08 20:28:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.161 [GMT -6:00]
Running from: C:\Documents and Settings\Kari Lawson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kari Lawson\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-08 17:32 . 2008-03-08 17:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-06 21:41 . 2008-03-06 21:55 <DIR> d-------- C:\VundoFix Backups
2008-03-06 21:40 . 2001-05-21 11:46 198,656 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-03-06 21:09 . 2008-03-06 21:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-06 17:38 . 2008-03-08 09:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-06 17:37 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-04 21:34 . 2008-03-04 21:34 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\Snapfish
2008-03-04 15:54 . 2008-03-07 20:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-01 20:16 . 2008-03-01 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-28 18:38 . 2008-02-28 18:38 <DIR> d-------- C:\WINDOWS\Sun
2008-02-25 18:40 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-02-25 18:40 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-25 18:40 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-25 18:40 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-02-25 10:45 . 2008-03-04 21:34 1,780 --a------ C:\WINDOWS\mozver.dat
2008-02-24 22:26 . 2008-02-24 22:26 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-24 22:26 . 2008-02-24 22:26 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\AdobeUM
2008-02-24 20:46 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-24 10:40 . 2008-02-24 10:40 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-24 10:24 . 2007-08-21 00:15 683,520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-02-24 10:17 . 2007-07-09 07:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-24 10:12 . 2006-03-20 21:23 23,040 --------- C:\WINDOWS\kb913800.exe
2008-02-24 10:02 . 2006-12-06 22:14 2,330,624 --------- C:\WINDOWS\system32\dllcache\wmvcore.dll
2008-02-24 10:00 . 2006-07-13 02:48 202,240 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-02-23 21:46 . 2008-02-23 21:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 21:46 . 2008-02-23 22:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-23 21:19 . 2008-02-23 21:19 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-23 21:18 . 2008-02-23 21:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-23 21:18 . 2008-02-23 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-23 20:44 . 2006-12-26 07:07 536,576 --------- C:\WINDOWS\system32\dllcache\msado15.dll
2008-02-23 20:44 . 2006-12-26 07:07 200,704 --------- C:\WINDOWS\system32\dllcache\msadox.dll
2008-02-23 20:44 . 2006-12-26 07:07 180,224 --------- C:\WINDOWS\system32\dllcache\msadomd.dll
2008-02-23 20:44 . 2006-12-26 07:07 102,400 --------- C:\WINDOWS\system32\dllcache\msjro.dll
2008-02-23 20:43 . 2006-12-14 07:45 981,760 --------- C:\WINDOWS\system32\dllcache\mfc42u.dll
2008-02-23 20:43 . 2006-11-01 13:17 927,504 --------- C:\WINDOWS\system32\dllcache\mfc40u.dll
2008-02-23 20:43 . 2006-06-26 11:37 148,480 --------- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-23 20:43 . 2006-06-26 11:37 8,192 --------- C:\WINDOWS\system32\dllcache\rasadhlp.dll
2008-02-23 20:21 . 2008-02-23 20:21 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\Leadertech
2008-02-23 20:20 . 2008-02-23 20:20 4,128 --a------ C:\INFCACHE.1
2008-02-23 20:18 . 2008-03-06 17:17 <DIR> d-------- C:\Program Files\Palm
2008-02-23 20:18 . 2008-02-23 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2008-02-23 20:18 . 2008-02-23 20:17 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2008-02-23 20:17 . 2008-02-23 20:17 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\HotSync
2008-02-23 20:15 . 2008-02-23 20:15 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2008-02-23 20:15 . 2008-02-23 20:15 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-02-23 20:15 . 2004-07-08 16:41 17,864 --a------ C:\WINDOWS\system32\KPD.xml
2008-02-23 20:15 . 2004-04-08 10:41 14,739 --a------ C:\WINDOWS\system32\natural.tli
2008-02-23 20:15 . 2004-06-28 15:57 14,739 --a------ C:\WINDOWS\system32\nat3.tli
2008-02-23 20:15 . 2004-04-08 10:41 14,739 --a------ C:\WINDOWS\system32\nat2.tli
2008-02-23 20:15 . 2004-04-08 10:41 14,739 --a------ C:\WINDOWS\system32\enhanced.tli
2008-02-23 20:15 . 2004-06-28 15:57 14,739 --a------ C:\WINDOWS\system32\enh3.tli
2008-02-23 20:15 . 2004-06-08 14:58 14,739 --a------ C:\WINDOWS\system32\enh2.tli
2008-02-23 20:15 . 2004-07-08 16:41 1,332 --a------ C:\WINDOWS\system32\KPDIDs.xml
2008-02-23 20:14 . 2008-02-23 20:14 <DIR> d-------- C:\WINDOWS\system32\color
2008-02-23 20:14 . 2008-02-23 20:14 <DIR> d-------- C:\KPCMS
2008-02-23 20:13 . 2008-02-23 20:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-02-23 20:12 . 2008-02-23 20:15 <DIR> d-------- C:\Program Files\Kodak
2008-02-23 20:10 . 2003-03-24 16:52 94,208 --a------ C:\WINDOWS\system32\dllcache\fpencode.dll
2008-02-23 20:10 . 2008-02-23 20:10 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-23 20:08 . 2008-02-23 20:08 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-23 20:07 . 2008-02-23 20:07 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\Microsoft Web Folders
2008-02-23 19:19 . 2008-02-23 19:19 2 --a------ C:\WINDOWS\msoffice.ini
2008-02-23 18:30 . 2008-02-23 18:30 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-23 18:26 . 2008-02-23 18:29 <DIR> d-------- C:\Program Files\Firefox
2008-02-23 18:23 . 2008-02-23 18:23 <DIR> d-------- C:\Program Files\DellSupport
2008-02-23 18:20 . 2008-02-23 18:20 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-23 18:20 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-23 18:20 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-23 18:20 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-23 18:20 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-23 18:20 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-23 18:20 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-23 18:20 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-23 18:20 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-23 16:01 . 2008-02-23 16:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2008-02-23 16:01 . 2008-02-23 16:01 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\McAfee.com Personal Firewall
2008-02-23 16:00 . 2008-02-23 16:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-02-23 16:00 . 2006-06-05 17:36 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\Symantec
2008-02-23 16:00 . 2006-06-05 17:24 <DIR> d-------- C:\Documents and Settings\Kari Lawson\Application Data\Intel
2008-02-23 16:00 . 2008-02-23 18:29 <DIR> d--h----- C:\Documents and Settings\Kari Lawson\Application Data\Gtek
2008-02-23 15:55 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-23 15:55 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-23 15:55 . 2008-02-23 15:55 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-02-23 15:54 . 2004-08-03 23:07 8,832 --a------ C:\WINDOWS\system32\drivers\wmiacpi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 02:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-24 02:17 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2008-02-24 02:07 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-24 01:53 --------- d-----w C:\Program Files\Google
2008-02-24 01:19 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-24 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-24 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 01:24 20480]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-23 18:07 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 15:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 15:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 15:45 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 10:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 10:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 13:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 13:58 1032192]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 10:56 761947]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 19:29 49152]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 14:30 58992]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 15:05 1537696]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-05 17:45 169472]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 18:05 1117184]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 18:20 110592]

C:\Documents and Settings\Kari Lawson\Start Menu\Programs\Startup\
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2005-08-08 12:36:14 2494464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-05 17:29:15 24576]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 20:29:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-08 20:30:23
ComboFix-quarantined-files.txt 2008-03-09 02:30:21
ComboFix2.txt 2008-03-09 00:44:01
.
2008-02-25 04:42:24 --- E O F ---





Malwarebytes' Anti-Malware 1.07
Database version: 470

Scan type: Full Scan (C:\|)
Objects scanned: 64741
Time elapsed: 10 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed120d76-bf31-412c-a99b-783c6676e128} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#8
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  • 0

#9
dogmom
    New Member
  • Topic Starter
  • Member
  • 7 posts
Good morning! When I click on the "Scan your PC" button at the Panda site, a new window pops up, but it is empty. I tried the "Scan your PC now" button, too, with the same results. It says it is done loading, but nothing appears - no prompts or anything. What should I do next?

Thanks again!
  • 0

#10
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Try this one then.


Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#11
dogmom
    New Member
  • Topic Starter
  • Member
  • 7 posts
I was able to use Panda through IE (it didn't work via Firefox). Here is the result from the Panda report:


Incident Status Location

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Kari Lawson\Application Data\Mozilla\Firefox\Profiles\p5s5inii.default\cookies.txt[.go.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Kari Lawson\Application Data\Mozilla\Firefox\Profiles\p5s5inii.default\cookies.txt[.target.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Kari Lawson\Application Data\Mozilla\Firefox\Profiles\p5s5inii.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Kari Lawson\Cookies\kari lawson@com[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Kari Lawson\Cookies\kari lawson@toplist[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\dfeeuoug.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\flmqhwre.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\niagjuvr.dll.vir
  • 0

#12
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
It won't work through Firefox.

Please delete your cookies in Firefox.

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Posted Image

The above procedure will delete and do the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete/uninstall anything that we used that is left over.
===============================================
After that Your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0

#13
dogmom
    New Member
  • Topic Starter
  • Member
  • 7 posts
I deleted the cookies in Firefox. Were the Virtumonde found by the Panda scan deleted, too?

I completed the run command and it was successful. Should I delete or keep HJT? What about MalwareBytes?

Thank you for all of your assistance!! I read the article you suggested. Should I turn off the Windows Firewall before or after I download one of the suggested alternatives?

I appreciate your help very much! :)
  • 0

#14
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Yes, doing the uninstall for ComboFix deletes the Vundo files detected by Panda.
You can delete HijackThis via uninstall and also uninstall Malwarebytes Anti-Malware.

Yes, turn off the Windows Firewall before installing and running another.

You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#15
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
