Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93117 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Help please! Can't get rid of this!

Started by veronica1010 , May 25 2010 08:26 PM

  • Please log in to reply
8 replies to this topic

#1 veronica1010

veronica1010

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 25 May 2010 - 08:26 PM

I have some kind of virus that I can't get off. Help please!!!

Hijack this log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:22:36 PM, on 5/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Sun\SDK\jdk\bin\javaw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [BbPrintMonitor] C:\Program Files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe
O4 - HKLM\..\Run: [BbInstallUser] C:\Program Files\Bluebeam Software\Pushbutton PDF\Bluebeam Admin User.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] C:\DOCUME~1\Veronica\LOCALS~1\Temp\ui5lw.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://flightsafety...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7DD51B8-E95E-4C19-A41D-1324BABE7775}: NameServer = 93.188.165.167,93.188.161.171
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5E3FD59-C290-41E1-AA77-AF12EEDA11E9}: NameServer = 93.188.165.167,93.188.161.171
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.167,93.188.161.171
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.167,93.188.161.171
O20 - Winlogon Notify: DeviceNP - DeviceNP.dll (file missing)
O20 - Winlogon Notify: OneCard - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSWA-2d7454a8 - Unknown owner - C:\WINDOWS\system32\2d7454a8.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 12004 bytes

MalwareBytes anti malware log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/25/2010 9:29:57 PM
mbam-log-2010-05-25 (21-29-57).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 289776
Time elapsed: 1 hour(s), 25 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.167,93.188.161.171 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d7dd51b8-e95e-4c19-a41d-1324babe7775}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.165.167,93.188.161.171 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d7dd51b8-e95e-4c19-a41d-1324babe7775}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.167,93.188.161.171 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f5e3fd59-c290-41e1-aa77-af12eeda11e9}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.167,93.188.161.171 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\zgbhnghl.sys (Rootkit.Agent) -> No action taken.


I was getting some weird resident shield pop up when I ran AVG so I uninstalled AVG and it seems to have disappeared. I also had music randomly play for about 15 seconds, but that seems to have stopped too. Right now the biggest problem is that it seems to be blocking me from certain websites (couldn't access MalwareBytes website and forum) along with images randomly. It's really strange! Any help is much appreciated!
Thanks!

    Advertisements

Register to Remove

#2 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,114 posts

Posted 26 May 2010 - 05:12 AM

Hi, welcome to the WTT Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:

  • Absence of symptoms does not always mean the computer is clean
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.

Download Combofix to your desktop from any of the links below.

Link 1
Link 2


==================================

Disable your antivirus/antimalware software, then double click on ComboFix.exe & follow the prompts.
When asked about the Recovery Console, please click Yes to install it.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Posted Image
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation. Posted Image
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#3 veronica1010

veronica1010

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 26 May 2010 - 08:58 AM

Here's my Combofix log:

ComboFix 10-05-25.05 - Veronica 05/26/2010 10:08:06.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1521 [GMT -4:00]
Running from: c:\documents and settings\Veronica\Desktop\ComboFix.exe
.
PEV Error: ProgramsFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ernel32.dll
.
---- Previous Run -------
.
c:\documents and settings\Veronica\Application Data\0200000019d63067922C.manifest
c:\documents and settings\Veronica\Application Data\0200000019d63067922O.manifest
c:\documents and settings\Veronica\Application Data\0200000019d63067922P.manifest
c:\documents and settings\Veronica\Application Data\0200000019d63067922S.manifest
c:\windows\system32\driVERs\zgbhnghl.sys
c:\windows\system32\ernel32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_zgbhnghl
-------\Service_zgbhnghl


((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-26 13:53 . 2010-05-26 13:53 -------- d-----w- c:\windows\LastGood
2010-05-26 13:49 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\IQ555.dll
2010-05-26 13:45 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9e17kUOCE.dll
2010-05-26 12:45 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5c555.dll
2010-05-26 02:22 . 2010-05-26 02:22 388096 ----a-r- c:\documents and settings\Veronica\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-26 02:22 . 2010-05-26 02:22 -------- d-----w- c:\program files\Trend Micro
2010-05-26 01:35 . 2010-05-26 01:35 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-05-26 01:33 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\K555w.dll
2010-05-25 23:32 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\Q1wSK17g.dll
2010-05-25 23:14 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\s93s79s.dll
2010-05-25 21:01 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\q5w5u.dll
2010-05-24 22:01 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9w17y31oC.dll
2010-05-24 19:52 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mYW931g9.dll
2010-05-24 19:44 . 2010-05-24 19:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-24 19:38 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\cE555.dll
2010-05-24 18:14 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\93179i179.dll
2010-05-24 17:57 . 2010-05-24 19:30 -------- d-----w- c:\documents and settings\Veronica\Local Settings\Application Data\ekvjtdldf
2010-05-24 17:57 . 2010-05-24 17:57 -------- d-----w- c:\documents and settings\Veronica\Application Data\7116BFF9999E6A32DF7A077908C4D824
2010-05-24 17:57 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1q9w17.dll
2010-05-24 17:57 . 2010-05-24 17:57 75776 ----a-w- c:\windows\system32\2d7454a8.exe
2010-05-24 17:50 . 2010-05-24 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-04 21:42 . 2010-01-27 23:07 1078504 ----a-w- c:\windows\system32\FontInstaller2.dll
2010-05-04 21:42 . 2010-05-04 22:32 -------- d-----w- c:\documents and settings\Veronica\Application Data\FontCreator
2010-05-04 21:42 . 2010-05-04 21:42 -------- d-----w- c:\program files\High-Logic FontCreator
2010-04-29 00:34 . 2010-05-11 21:18 -------- d-----w- c:\documents and settings\Veronica\Application Data\dvdcss
2010-04-26 23:44 . 2010-04-26 23:44 -------- d-----w- C:\lj564

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 14:49 . 2010-01-29 15:37 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-25 19:24 . 2010-04-16 21:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 15:39 . 2010-04-24 19:31 -------- d-----w- c:\documents and settings\Veronica\Application Data\vlc
2010-05-24 17:52 . 2007-07-17 04:20 105764 ----a-w- c:\windows\system32\nvModes.dat
2010-05-08 19:12 . 2010-01-27 22:01 -------- d-----w- c:\program files\Google
2010-05-06 20:59 . 2010-01-28 00:29 223152 ----a-w- c:\documents and settings\Veronica\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 19:39 . 2010-04-16 21:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-04-16 21:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 19:31 . 2010-01-28 00:28 -------- d-----w- c:\documents and settings\Veronica\Application Data\Apple Computer
2010-04-24 19:30 . 2010-04-24 19:30 -------- d-----w- c:\program files\VideoLAN
2010-04-21 15:52 . 2010-04-21 15:52 -------- d-----w- c:\program files\ESET
2010-04-19 14:52 . 2010-01-29 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-04-17 02:28 . 2010-04-17 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-17 01:56 . 2010-04-17 01:56 -------- d-----w- c:\program files\TrendMicro
2010-04-17 01:09 . 2010-04-17 00:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-16 21:12 . 2010-04-16 21:12 -------- d-----w- c:\documents and settings\Veronica\Application Data\Malwarebytes
2010-04-16 21:12 . 2010-04-16 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-28 13:47 . 2010-03-07 23:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-28 18:41 . 2010-02-28 18:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 18:41 . 2010-02-28 18:41 152576 ----a-w- c:\documents and settings\Veronica\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-07-10 20:29 . 2010-01-27 21:53 47472416 ----a-w- c:\program files\AiO_071_000_201_000_CDA_DriverOnly_Network_enu.exe
2009-07-10 00:18 . 2010-01-27 21:53 2051355 ----a-w- c:\program files\BloggerForWordSetup.exe
2009-07-09 23:55 . 2010-01-27 21:53 21935408 ----a-w- c:\program files\QuickTimeInstaller.exe
2009-06-28 19:19 . 2010-01-27 21:53 1274767 ----a-w- c:\program files\fsSetup122.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-19_14.02.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-26 13:49 . 2010-05-26 13:49 16384 c:\windows\Temp\Perflib_Perfdata_a78.dat
+ 2010-05-26 13:49 . 2010-05-26 13:49 16384 c:\windows\Temp\Perflib_Perfdata_848.dat
+ 2004-08-07 13:14 . 2010-05-24 22:07 75264 c:\windows\system32\perfc009.dat
- 2004-08-07 13:14 . 2010-04-19 13:34 75264 c:\windows\system32\perfc009.dat
+ 2004-08-04 08:00 . 2008-04-14 10:42 13824 c:\windows\system32\dllcache\wscntfy.exe
+ 2010-05-08 19:12 . 2010-05-08 19:12 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-05-08 19:12 . 2010-05-08 19:12 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-08 19:12 . 2010-05-08 19:12 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-08 19:12 . 2010-05-08 19:12 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-08 19:12 . 2010-05-08 19:12 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-08 19:12 . 2010-05-08 19:12 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-08 19:12 . 2010-05-08 19:12 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ARPPRODUCTICON.exe
+ 2010-04-26 23:48 . 2001-08-18 02:34 8192 c:\windows\system32\spool\drivers\w32x86\3\hpcstr.dll
+ 2010-04-26 23:48 . 2001-08-18 02:34 136192 c:\windows\system32\spool\drivers\w32x86\3\hpcfont.dll
- 2004-08-07 13:14 . 2010-04-19 13:34 455316 c:\windows\system32\perfh009.dat
+ 2004-08-07 13:14 . 2010-05-24 22:07 455316 c:\windows\system32\perfh009.dat
+ 2004-08-07 13:07 . 2010-05-09 20:02 2552256 c:\windows\system32\FNTCACHE.DAT
+ 2010-05-26 02:22 . 2010-05-26 02:22 1094656 c:\windows\Installer\2def9e.msi
+ 2010-05-08 19:12 . 2010-05-08 19:12 1235968 c:\windows\Installer\12e4b14b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-25 8429568]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-06-08 611712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-28 149280]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-12-24 1280272]
"BbPrintMonitor"="c:\program files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe" [2009-09-24 173216]
"BbInstallUser"="c:\program files\Bluebeam Software\Pushbutton PDF\Bluebeam Admin User.exe" [2010-02-08 38560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\Veronica\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2010-1-29 53346]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 15:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccelerometerSysTrayApplet]
2007-01-24 19:28 124928 ----a-w- c:\windows\system32\accelerometerST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CognizanceTS]
2003-12-22 17:12 17920 ----a-r- c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2007-05-03 15:52 57344 ----a-w- c:\program files\Hewlett-Packard\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-03-01 20:18 472776 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 13:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 00:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 20:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2008-04-14 10:41 177152 ----a-w- c:\windows\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 13:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-05-25 12:07 8429568 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-05-25 12:07 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-05-25 12:07 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Complete]
2007-05-08 15:38 331552 ----a-w- c:\program files\PDF Complete\pdfsty.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 22:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-05-02 23:17 163840 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-12-20 23:51 1187840 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-03-10 00:38 806912 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scheduler]
2006-10-09 18:23 697976 ----a-w- c:\windows\SMINST\Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 14:12 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 16:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-17 05:20 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-01-12 13:36 827392 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2007-05-23 16:00 192512 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"1130:TCP"= 1130:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [4/26/2007 10:23 PM 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 4:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 7:54 PM 13696]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [4/26/2007 10:23 PM 5808]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 4:00 AM 14336]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [4/27/2007 1:58 PM 221184]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [3/9/2010 2:11 PM 311568]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [7/17/2007 12:50 AM 540448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 4:13 PM 36608]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [7/17/2007 12:12 AM 47616]
S0 pcamhzy;pcamhzy; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/17/2010 7:55 PM 135664]
S2 MSWA-2d7454a8;MSWA-2d7454a8;c:\windows\system32\2d7454a8.exe [5/24/2010 1:57 PM 75776]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 4:13 PM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [4/30/2007 11:28 AM 172131]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 23:54]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 23:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Veronica\Application Data\Mozilla\Firefox\Profiles\rz0xv13t.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.ca.yahoo.com/
FF - plugin: c:\documents and settings\Veronica\Local Settings\Application Data\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 10:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\SbHpNp.DLL
c:\windows\system32\DeviceNP.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll

- - - - - - - > 'lsass.exe'(1032)
c:\windows\SbHpNp.dll
.
Completion time: 2010-05-26 10:56:37
ComboFix-quarantined-files.txt 2010-05-26 14:56
ComboFix2.txt 2010-04-19 14:03

Pre-Run: 86,971,985,920 bytes free
Post-Run: 86,935,625,728 bytes free

- - End Of File - - BC0B2F1232126CB499059A789EB3AE35

It took a couple of times to get it to run properly and give me a log at the end. Thanks for your help!

#4 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,114 posts

Posted 26 May 2010 - 09:19 AM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\Spool\prtprocs\w32x86\IQ555.dll
c:\windows\system32\Spool\prtprocs\w32x86\9e17kUOCE.dll
c:\windows\system32\Spool\prtprocs\w32x86\5c555.dll
c:\windows\system32\Spool\prtprocs\w32x86\K555w.dll
c:\windows\system32\Spool\prtprocs\w32x86\Q1wSK17g.dll
c:\windows\system32\Spool\prtprocs\w32x86\s93s79s.dll
c:\windows\system32\Spool\prtprocs\w32x86\q5w5u.dll
c:\windows\system32\Spool\prtprocs\w32x86\9w17y31oC.dll
c:\windows\system32\Spool\prtprocs\w32x86\mYW931g9.dll
c:\windows\system32\Spool\prtprocs\w32x86\cE555.dll
c:\windows\system32\Spool\prtprocs\w32x86\93179i179.dll
c:\windows\system32\Spool\prtprocs\w32x86\1q9w17.dll
c:\windows\system32\2d7454a8.exe

Driver::
pcamhzy

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Posted Image
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation. Posted Image
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#5 veronica1010

veronica1010

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 26 May 2010 - 09:38 AM

Here's the log this time:

ComboFix 10-05-25.05 - Veronica 05/26/2010 11:24:48.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1450 [GMT -4:00]
Running from: c:\documents and settings\Veronica\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Veronica\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\2d7454a8.exe"
"c:\windows\system32\Spool\prtprocs\w32x86\1q9w17.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\5c555.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\93179i179.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\9e17kUOCE.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\9w17y31oC.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\cE555.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\IQ555.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\K555w.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\mYW931g9.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\Q1wSK17g.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\q5w5u.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\s93s79s.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\2d7454a8.exe
c:\windows\system32\Spool\prtprocs\w32x86\1q9w17.dll
c:\windows\system32\Spool\prtprocs\w32x86\5c555.dll
c:\windows\system32\Spool\prtprocs\w32x86\93179i179.dll
c:\windows\system32\Spool\prtprocs\w32x86\9e17kUOCE.dll
c:\windows\system32\Spool\prtprocs\w32x86\9w17y31oC.dll
c:\windows\system32\Spool\prtprocs\w32x86\cE555.dll
c:\windows\system32\Spool\prtprocs\w32x86\IQ555.dll
c:\windows\system32\Spool\prtprocs\w32x86\K555w.dll
c:\windows\system32\Spool\prtprocs\w32x86\mYW931g9.dll
c:\windows\system32\Spool\prtprocs\w32x86\Q1wSK17g.dll
c:\windows\system32\Spool\prtprocs\w32x86\q5w5u.dll
c:\windows\system32\Spool\prtprocs\w32x86\s93s79s.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_pcamhzy
-------\Legacy_MSWA-2d7454a8
-------\Service_MSWA-2d7454a8


((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-26 13:53 . 2010-05-26 13:53 -------- d-----w- c:\windows\LastGood.Tmp
2010-05-26 02:22 . 2010-05-26 02:22 388096 ----a-r- c:\documents and settings\Veronica\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-26 02:22 . 2010-05-26 02:22 -------- d-----w- c:\program files\Trend Micro
2010-05-26 01:35 . 2010-05-26 01:35 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-05-24 19:44 . 2010-05-24 19:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-24 17:57 . 2010-05-24 19:30 -------- d-----w- c:\documents and settings\Veronica\Local Settings\Application Data\ekvjtdldf
2010-05-24 17:57 . 2010-05-24 17:57 -------- d-----w- c:\documents and settings\Veronica\Application Data\7116BFF9999E6A32DF7A077908C4D824
2010-05-24 17:50 . 2010-05-24 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-04 21:42 . 2010-01-27 23:07 1078504 ----a-w- c:\windows\system32\FontInstaller2.dll
2010-05-04 21:42 . 2010-05-04 22:32 -------- d-----w- c:\documents and settings\Veronica\Application Data\FontCreator
2010-05-04 21:42 . 2010-05-04 21:42 -------- d-----w- c:\program files\High-Logic FontCreator
2010-04-29 00:34 . 2010-05-11 21:18 -------- d-----w- c:\documents and settings\Veronica\Application Data\dvdcss
2010-04-26 23:44 . 2010-04-26 23:44 -------- d-----w- C:\lj564

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 15:30 . 2010-01-29 15:37 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-25 19:24 . 2010-04-16 21:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 15:39 . 2010-04-24 19:31 -------- d-----w- c:\documents and settings\Veronica\Application Data\vlc
2010-05-24 17:52 . 2007-07-17 04:20 105764 ----a-w- c:\windows\system32\nvModes.dat
2010-05-08 19:12 . 2010-01-27 22:01 -------- d-----w- c:\program files\Google
2010-05-06 20:59 . 2010-01-28 00:29 223152 ----a-w- c:\documents and settings\Veronica\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 19:39 . 2010-04-16 21:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-04-16 21:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 19:31 . 2010-01-28 00:28 -------- d-----w- c:\documents and settings\Veronica\Application Data\Apple Computer
2010-04-24 19:30 . 2010-04-24 19:30 -------- d-----w- c:\program files\VideoLAN
2010-04-21 15:52 . 2010-04-21 15:52 -------- d-----w- c:\program files\ESET
2010-04-19 14:52 . 2010-01-29 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-04-17 02:28 . 2010-04-17 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-17 01:56 . 2010-04-17 01:56 -------- d-----w- c:\program files\TrendMicro
2010-04-17 01:09 . 2010-04-17 00:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-16 21:12 . 2010-04-16 21:12 -------- d-----w- c:\documents and settings\Veronica\Application Data\Malwarebytes
2010-04-16 21:12 . 2010-04-16 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-28 13:47 . 2010-03-07 23:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-28 18:41 . 2010-02-28 18:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 18:41 . 2010-02-28 18:41 152576 ----a-w- c:\documents and settings\Veronica\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-07-10 20:29 . 2010-01-27 21:53 47472416 ----a-w- c:\program files\AiO_071_000_201_000_CDA_DriverOnly_Network_enu.exe
2009-07-10 00:18 . 2010-01-27 21:53 2051355 ----a-w- c:\program files\BloggerForWordSetup.exe
2009-07-09 23:55 . 2010-01-27 21:53 21935408 ----a-w- c:\program files\QuickTimeInstaller.exe
2009-06-28 19:19 . 2010-01-27 21:53 1274767 ----a-w- c:\program files\fsSetup122.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-25 8429568]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-06-08 611712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-28 149280]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-12-24 1280272]
"BbPrintMonitor"="c:\program files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe" [2009-09-24 173216]
"BbInstallUser"="c:\program files\Bluebeam Software\Pushbutton PDF\Bluebeam Admin User.exe" [2010-02-08 38560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\Veronica\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2010-1-29 53346]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 15:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccelerometerSysTrayApplet]
2007-01-24 19:28 124928 ----a-w- c:\windows\system32\accelerometerST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CognizanceTS]
2003-12-22 17:12 17920 ----a-r- c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2007-05-03 15:52 57344 ----a-w- c:\program files\Hewlett-Packard\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-03-01 20:18 472776 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 13:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 00:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 20:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2008-04-14 10:41 177152 ----a-w- c:\windows\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 13:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-05-25 12:07 8429568 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-05-25 12:07 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-05-25 12:07 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Complete]
2007-05-08 15:38 331552 ----a-w- c:\program files\PDF Complete\pdfsty.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 22:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-05-02 23:17 163840 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-12-20 23:51 1187840 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-03-10 00:38 806912 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scheduler]
2006-10-09 18:23 697976 ----a-w- c:\windows\SMINST\Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 14:12 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 16:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-17 05:20 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-01-12 13:36 827392 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2007-05-23 16:00 192512 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"1042:TCP"= 1042:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [4/26/2007 10:23 PM 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 4:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 7:54 PM 13696]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [4/26/2007 10:23 PM 5808]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 4:00 AM 14336]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [4/27/2007 1:58 PM 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [7/17/2007 12:50 AM 540448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 4:13 PM 36608]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [7/17/2007 12:12 AM 47616]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/17/2010 7:55 PM 135664]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [3/9/2010 2:11 PM 311568]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 4:13 PM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [4/30/2007 11:28 AM 172131]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 23:54]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 23:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Veronica\Application Data\Mozilla\Firefox\Profiles\rz0xv13t.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.ca.yahoo.com/
FF - plugin: c:\documents and settings\Veronica\Local Settings\Application Data\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 11:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\SbHpNp.DLL
c:\windows\system32\DeviceNP.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll

- - - - - - - > 'lsass.exe'(1028)
c:\windows\SbHpNp.dll

- - - - - - - > 'explorer.exe'(780)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-05-26 11:37:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-26 15:37
ComboFix2.txt 2010-05-26 14:56
ComboFix3.txt 2010-04-19 14:03

Pre-Run: 86,933,839,872 bytes free
Post-Run: 86,725,419,008 bytes free

- - End Of File - - 3B89A28452DDC580945F7F2D037607DC


Thanks again for your help!

#6 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,114 posts

Posted 26 May 2010 - 08:00 PM

1) MBAM
Please open Malwarebytes' Anti-Malware.
  • Once the program has loaded, update the definitions, then select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

2) ESET
You can use either Internet Explorer or Mozilla FireFox for this scan.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

3) What You Will Need To Post:
  • MBAM log
  • ESET log

Posted Image
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation. Posted Image
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#7 veronica1010

veronica1010

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 27 May 2010 - 07:21 AM

MBAM log: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4147 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 5/27/2010 2:07:38 AM mbam-log-2010-05-27 (02-07-38).txt Scan type: Quick scan Objects scanned: 133310 Time elapsed: 6 minute(s), 52 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ESET Log: ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=6b3368af95d5e64ca5987874d02e9430 # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=false # utc_time=2010-04-21 06:10:44 # local_time=2010-04-21 02:10:44 (-0500, Eastern Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 0 0 0 0 # compatibility_mode=1024 16777191 100 0 7150049 7150049 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=163721 # found=1 # cleaned=1 # scan_time=7928 C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir Win32/Olmarik.XG trojan (cleaned - quarantined) 147B401EB250AB61D1E9BD3DE08CADE2 C ESETSmartInstaller@High as downloader log: all ok # version=7 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=6b3368af95d5e64ca5987874d02e9430 # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2010-05-27 10:05:04 # local_time=2010-05-27 06:05:04 (-0500, Eastern Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 0 0 0 0 # compatibility_mode=1024 16777215 100 0 10225205 10225205 0 0 # compatibility_mode=8192 67108863 100 0 2153896 2153896 0 0 # scanned=168922 # found=27 # cleaned=0 # scan_time=14032 C:\Documents and Settings\Veronica\Application Data\Sun\Java\Deployment\cache\6.0\43\7fe5a66b-3b2a27e4 a variant of Java/Exploit.Agent.F trojan 00000000000000000000000000000000 I C:\Qoobox\Quarantine\[4]-Submit_2010-05-26_11.24.35.zip a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\Qoobox\Quarantine\C\WINDOWS\system32\ernel32.dll.vir a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir_ Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\zgbhnghl.sys.vir Win32/Bubnix.AO trojan 00000000000000000000000000000000 I C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\_zgbhnghl_.sys.zip Win32/Bubnix.AO trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1\A0000027.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1\A0000079.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1\A0000095.exe a variant of Win32/Kryptik.EOL trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP1\A0000104.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP3\A0000211.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP3\A0000225.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0000343.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0000360.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0000459.sys Win32/Bubnix.AO trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001690.exe a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001691.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001692.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001693.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001694.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001695.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001696.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001697.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001698.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001699.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001700.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4\A0001701.dll a variant of Win32/Kryptik.EHM trojan 00000000000000000000000000000000 I

#8 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,114 posts

Posted 28 May 2010 - 07:22 AM

Sorry for the delay. :blush:

Looking all clean. :)

The following will implement some cleanup procedures as well as reset System Restore points:

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    Posted Image
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

You can remove any other tools and resulting logs that we have used. Keep Malwarebytes and update/scan with that weekly.

How to reduce your chances of infection in the future

Web Browsers
Internet Explorer does come pre-installed with all Windows machines - but this doesn't necessarily mean you have to use it! Because it is the most widely used browser, it is targeted by more malware writers, making you more susceptible to infection. There are many other free alternatives out there that offer better security, take one of these for a spin and see if it takes your fancy.
Mozilla Firefox
Google Chrome
Opera

WOT - Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an addon available for Firefox, Google Chrome and Internet Explorer.

If you would prefer to keep using Internet Explorer, follow these additional steps to make the browser more secure.
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Additional Security Measures
Keep your software up-to-date - You should be manually performing updates of your software once a week to ensure that you are current with anti-virus definitions and patched for any security vulnerabilities. This does not just apply to your anti-virus/anti-malware software; malware authors rely on exploiting commonly used software such as Java and Adobe Reader, which need to be kept up to date as well.

Keep Windows up-to-date - Use Windows Update regularly to stay current with security patches and service packs.

MVPS Hosts File - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

Firewalls - Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient - but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly.

What Not To Do
The Perils of P2P File Sharing - Even if a P2P application is on the 'safe' list, malware can still be downloaded through infected files - executables, zip files and even MP3s. It is just not worth the risk.

Fake Security/Optimization Software - Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Additional Reading
How to prevent Malware - I strongly recommend that you read Miekiemoses' good advice

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
Posted Image
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation. Posted Image
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#9 veronica1010

veronica1010

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 28 May 2010 - 01:39 PM

Thank you so much for your help! Both times I've gotten a fake anti-malware virus it's been from using Ninja Video streaming tv episodes. Needless to say I won't be using their site any more. I really appreciate you taking the time to help. You've saved my laptop and all my wedding info!!!! :wub:

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·