Christine

Members
Content count: 14
Rank: New Member

  1. Hi Maurice - I ran the Full Scan on Symantec and the only 3 files it found and quarantined were in the SmitFraudFix folder which was still on my desktop (IEDFix.exe, IEDFix.C.exe or 404Fix.exe) and there is no need to worry about them as stated in your previous email. Is there an export or a report that you want to see from the Full Scan? I am not sure where to look. And I rebooted with no RUNDLL popup or anything else that looked odd. Thanks, Christine
  2. Thanks Maurice! Here is the result of the rapport.txt file - SmitfraudFix worked just fine. I'll now continue with the Symantec scan.

     SmitFraudFix v2.380

     Scan done at 10:06:16.31, Tue 12/02/2008
     Run from C:\Documents and Settings\CMC\Desktop\SmitfraudFix
     OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
     The filesystem type is NTFS
     Fix run in safe mode
  3. Maurice - SmitfraudFix didn't work exactly as you wrote it should. It downloaded an exe file instead of a zip file. The siri.geekstogo.com website instructions said to click the exe file, which brought up a red screen (as well as 2 Symantec warnings). The screen said:

     SmitFraudFiix v2.380
     IEDFix.exe file missing !
     Unzip all the archive in a folder.
     Press any key to continue....

     It did create a folder on the desktop which had several files but not the IEDFix.exe one. I deleted the files & folder but now fear I may have done something wrong. Christine
  4. Well what do you know - SDFIX worked this time! I feel like we are making progress. Here are the contents of the Report.txt file. Next I shall run the SmitfraudFix.

     SDFix: Version 1.240
     Run by CMC on Mon 12/01/2008 at 08:45 PM
     Microsoft Windows XP [Version 5.1.2600]
     Running From: C:\SDFix

     Checking Services :

     Restoring Default Security Values
     Restoring Default Hosts File

     Rebooting

     Checking Files :
     No Trojan Files Found

     Removing Temp Files

     ADS Check :

     Final Check :

     catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2008-12-01 20:58:54
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...
     scanning hidden services & system hive ...
     scanning hidden registry entries ...
     scanning hidden files ...

     scan completed successfully
     hidden processes: 0
     hidden services: 0
     hidden files: 0

     Remaining Services :

     Authorized Application Key Export:

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
     "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
     "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
     "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
     "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
     "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
     "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
     "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

     Remaining Files :

     Files with Hidden Attributes :

     Wed 22 Oct 2008       949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
     Mon 15 Sep 2008     1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
     Mon  7 Jul 2008     1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
     Mon  7 Jul 2008     4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
     Tue 16 Sep 2008     1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
     Wed 22 Oct 2008       962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
     Thu 27 Nov 2008         2,713 ..SH. --- "C:\WINDOWS\system32\fohuzizu.exe"
     Sat 29 Nov 2008         2,713 ..SH. --- "C:\WINDOWS\system32\tagerako.exe"
     Tue  5 Sep 2006         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
     Sun 17 Aug 2008             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
     Sun  8 Oct 2006        19,456 ...H. --- "C:\Documents and Settings\CMC\Application Data\Microsoft\Word\~WRL0003.tmp"
     Wed  4 Oct 2006     3,072,000 A..H. --- "C:\Documents and Settings\CMC\Application Data\U3\temp\Launchpad Removal.exe"

     Finished!
  5. And here are the results from Viruscan.org for tagerako.exe and fohuzizu.exe. Again, they had already been uploaded and scanned by others but I had the site rescan them. I will try running SDFIX next and report back!

     File information
     File Name : tagerako.exe
     File Size : 2713 byte
     File Type : UTF-8 Unicode HTML document text, with CRLF line terminators
     MD5 : 4bcfe9f8db04948cddb5e31fe6a7f984
     SHA1 : 42464c70fc16f3f361c2419751acd57d51613cdf

     Scanner results
     Scanner results : All Scanners reported not find malware!
     Time : 2008/12/01 20:31:45 (PST)

     Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
     a-squared | 4.0.0.27 | 20081202013306 | 2008-12-02 | - | 4.713
     AhnLab V3 | 2008.12.02.01 | 2008.12.02 | 2008-12-02 | - | 1.090
     AntiVir | 7.9.0.36 | 7.1.0.170 | 2008-12-01 | - | 1.577
     Antiy | 2.0.18 | 20081201.1772504 | 2008-12-01 | - | 0.120
     Arcavir | 1.0.5 | 200811291125 | 2008-11-29 | - | 1.185
     Authentium | 5.1.1 | 200812012220 | 2008-12-01 | - | 1.053
     AVAST! | 3.0.1 | 081201-0 | 2008-12-01 | - | 0.735
     AVG | 7.5.52.442 | 270.9.12/1823 | 2008-12-01 | - | 1.729
     BitDefender | 7.81008.2319319 | 7.22233 | 2008-12-02 | - | 2.114
     CA (VET) | 9.0.0.143 | 31.6.6236 | 2008-12-01 | - | 5.386
     ClamAV | 0.94.1 | 8706 | 2008-12-02 | - | 0.004
     Comodo | 3.0 | 662 | 2008-12-01 | - | 0.795
     CP Secure | 1.1.0.715 | 2008.12.01 | 2008-12-01 | - | 5.939
     Dr.Web | 4.44.0.9170 | 2008.12.02 | 2008-12-02 | - | 3.752
     ewido | 4.0.0.2 | 2008.12.01 | 2008-12-01 | - | 3.020
     F-Prot | 4.4.4.56 | 20081201 | 2008-12-01 | - | 1.052
     F-Secure | 5.51.6100 | 2008.12.02.01 | 2008-12-02 | - | 3.762
     Fortinet | 2.81-3.117 | 9.767 | 2008-12-01 | - | 0.155
     GData | 19.1763/19.131 | 20081201 | 2008-12-01 | - | 2.726
     Ikarus | T3.1.01.45 | 2008.12.01.71942 | 2008-12-01 | - | 3.675
     JiangMin | 11.0.706 | 2008.12.01 | 2008-12-01 | - | 1.343
     Kaspersky | 5.5.10 | 2008.12.01 | 2008-12-01 | - | 0.019
     KingSoft | 2008.9.8.18 | 2008.12.2.11 | 2008-12-02 | - | 0.705
     McAfee | 5.3.00 | 5451 | 2008-12-01 | - | 2.506
     Microsoft | 1.4104 | 2008.12.01 | 2008-12-01 | - | 3.979
     mks_vir | 2.01 | 2008.12.01 | 2008-12-01 | - | 2.537
     Norman | 5.93.01 | 5.93.00 | 2008-12-01 | - | 5.421
     nProtect | 2008-12-01.00 | 2632093 | 2008-12-01 | - | 3.082
     Panda | 9.05.01 | 2008.12.01 | 2008-12-01 | - | 2.329
     Quick Heal | 10.00 | 2008.12.02 | 2008-12-02 | - | 0.838
     Rising | 20.0 | 21.06.02.00 | 2008-12-01 | - | 0.249
     Sophos | 2.81.2 | 4.36 | 2008-12-02 | - | 1.891
     Sunbelt | 4674 | 4674 | 2008-11-04 | - | 0.498
     Symantec | 1.3.0.24 | 20081201.006 | 2008-12-01 | - | 0.045
     The Hacker | 6.3.1.2 | v00171 | 2008-12-01 | - | 0.430
     Trend Micro | 8.700-1004 | 5.684.14 | 2008-12-01 | - | 0.024
     VBA32 | 3.12.8.10 | 20081201.1108 | 2008-12-01 | - | 1.353
     ViRobot | 20081201 | 2008.12.01 | 2008-12-01 | - | 0.398
     VirusBuster | 4.5.11.10 | 10.94.12/729518 | 2008-12-01 | - | 0.923

     File information
     File Name : fohuzizu.exe
     File Size : 2713 byte
     File Type : UTF-8 Unicode HTML document text, with CRLF line terminators
     MD5 : 4bcfe9f8db04948cddb5e31fe6a7f984
     SHA1 : 42464c70fc16f3f361c2419751acd57d51613cdf

     Scanner results
     Scanner results : All Scanners reported not find malware!
     Time : 2008/12/01 20:33:40 (PST)

     Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
     a-squared | 4.0.0.27 | 20081202013306 | 2008-12-02 | - | 3.067
     AhnLab V3 | 2008.12.02.01 | 2008.12.02 | 2008-12-02 | - | 1.042
     AntiVir | 7.9.0.36 | 7.1.0.170 | 2008-12-01 | - | 1.564
     Antiy | 2.0.18 | 20081201.1772504 | 2008-12-01 | - | 0.119
     Arcavir | 1.0.5 | 200811291125 | 2008-11-29 | - | 1.181
     Authentium | 5.1.1 | 200812012220 | 2008-12-01 | - | 1.064
     AVAST! | 3.0.1 | 081201-0 | 2008-12-01 | - | 0.740
     AVG | 7.5.52.442 | 270.9.12/1823 | 2008-12-01 | - | 1.732
     BitDefender | 7.81008.2319319 | 7.22233 | 2008-12-02 | - | 2.144
     CA (VET) | 9.0.0.143 | 31.6.6236 | 2008-12-01 | - | 5.185
     ClamAV | 0.94.1 | 8706 | 2008-12-02 | - | 0.004
     Comodo | 3.0 | 662 | 2008-12-01 | - | 0.781
     CP Secure | 1.1.0.715 | 2008.12.01 | 2008-12-01 | - | 5.867
     Dr.Web | 4.44.0.9170 | 2008.12.02 | 2008-12-02 | - | 3.600
     ewido | 4.0.0.2 | 2008.12.01 | 2008-12-01 | - | 3.014
     F-Prot | 4.4.4.56 | 20081201 | 2008-12-01 | - | 1.021
     F-Secure | 5.51.6100 | 2008.12.02.01 | 2008-12-02 | - | 3.777
     Fortinet | 2.81-3.117 | 9.767 | 2008-12-01 | - | 0.144
     GData | 19.1763/19.131 | 20081201 | 2008-12-01 | - | 2.751
     Ikarus | T3.1.01.45 | 2008.12.01.71942 | 2008-12-01 | - | 3.710
     JiangMin | 11.0.706 | 2008.12.01 | 2008-12-01 | - | 1.334
     Kaspersky | 5.5.10 | 2008.12.01 | 2008-12-01 | - | 0.020
     KingSoft | 2008.9.8.18 | 2008.12.2.11 | 2008-12-02 | - | 0.696
     McAfee | 5.3.00 | 5451 | 2008-12-01 | - | 2.514
     Microsoft | 1.4104 | 2008.12.01 | 2008-12-01 | - | 4.728
     mks_vir | 2.01 | 2008.12.01 | 2008-12-01 | - | 2.616
     Norman | 5.93.01 | 5.93.00 | 2008-12-01 | - | 5.481
     nProtect | 2008-12-01.00 | 2632093 | 2008-12-01 | - | 3.100
     Panda | 9.05.01 | 2008.12.01 | 2008-12-01 | - | 2.317
     Quick Heal | 10.00 | 2008.12.02 | 2008-12-02 | - | 0.867
     Rising | 20.0 | 21.06.02.00 | 2008-12-01 | - | 0.280
     Sophos | 2.81.2 | 4.36 | 2008-12-02 | - | 1.884
     Sunbelt | 4674 | 4674 | 2008-11-04 | - | 0.501
     Symantec | 1.3.0.24 | 20081201.006 | 2008-12-01 | - | 0.046
     The Hacker | 6.3.1.2 | v00171 | 2008-12-01 | - | 0.427
     Trend Micro | 8.700-1004 | 5.684.14 | 2008-12-01 | - | 0.024
     VBA32 | 3.12.8.10 | 20081201.1108 | 2008-12-01 | - | 1.345
     ViRobot | 20081201 | 2008.12.01 | 2008-12-01 | - | 0.399
     VirusBuster | 4.5.11.10 | 10.94.12/729518 | 2008-12-01 | - | 0.908
  6. Hello Maurice - Both files have already been analyzed by Virustotal but here are the results when I clicked to have them reanalyzed. tagerako.exe first, then fohuzizu.exe. Also, the RUNDLL pop up has not re-appeared!

     File tagerako.exe received on 12.02.2008 05:19:41 (CET)

     Antivirus | Version | Last Update | Result
     AhnLab-V3 | 2008.12.2.0 | 2008.12.02 | -
     AntiVir | 7.9.0.36 | 2008.12.01 | -
     Authentium | 5.1.0.4 | 2008.12.02 | -
     Avast | 4.8.1281.0 | 2008.12.01 | -
     AVG | 8.0.0.199 | 2008.12.02 | -
     BitDefender | 7.2 | 2008.12.02 | -
     CAT-QuickHeal | 10.00 | 2008.12.02 | -
     ClamAV | 0.94.1 | 2008.12.02 | -
     DrWeb | 4.44.0.09170 | 2008.12.02 | -
     eSafe | 7.0.17.0 | 2008.11.30 | -
     eTrust-Vet | 31.6.6236 | 2008.12.01 | -
     Ewido | 4.0 | 2008.12.01 | -
     F-Prot | 4.4.4.56 | 2008.12.01 | -
     F-Secure | 8.0.14332.0 | 2008.12.02 | -
     Fortinet | 3.117.0.0 | 2008.12.02 | -
     GData | 19 | 2008.12.02 | -
     Ikarus | T3.1.1.45.0 | 2008.12.01 | -
     K7AntiVirus | 7.10.539 | 2008.12.01 | -
     Kaspersky | 7.0.0.125 | 2008.12.02 | -
     McAfee | 5451 | 2008.12.01 | -
     McAfee+Artemis | 5451 | 2008.12.01 | -
     Microsoft | 1.4104 | 2008.12.02 | -
     NOD32 | 3656 | 2008.12.02 | -
     Norman | 5.80.02 | 2008.12.01 | -
     Panda | 9.0.0.4 | 2008.12.02 | -
     PCTools | 4.4.2.0 | 2008.12.01 | -
     Rising | 21.06.02.00 | 2008.12.01 | -
     SecureWeb-Gateway | 6.7.6 | 2008.12.01 | -
     Sophos | 4.36.0 | 2008.12.02 | -
     Sunbelt | 3.1.1832.2 | 2008.12.01 | -
     Symantec | 10 | 2008.12.02 | -
     TheHacker | 6.3.1.2.171 | 2008.12.02 | -
     TrendMicro | 8.700.0.1004 | 2008.12.01 | -
     VBA32 | 3.12.8.9 | 2008.12.01 | -
     ViRobot | 2008.12.2.1495 | 2008.12.02 | -
     VirusBuster | 4.5.11.0 | 2008.12.01 | -

     Additional information
     File size: 2713 bytes
     MD5...: 4bcfe9f8db04948cddb5e31fe6a7f984
     SHA1..: 42464c70fc16f3f361c2419751acd57d51613cdf
     SHA256: bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228
     SHA512: bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585 160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e
     ssdeep: 24:r3avxU5hzsIVmVMeLmVMyHf63lboxMCLxvriN6LOAPAnQay78eLx5Tb87nVkE hML:upU0GVeLVGBXvrp4n/1a5TI7Ve/G79KX
     PEiD..: -
     TrID..: File type identification
     Text - UTF-8 encoded (100.0%)
     PEInfo: -
     packers (F-Prot): UTF-8

     File fohuzizu.exe received on 12.02.2008 05:17:47 (CET)

     Antivirus | Version | Last Update | Result
     AhnLab-V3 | 2008.12.2.0 | 2008.12.02 | -
     AntiVir | 7.9.0.36 | 2008.12.01 | -
     Authentium | 5.1.0.4 | 2008.12.02 | -
     Avast | 4.8.1281.0 | 2008.12.01 | -
     AVG | 8.0.0.199 | 2008.12.02 | -
     BitDefender | 7.2 | 2008.12.02 | -
     CAT-QuickHeal | 10.00 | 2008.12.02 | -
     ClamAV | 0.94.1 | 2008.12.02 | -
     DrWeb | 4.44.0.09170 | 2008.12.02 | -
     eSafe | 7.0.17.0 | 2008.11.30 | -
     eTrust-Vet | 31.6.6236 | 2008.12.01 | -
     Ewido | 4.0 | 2008.12.01 | -
     F-Prot | 4.4.4.56 | 2008.12.01 | -
     F-Secure | 8.0.14332.0 | 2008.12.02 | -
     Fortinet | 3.117.0.0 | 2008.12.02 | -
     GData | 19 | 2008.12.02 | -
     Ikarus | T3.1.1.45.0 | 2008.12.01 | -
     K7AntiVirus | 7.10.539 | 2008.12.01 | -
     Kaspersky | 7.0.0.125 | 2008.12.02 | -
     McAfee | 5451 | 2008.12.01 | -
     McAfee+Artemis | 5451 | 2008.12.01 | -
     Microsoft | 1.4104 | 2008.12.02 | -
     NOD32 | 3656 | 2008.12.02 | -
     Norman | 5.80.02 | 2008.12.01 | -
     Panda | 9.0.0.4 | 2008.12.02 | -
     PCTools | 4.4.2.0 | 2008.12.01 | -
     Prevx1 | V2 | 2008.12.02 | -
     Rising | 21.06.02.00 | 2008.12.01 | -
     SecureWeb-Gateway | 6.7.6 | 2008.12.01 | -
     Sophos | 4.36.0 | 2008.12.02 | -
     Sunbelt | 3.1.1832.2 | 2008.12.01 | -
     Symantec | 10 | 2008.12.02 | -
     TheHacker | 6.3.1.2.171 | 2008.12.02 | -
     TrendMicro | 8.700.0.1004 | 2008.12.01 | -
     VBA32 | 3.12.8.9 | 2008.12.01 | -
     ViRobot | 2008.12.2.1495 | 2008.12.02 | -
     VirusBuster | 4.5.11.0 | 2008.12.01 | -

     Additional information
     File size: 2713 bytes
     MD5...: 4bcfe9f8db04948cddb5e31fe6a7f984
     SHA1..: 42464c70fc16f3f361c2419751acd57d51613cdf
     SHA256: bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228
     SHA512: bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585 160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e
     ssdeep: 24:r3avxU5hzsIVmVMeLmVMyHf63lboxMCLxvriN6LOAPAnQay78eLx5Tb87nVkE hML:upU0GVeLVGBXvrp4n/1a5TI7Ve/G79KX
     PEiD..: -
     TrID..: File type identification
     Text - UTF-8 encoded (100.0%)
     PEInfo: -
     packers (F-Prot): UTF-8
  7. Hi Maurice, Here is the last log from HiJackThis. I will reboot after this and see if that other pop-up is still happening.

     +++HiJackThis+++

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 2:20:35 PM, on 11/30/2008
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16735)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Symantec AntiVirus\DefWatch.exe
     C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
     C:\Program Files\Common Files\LightScribe\LSSrvc.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
     C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
     C:\WINDOWS\system32\igfxtray.exe
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
     C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
     C:\Program Files\HP\QuickPlay\QPService.exe
     C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
     C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
     C:\Program Files\Google\Gmail Notifier\gnotify.exe
     C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\PROGRA~1\SYMANT~1\VPTray.exe
     C:\Program Files\Common Files\Real\Update_OB\realsched.exe
     C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\WinZip\WZQKPICK.EXE
     C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
     C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
     C:\Program Files\Support.com\bin\tgcmd.exe
     C:\WINDOWS\explorer.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
     O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
     O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
     O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
     O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
     O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
     O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
     O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
     O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
     O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
     O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
     O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
     O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
     O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
     O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
     O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
     O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
     O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
     O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
     O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
     O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
     O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
     O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
     O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
     O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
     O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
     O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
     O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
     O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
     O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
     O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
     O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
     O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
     O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
     O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
     O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
     O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
     O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
     O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
     O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
     O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
     O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
     O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

     --
     End of file - 11773 bytes
  8. Hi Maurice, The ComboFix logs are listed below. I will now run another HiJackThis scan and report back with final logs and how my system is doing. Thank you so much! Christine

     +++ComboFix+++

     ComboFix 08-11-30.01 - CMC 2008-11-30 14:02:52.1 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.452 [GMT -8:00]
     Running from: c:\documents and settings\CMC\Desktop\ComboFix.exe
      * Created a new restore point
     .
     (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
     c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
     c:\windows\system32\_000111_.tmp.dll
     c:\windows\system32\mdm.exe
     D:\Autorun.inf

     ----- BITS: Possible infected sites -----

     hxxp://77.74.48.101
     .
     (((((((((((((((((((((((((   Files Created from 2008-10-28 to 2008-11-30   )))))))))))))))))))))))))))))))
     .
     2008-11-29 22:29 . 2005-12-28 08:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
     2008-11-29 22:29 . 2008-11-29 22:29 <DIR> d-------- c:\documents and settings\Administrator
     2008-11-29 22:05 . 2008-11-29 22:05 <DIR> d-------- c:\windows\ERUNT
     2008-11-29 22:01 . 2008-11-29 22:30 <DIR> d-------- C:\SDFix
     2008-11-29 21:57 . 2008-11-29 21:57 <DIR> d-------- C:\_OTMoveIt
     2008-11-29 21:44 . 2008-11-29 21:44 754 --a------ c:\windows\WORDPAD.INI
     2008-11-29 21:07 . 2008-11-29 21:07 2,713 ---hs---- c:\windows\system32\tagerako.exe
     2008-11-27 22:34 . 2008-11-27 22:34 <DIR> d-------- c:\program files\Trend Micro
     2008-11-27 16:20 . 2008-11-27 16:20 <DIR> d-------- c:\program files\Panda Security
     2008-11-27 16:20 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
     2008-11-27 10:56 . 2008-11-27 10:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
     2008-11-27 10:56 . 2008-11-27 10:56 <DIR> d-------- c:\documents and settings\CMC\Application Data\Malwarebytes
     2008-11-27 10:56 . 2008-11-27 10:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
     2008-11-27 10:56 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
     2008-11-27 10:56 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
     2008-11-27 10:33 . 2008-11-27 10:33 2,713 ---hs---- c:\windows\system32\fohuzizu.exe
     2008-11-27 00:10 . 2008-11-27 00:12 <DIR> d-------- c:\program files\Spybot - Search & Destroy
     2008-11-27 00:10 . 2008-11-27 10:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2008-11-27 00:04 . 2008-11-30 13:56 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
     2008-11-27 00:03 . 2008-11-27 00:04 <DIR> d-------- c:\program files\SpywareBlaster
     2008-11-16 23:49 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
     2008-11-14 19:03 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
     2008-11-01 14:07 . 2008-11-01 14:07 <DIR> d-------- c:\program files\iTunes
     2008-11-01 14:07 . 2008-11-01 14:07 <DIR> d-------- c:\program files\iPod
     2008-11-01 14:07 . 2008-11-01 14:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
     2008-11-01 14:05 . 2008-11-01 14:05 <DIR> d-------- c:\program files\Bonjour
     2008-11-01 14:03 . 2008-11-01 14:04 <DIR> d-------- c:\program files\QuickTime
     2008-10-27 18:12 . 2008-10-15 08:34 337,408 --a------ c:\windows\system32\SET8E.tmp
     2008-10-27 18:12 . 2008-10-15 08:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
     2008-10-14 10:58 . 2008-08-14 02:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
     2008-10-14 10:58 . 2008-08-14 02:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
     2008-10-14 10:58 . 2008-08-14 01:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
     2008-10-14 10:58 . 2008-08-14 01:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
     2008-10-14 10:58 . 2008-09-15 04:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
     2008-10-14 10:58 . 2008-09-08 02:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
     .
     ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2008-11-30 22:11 --------- d-----w c:\program files\Symantec AntiVirus
     2008-11-30 22:09 --------- d-----w c:\documents and settings\CMC\Application Data\Skype
     2008-11-30 22:05 60,212 --sha-w c:\windows\system32\drivers\fidbox.idx
     2008-11-30 22:05 5,056,544 --sha-w c:\windows\system32\drivers\fidbox.dat
     2008-11-01 22:03 --------- d-----w c:\program files\Common Files\Apple
     2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
     2008-10-19 05:24 --------- d--h--w c:\documents and settings\CMC\Application Data\Move Networks
     2008-10-07 13:56 --------- d-----w c:\documents and settings\CMC\Application Data\webex
     2008-10-07 13:56 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
     2008-10-07 13:56 125,848 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
     2008-10-07 13:56 46,408 ----a-w c:\program files\mozilla firefox\plugins\atmccli.dll
     2008-10-07 13:56 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
     .
     (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-12-18 25365032]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]
     "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]
     "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]
     "DetectorApp"="c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe" [2005-10-20 102400]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
     "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
     "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
     "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
     "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
     "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-05-18 233534]
     "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
     "tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
     "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
     "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-20 185896]
     "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
     "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-11-22 c:\windows\system32\CHDAudPropShortcut.exe]

     c:\documents and settings\CMC\Start Menu\Programs\Startup\
     Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
     HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
     WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-08-09 122880]

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusDisableNotify"=dword:00000001
     "UpdatesDisableNotify"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
     "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

     R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-27 28544]
     R3 dsNcAdpt;Juniper Network Connect Adapter;c:\windows\system32\DRIVERS\dsNcAdpt.sys [2005-07-27 23552]

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af351ff7-f460-11db-aa27-001636373562}]
     \Shell\AutoRun\command - F:\LaunchU3.exe -a
     .
     Contents of the 'Scheduled Tasks' folder

     2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
     .
     - - - - ORPHANS REMOVED - - - -

     BHO-{c2cede86-1453-4e0e-91ff-c818d2caba50} - c:\windows\system32\fijadizo.dll
     .
     ------- Supplementary Scan -------
     .
     FireFox -: Profile - c:\documents and settings\CMC\Application Data\Mozilla\Firefox\Profiles\r37p3l73.default\
     FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?source=geaw
     FF -: plugin - c:\documents and settings\CMC\Application Data\Mozilla\Firefox\Profiles\r37p3l73.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
     FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
     FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
     FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
     FF -: plugin - c:\program files\Mozilla Firefox\plugins\npatgpc.dll
     FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
     FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
     FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
     .
     **************************************************************************

     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2008-11-30 14:07:31
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????f?P??|?????? ???B?????????????hLC? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ZoneLabs\vsmon.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\program files\Juniper Networks\Common Files\dsNcService.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Symantec AntiVirus\Rtvscan.exe c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe c:\program files\iPod\bin\iPodService.exe c:\progra~1\HPQ\Shared\HPQTOA~1.EXE c:\program files\HP\Digital Imaging\bin\hpqimzone.exe c:\program files\Skype\Plugin Manager\skypePM.exe . ************************************************************************** . Completion time: 2008-11-30 14:14:31 - machine was rebooted ComboFix-quarantined-files.txt 2008-11-30 22:14:27 Pre-Run: 45,959,823,360 bytes free Post-Run: 45,898,612,736 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 196 --- E O F --- 2008-11-19 06:44:25
  9. Well, Good Afternoon Maurice. It's afternoon here now. I ran the MBam "full-scan" and it doesn't look like quarantine is an option. It found one trojan. I have pasted the log-file in below for advice. Should I remove this trojan? Thank you in advance! Christine

+++MBam+++

Malwarebytes' Anti-Malware 1.30
Database version: 1439
Windows 5.1.2600 Service Pack 3

11/30/2008 1:10:32 PM
mbam-log-2008-11-30 (13-10-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 141093
Time elapsed: 1 hour(s), 5 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yiwobisige (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  10. Good Morning Maurice, I ran the FixPolicies first and then the Avenger.exe. On the reboot for the Avenger I am still receiving the ruhisaba.dll is missing error. I have attached a screen shot, in case that may help. Now I'm off to work through the rest of your list. Thanks again! Christine

Here are the logs from Avenger.exe:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\volapego.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\ruhisaba.dll" not found!
Deletion of file "C:\WINDOWS\system32\ruhisaba.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\yiwobisige" not found!
Deletion of driver "yiwobisige" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|yiwobisige" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|yiwobisige" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.
  11. Hi - one more post this evening. I have been trying to run SDfix in safe mode for over an hour and a half and it doesn't seem to be doing anything. I ran the .bat file and the blue window just sits there with a blinking cursor after the line that reads "Checking Running Processes and Services". I stopped and started once but nothing. Not sure what to do now. Thank you, Christine
  12. Hi Maurice, Here are the results from the OTMoveIt3 app:

========== FILES ==========
File/Folder C:\WINDOWS\system32\ruhisaba.dll not found.
========== SERVICES/DRIVERS ==========
Unable to stop service yiwobisige .

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11292008_215731
  13. Hi Maurice, Thanks for responding so quickly. First, a comment: the ruhisaba.dll file is missing from my windows/system32/ folder. We did a full search of the computer and were unable to find it. Funny thing - yesterday when I was creating my first post to you, I restarted my laptop after doing a Quick Scan using the Malwarebytes Anti-Malware app. I got a RUNDLL error saying the ruhisaba.dll module could not be found. I just clicked OK, two command prompt windows opened quickly and disappeared and that was all. OK - here are the two logs for the volapego.dll file. And then the third one is for HijackThis. Thank you - I'll move on to the OTMoveIt3 step next!

+++ Virustotal: +++

File volapego.dll received on 11.30.2008 02:47:15 (CET)
Result: 9/37 (24.33%)

Antivirus Version Last Update Result
AhnLab-V3 2008.11.28.2 2008.11.29 -
AntiVir 7.9.0.36 2008.11.29 TR/Vundo.MY
Authentium 5.1.0.4 2008.11.30 -
Avast 4.8.1281.0 2008.11.29 -
AVG 8.0.0.199 2008.11.29 Generic12.QGX
BitDefender 7.2 2008.11.30 -
CAT-QuickHeal 10.00 2008.11.29 -
ClamAV 0.94.1 2008.11.29 -
DrWeb 4.44.0.09170 2008.11.29 -
eSafe 7.0.17.0 2008.11.27 Suspicious File
eTrust-Vet 31.6.6234 2008.11.28 -
Ewido 4.0 2008.11.29 -
F-Prot 4.4.4.56 2008.11.29 -
F-Secure 8.0.14332.0 2008.11.29 Trojan:W32/Vundo.BU
Fortinet 3.117.0.0 2008.11.29 -
GData 19 2008.11.30 -
Ikarus T3.1.1.45.0 2008.11.29 -
K7AntiVirus 7.10.538 2008.11.29 -
Kaspersky 7.0.0.125 2008.11.30 -
McAfee 5449 2008.11.29 -
McAfee+Artemis 5449 2008.11.29 -
Microsoft 1.4104 2008.11.30 Trojan:Win32/Vundo.JD.dll
NOD32 3650 2008.11.28 a variant of Win32/Adware.Virtumonde.NDI
Norman 5.80.02 2008.11.28 -
Panda 9.0.0.4 2008.11.29 -
PCTools 4.4.2.0 2008.11.29 -
Prevx1 V2 2008.11.30 -
Rising 21.05.52.00 2008.11.29 Trojan.Win32.VUNDO.bus
SecureWeb-Gateway 6.7.6 2008.11.29 Trojan.Vundo.MY
Sophos 4.36.0 2008.11.29 Troj/Virtum-Gen
Sunbelt 3.1.1832.2 2008.11.27 -
Symantec 10 2008.11.30 -
TheHacker 6.3.1.1.169 2008.11.29 -
TrendMicro 8.700.0.1004 2008.11.28 -
VBA32 3.12.8.9 2008.11.29 -
ViRobot 2008.11.29.1492 2008.11.29 -
VirusBuster 4.5.11.0 2008.11.29 -

Additional information
File size: 60416 bytes
MD5...: 4e5a570ad074635b7d0a3583e7f9c573
SHA1..: 60f5b09dab30d45eb3524f9f98ccfe0b7e4d2769
SHA256: 4cb4d71789a11bbea414a27d9b3f8d694a6bc84244f2fb7d297c17bb96e59854
SHA512: 8518e00e07415f3de52cc308fbf5a5e3b1e86245476b576e69551f107eb21b32
d6f3369b46c7d393049f11c4549fae3791bf10b49fc8de0db52703234ae4be76
ssdeep: 1536:ZGu1IBBurzsU/nqnpXbdug6alqy+h4THjwwsIWqF5:Te8mpXbdu1b6THia5
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x100010e7
timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype.......: 0x14c (I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
text 0x1000 0x49f3 0x4a00 7.90 140559c7567a4de2487e77b71812642c
.rdata 0x6000 0x2dbb 0x2e00 7.82 887077c51deecb5b1562f406895bf66a
.data 0x9000 0x5fa3 0x6000 7.99 c6f0fb9657f075fd9aec96a93706e470
.idata 0xf000 0x399 0x400 0.00 0f343b0931126a20f133d67c2b018a3b
.rsrc 0x10000 0x400 0x400 3.40 8f0949d8ab1f0156905e439a59cf8a00
.reloc 0x11000 0xcfa4 0x800 0.89 763668ab21173171287c58dee84e9612
( 4 imports )
> user32.dll: ToAscii, EndPaint, EndDeferWindowPos, DestroyWindow, DestroyMenu, DestroyCursor, CreatePopupMenu, CreateDesktopW, CloseWindow
> KERNEL32.dll: GetProcessHeap, HeapValidate, HeapDestroy, GetACP, ExitProcess, EnterCriticalSection, TerminateProcess, WriteFile, SetStdHandle
> advapi32.dll: RegOpenKeyExA, RegEnumValueA, RegCloseKey
> comdlg32.dll: GetOpenFileNameW, GetFileTitleW
( 0 exports )

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

+++ Viruscan.org: +++

File information
File Name : volapego.dll
File Size : 60416 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 4e5a570ad074635b7d0a3583e7f9c573
SHA1 : 60f5b09dab30d45eb3524f9f98ccfe0b7e4d2769

Scanner results
Scanner results : 15% Scanner(6/39) found malware!
Time : 2008/11/29 21:12:36 (PST)

Scanner ↓ Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.0.0.26 20081127213325 2008-11-27 - 12.251
AhnLab V3 2008.11.30.00 2008.11.30 2008-11-30 - 4.302
AntiVir 7.9.0.36 7.1.0.159 2008-11-29 TR/Vundo.MY 1.608
Antiy 2.0.18 20081129.1772504 2008-11-29 - 0.122
Arcavir 1.0.5 200811291125 2008-11-29 Trojan.Inject.Kkw 1.255
Authentium 5.1.1 200811292253 2008-11-29 - 1.160
AVAST! 3.0.1 081129-0 2008-11-29 - 0.009
AVG 7.5.52.442 270.9.11/1820 2008-11-29 Generic12.QGX 1.777
BitDefender 7.81008.2289375 7.22188 2008-11-30 - 2.104
CA (VET) 9.0.0.143 31.6.6234 2008-11-28 - 11.348
ClamAV 0.94.1 8697 2008-11-30 - 0.017
Comodo 2.11 2.0.0.712 2008-11-20 - 4.064
CP Secure 1.1.0.715 2008.11.30 2008-11-30 - 8.104
Dr.Web 4.44.0.9170 2008.11.29 2008-11-29 - 3.793
ewido 4.0.0.2 2008.11.29 2008-11-29 - 7.364
F-Prot 4.4.4.56 20081129 2008-11-29 - 1.323
F-Secure 5.51.6100 2008.11.29.01 2008-11-29 - 2.936
Fortinet 2.81-3.117 9.758 2008-11-29 - 0.757
GData 19.1733/19.128 20081130 2008-11-30 - 6.870
Ikarus T3.1.01.45 2008.11.30.71933 2008-11-30 - 5.344
JiangMin 11.0.706 2008.11.29 2008-11-29 - 2.554
Kaspersky 5.5.10 2008.11.30 2008-11-30 - 0.041
KingSoft 2008.9.8.18 2008.11.29.22 2008-11-29 - 7.981
McAfee 5.3.00 5449 2008-11-29 - 2.520
Microsoft 1.4104 2008.11.29 2008-11-29 Trojan:Win32/Vundo.JD.dll 12.626
mks_vir 2.01 2008.11.30 2008-11-30 - 2.677
Norman 5.93.01 5.93.00 2008-11-28 - 5.700
nProtect 2008-11-28.00 2630992 2008-11-28 - 6.181
Panda 9.05.01 2008.11.29 2008-11-29 - 2.614
Quick Heal 10.00 2008.11.29 2008-11-29 - 1.010
Rising 20.0 21.05.52.00 2008-11-29 Trojan.Win32.VUNDO.bus 1.036
Sophos 2.81.2 4.36 2008-11-30 Troj/Virtum-Gen 1.931
Sunbelt 4674 4674 2008-11-04 - 8.659
Symantec 1.3.0.24 20081129.002 2008-11-29 - 0.152
The Hacker 6.3.1.1 v00169 2008-11-29 - 0.551
Trend Micro 8.700-1004 5.682.30 2008-11-29 - 0.037
VBA32 3.12.8.9 20081129.1054 2008-11-29 - 1.565
ViRobot 20081129 2008.11.29 2008-11-29 - 0.828
VirusBuster 4.5.11.10 10.94.10/729492 2008-11-29 - 1.003

+++ HijackThis +++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:55 PM, on 11/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {c2cede86-1453-4e0e-91ff-c818d2caba50} - C:\WINDOWS\system32\fijadizo.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [yiwobisige] Rundll32.exe "C:\WINDOWS\system32\ruhisaba.dll",s
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [yiwobisige] Rundll32.exe "C:\WINDOWS\system32\ruhisaba.dll",s (User 'LOCAL SERVICE')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\volapego.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12572 bytes
  14. Good Evening, I have run the three programs requested. Here are the 3 log files in order as requested:

Malwarebytes-Anti-Malware Scan:

Malwarebytes' Anti-Malware 1.30
Database version: 1430
Windows 5.1.2600 Service Pack 3

11/27/2008 3:41:50 PM
mbam-log-2008-11-27 (15-41-50).txt

Scan type: Quick Scan
Objects scanned: 50282
Time elapsed: 4 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2cede86-1453-4e0e-91ff-c818d2caba50} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c2cede86-1453-4e0e-91ff-c818d2caba50} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yiwobisige (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fijadizo.dll (Trojan.BHO.H) -> Delete on reboot.

PandaActive Scan:

;***************************************************************************************************************************
ANALYSIS: 2008-11-27 22:32:47
PROTECTIONS: 2
MALWARE: 31
SUSPECTS: 2
;***************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================================================================
Symantec Antivirus Corporate Edition 10.1 No Yes
Zone Alarm Security Suite 7.0.483.000 No No
;===========================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===========================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.trafficmp.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\CMC\Application Data\Netscape\NSB\Profiles\c4cy50x4.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.atdmt.com/]
00145453 Cookie/Bfast TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.bfast.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.mediaplex.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.mediaplex.com/]
00167642 Cookie/Com.com TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.com.com/]
00167656 Cookie/Hitbox TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.ehg-idg.hitbox.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.statcounter.com/]
00168048 Cookie/Overture TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.perf.overture.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.apmebf.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.apmebf.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 No
No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.burstnet.com/] 00168090 Cookie/Serving-sys TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.serving-sys.com/] 00168090 Cookie/Serving-sys TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.serving-sys.com/] 00168090 Cookie/Serving-sys TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.serving-sys.com/] 00168090 Cookie/Serving-sys TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.serving-sys.com/] 00168101 Cookie/Falkag TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.as-us.falkag.net/] 00169190 Cookie/Advertising TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\CMC\Application Data\Netscape\NSB\Profiles\c4cy50x4.default\cookies.txt[.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\CMC\Application Data\Netscape\NSB\Profiles\c4cy50x4.default\cookies.txt[.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\CMC\Application Data\Netscape\NSB\Profiles\c4cy50x4.default\cookies.txt[.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.advertising.com/] 00169190 Cookie/Advertising TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.advertising.com/] 
00169190 Cookie/Advertising TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.advertising.com/] 00170304 Cookie/WebtrendsLive TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][statse.webtrendslive.com/] 00170495 Cookie/PointRoll TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.ads.pointroll.com/] 00170495 Cookie/PointRoll TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.ads.pointroll.com/] 00170495 Cookie/PointRoll TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.ads.pointroll.com/] 00170495 Cookie/PointRoll TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.ads.pointroll.com/] 00170554 Cookie/Overture TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.overture.com/] 00170554 Cookie/Overture TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.overture.com/] 00170556 Cookie/RealMedia TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.realmedia.com/] 00171982 Cookie/QuestionMarket TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.questionmarket.com/] 00171982 Cookie/QuestionMarket TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.questionmarket.com/] 00171982 Cookie/QuestionMarket TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.questionmarket.com/] 00172221 Cookie/Zedo TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.zedo.com/] 
00172221 Cookie/Zedo TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.zedo.com/] 00172221 Cookie/Zedo TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.zedo.com/] 00184846 Cookie/Adrevolver TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.adrevolver.com/] 00187950 Cookie/bravenetA TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.bravenet.com/] 00187950 Cookie/bravenetA TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.bravenet.com/] 00187950 Cookie/bravenetA TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.bravenet.com/] 00187950 Cookie/bravenetA TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.bravenet.com/] 00194327 Cookie/Go TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.go.com/] 00194327 Cookie/Go TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.go.com/] 00194327 Cookie/Go TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.go.com/] 00194327 Cookie/Go TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.go.com/] 00194327 Cookie/Go TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.go.com/] 00207862 Cookie/did-it TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.did-it.com/] 00207862 Cookie/did-it TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.did-it.com/] 
00207862 Cookie/did-it TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.did-it.com/] 00262020 Cookie/Atwola TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.atwola.com/] 00286739 Cookie/Hitbox TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.ehg-dig.hitbox.com/] 00286739 Cookie/Hitbox TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.ehg-dig.hitbox.com/] 00286739 Cookie/Hitbox TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][.ehg-dig.hitbox.com/] 00325830 Cookie/Bridgetrack TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][citi.bridgetrack.com/] 00325830 Cookie/Bridgetrack TrackingCookie No 0 No No C:\Program Files\support.com\backup\co\cookies.txt\47718_5b912b86b_[cookies.txt][citi.bridgetrack.com/] 00377802 Spyware/PeoplePC Spyware No 0 Yes No C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL 00450614 Adware/2Search Adware No 0 No No C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe[PPCToolbar.dll] 03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP629\A0041813.sys ;=============================================================================== ================================================================================ = =================== SUSPECTS Sent Location JJ ;=============================================================================== ================================================================================ = =================== No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP629\A0041804.dll JJ No C:\System Volume 
Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP629\A0041805.dll JJ ;=============================================================================== ================================================================================ = =================== VULNERABILITIES Id Severity Description JJ ;=============================================================================== ================================================================================ = =================== ;=============================================================================== ================================================================================ = =================== And finally HiJackThis scan: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:35:13 PM, on 11/27/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\igfxtray.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program 
Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Google\Gmail Notifier\gnotify.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\Program Files\Skype\Plugin Manager\SkypePM.exe C:\Program Files\Support.com\bin\tgcmd.exe C:\Program Files\Internet Explorer\iexplore.exe c:\program files\common files\installshield\updateservice\isuspm.exe C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection 
Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O2 - BHO: (no name) - {c2cede86-1453-4e0e-91ff-c818d2caba50} - C:\WINDOWS\system32\fijadizo.dll (file missing) O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program 
Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [yiwobisige] Rundll32.exe "C:\WINDOWS\system32\ruhisaba.dll",s O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [yiwobisige] Rundll32.exe "C:\WINDOWS\system32\ruhisaba.dll",s (User 'LOCAL SERVICE') O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma 
Loader.exe (User 'SYSTEM') O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! 
Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\WINDOWS\system32\volapego.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. 
- C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 12514 bytes
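Editor's note: the following is an added example, not part of Christine's post and not a tool from this thread. It applies the structural checks a HijackThis reviewer makes by hand to a handful of entries copied from the log above (embedded as a string so it runs offline): entries that point at a file the tool could not find, a BHO with no display name, a Run key that starts a DLL from system32 through Rundll32, and a non-empty AppInit_DLLs value. The "eight lowercase letters in system32" name pattern is this example's own assumption, not a HijackThis rule; a hit means "look this up", not "this is malware".

```python
import re

# Sample input: entries copied from the HijackThis log in the post above and
# embedded here so the script needs no file. Raw string, so the Windows paths
# keep their single backslashes.
SAMPLE_LOG = r"""R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {c2cede86-1453-4e0e-91ff-c818d2caba50} - C:\WINDOWS\system32\fijadizo.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [yiwobisige] Rundll32.exe "C:\WINDOWS\system32\ruhisaba.dll",s
O4 - HKUS\S-1-5-19\..\Run: [yiwobisige] Rundll32.exe "C:\WINDOWS\system32\ruhisaba.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\volapego.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

# Assumption of this example (not a HijackThis rule): a DLL directly under
# system32 whose basename is exactly eight lowercase letters. Stock Windows
# DLLs in that directory are essentially never named that way.
RANDOM_SYS32_DLL_RE = re.compile(r"(?i:[\\/]system32[\\/])([a-z]{8})\.dll\b")


def parse_entries(log_text):
    """Yield (code, body, raw_line) for each R*/O* entry; other lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()


def reasons_for(code, body):
    """Return the reasons an entry deserves a closer look; empty list if none."""
    reasons = []
    lowered = body.lower()
    if "(no file)" in lowered or "(file missing)" in lowered:
        reasons.append("points at a file HijackThis could not find (leftover, or hidden from the tool)")
    if code == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no display name")
    dll = RANDOM_SYS32_DLL_RE.search(body)
    if code == "O4" and "rundll32" in lowered and dll:
        reasons.append(f"Run key starts {dll.group(1)}.dll from system32 through Rundll32")
    # AppInit_DLLs is loaded into every process that loads user32.dll, so any
    # value here is worth checking even when the file looks harmless.
    if code == "O20" and lowered.startswith("appinit_dlls:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs is set; the DLL is injected into every process that loads user32.dll")
    return reasons


def triage(log_text):
    """Return [(raw_line, [reasons])] for the entries worth reviewing, in log order."""
    flagged = []
    for code, body, raw in parse_entries(log_text):
        reasons = reasons_for(code, body)
        if reasons:
            flagged.append((raw, reasons))
    return flagged


def suspicious_dll_names(log_text):
    """Distinct eight-letter system32 DLL basenames seen in flagged entries, sorted."""
    names = set()
    for raw, _ in triage(log_text):
        for m in RANDOM_SYS32_DLL_RE.finditer(raw):
            names.add(m.group(1).lower())
    return sorted(names)


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG):
        print(raw)
        for reason in reasons:
            print("   ->", reason)
    print("DLL names to look up:", ", ".join(suspicious_dll_names(SAMPLE_LOG)))
```

Run against the sample it flags five of the eight lines and leaves the Intel, Adobe and Zone Labs entries alone. The useful output is the last line: the same naming pattern turns up in three different sections of the log above (an O2 BHO, an O4 Run key that is also mirrored under the LOCAL SERVICE hive, and O20 AppInit_DLLs), and cross-referencing those names is exactly what the person reviewing the log does next. To run it on a full log, read the file and pass its text to `triage()` instead of `SAMPLE_LOG`.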