
Mom's PC Infected by Malware

Discussion in 'Malware and Virus Removal Archive' started by Michael7, 2010/04/22.

Thread Status:
Not open for further replies.
  1. 2010/04/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Go ahead and run Combofix anyway.
     
  2. 2010/05/05
    broni

    broni Moderator Malware Analyst

    Are you still out there?
     

  4. 2010/05/07
    Michael7

    Michael7 Inactive Thread Starter

    Joined:
    2010/04/22
    Messages:
    15
    Likes Received:
    0
    Very sorry, Broni! In the middle of things happening on my end I ended up once again taking a long time to reply. I did run and create the logs that same night you mentioned to go for it, though. Thanks so much for the help, Broni, I cannot express how much I appreciate it!!
    Here's the ComboFix log:
    ComboFix 10-04-29.04 - ReveNEspoir 04/29/2010 22:46:16.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.546 [GMT -5:00]
    Running from: c:\documents and settings\ReveNEspoir\Desktop\ComboFix.exe
    AV: AOL Antivirus *On-access scanning enabled* (Outdated) {164FF91F-F5BD-4B74-A9DC-932CECB1603B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Kent.REVE-N-ESPOIR\Application Data\alot
    c:\documents and settings\ReveNEspoir\Application Data\alot
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_0\Button_0.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_0\Button_0.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_1\Button_1.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_1\Button_1.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_2\Button_2.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_2\Button_2.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_3\Button_3.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_3\Button_3.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_4\Button_4.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_4\Button_4.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_5\Button_5.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_5\Button_5.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_6\Button_6.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_6\Button_6.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_7\Button_7.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_7\Button_7.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_8\Button_8.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\Button_8\Button_8.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\configurator\configurator.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\configurator\configurator.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\contextMenu\contextMenu.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\contextMenu\contextMenu.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\postInstallLayout\postInstallLayout.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\products\products.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\products\products.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_image_search.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_image_search.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_news_search.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_news_search.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_search_button.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_shop_search.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_shop_search.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_videos_search.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_videos_search.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_web_search.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_1\images\alot_web_search.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_2\images\alot_configure.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_2\images\alot_configure.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_3\images\1462_icon.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_3\images\1462_icon.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_3\images\default_1462_www.bhg.com_button.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_3\images\default_1462_www.bhg.com_button.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_4\images\2252_icon.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_4\images\2252_icon.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_4\images\default_1923_default_1910_default_1510_www.bhg.com_button.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_4\images\default_1923_default_1910_default_1510_www.bhg.com_button.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_5\images\2128_icon.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_5\images\2128_icon.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_5\images\default_2113_default_1682_www.bhg.com_button.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_5\images\default_2113_default_1682_www.bhg.com_button.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_6\images\default_1105_alot_recipe_videos.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_6\images\default_1105_alot_recipe_videos.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_7\images\2065_icon.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_7\images\2065_icon.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Button_8\images\2827_icon.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\contextMenu\images\alot_icon.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\domains.dat
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\alot_brand.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\alot_splitter.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\discover.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\intro_popup.png
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\spinner.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\widget_btnconfig0.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\widget_btnconfig1.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\widget_btnrefresh0.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\widget_btnrefresh1.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\widget_caption.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
    c:\documents and settings\ReveNEspoir\Application Data\alot\TimerManager\TimerManager.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\TimerManager\TimerManager.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\toolbar.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\toolbar.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
    c:\documents and settings\ReveNEspoir\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\Updater\Updater.xml
    c:\documents and settings\ReveNEspoir\Application Data\alot\Updater\Updater.xml.backup
    c:\program files\alot
    c:\program files\alot\alotUninst.exe
    c:\program files\alot\bin\alot.dll
    c:\program files\alot\bin\BHO\alotBHO.dll
    c:\recycler\NPROTECT
    c:\recycler\S-1-5-21-1644491937-839522115-854245398-1003
    c:\recycler\S-1-5-21-1644491937-839522115-854245398-1004

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-30 )))))))))))))))))))))))))))))))
    .

    2010-04-27 06:59 . 2010-04-27 06:59 388096 ----a-r- c:\documents and settings\ReveNEspoir\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-04-27 06:59 . 2010-04-27 06:59 -------- d-----w- c:\program files\Trend Micro
    2010-04-27 04:33 . 2010-04-27 04:33 -------- d-----w- c:\documents and settings\ReveNEspoir\Application Data\Malwarebytes
    2010-04-27 04:33 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-27 04:33 . 2010-04-27 04:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-27 04:33 . 2010-04-27 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-27 04:33 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-27 02:14 . 2010-04-27 02:14 -------- d-----w- C:\_OTL
    2010-04-21 12:06 . 2010-04-27 02:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\xibhuqotg
    2010-04-09 14:52 . 2010-04-09 14:52 -------- d-----w- c:\documents and settings\Kent.REVE-N-ESPOIR\Local Settings\Application Data\AOL Toolbar
    2010-04-09 14:45 . 2010-04-09 14:45 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-18 13:13 . 2009-08-25 23:34 -------- d-----w- c:\documents and settings\ReveNEspoir\Application Data\HpUpdate
    2010-04-17 00:05 . 2008-10-08 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-04-14 18:27 . 2010-03-30 12:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-11 11:18 . 2007-01-08 15:28 -------- d-----w- c:\program files\Hewlett-Packard
    2010-04-09 14:44 . 2009-04-17 21:54 -------- d-----w- c:\documents and settings\ReveNEspoir\Application Data\IObit
    2010-03-30 12:31 . 2010-03-30 12:31 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-03-26 17:22 . 2006-03-15 23:41 -------- d-----w- c:\program files\Jewelry Designer Manager
    2010-03-26 12:58 . 2010-03-26 12:58 10134 ----a-r- c:\documents and settings\ReveNEspoir\Application Data\Microsoft\Installer\{939E2189-9B65-41FC-A842-1BBC1588BFD1}\ARPPRODUCTICON.exe
    2010-03-26 12:58 . 2007-12-29 01:50 -------- d-----w- c:\program files\HP
    2010-03-25 19:42 . 2010-03-25 17:37 -------- d-----w- c:\program files\AOL 9.5
    2010-03-25 17:41 . 2006-03-15 22:42 -------- d-----w- c:\documents and settings\ReveNEspoir\Application Data\AOL
    2010-03-25 17:41 . 2006-03-15 22:38 -------- d-----w- c:\program files\Common Files\aolshare
    2010-03-25 17:40 . 2006-03-15 22:37 -------- d-----w- c:\program files\Common Files\AOL
    2010-03-25 17:39 . 2006-03-15 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2010-03-25 17:39 . 2010-03-25 17:39 -------- d-----w- c:\program files\AOL Toolbar
    2010-03-25 17:39 . 2010-03-25 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Toolbar
    2010-03-25 17:39 . 2010-03-25 17:39 -------- d-----w- c:\program files\Common Files\Software Update Utility
    2010-03-25 17:36 . 2010-03-25 17:35 48307080 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.185.2.1\setup.exe
    2010-03-25 17:35 . 2010-03-25 17:35 43496 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.185.2.1\noneCodesignFilesBundle.exe
    2010-03-25 17:35 . 2006-03-15 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
    2010-03-25 11:48 . 2006-03-15 20:25 100400 ----a-w- c:\documents and settings\ReveNEspoir\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-24 20:54 . 2010-03-24 20:54 -------- d-----w- c:\program files\Snapshot Viewer
    2010-03-22 13:26 . 2006-03-16 01:55 100400 ----a-w- c:\documents and settings\Kent.REVE-N-ESPOIR\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-10 06:15 . 2003-03-31 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-02 01:03 . 2010-02-06 00:30 203040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-02-27 11:24 . 2010-02-27 11:24 152576 ----a-w- c:\documents and settings\ReveNEspoir\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-02-27 11:23 . 2009-11-15 00:19 79488 ----a-w- c:\documents and settings\ReveNEspoir\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-02-25 06:24 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 15:16 . 2010-03-10 19:48 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-24 13:11 . 2003-03-31 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-18 11:04 . 2003-02-21 10:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-02-18 11:04 . 2003-03-19 04:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-02-17 14:10 . 2003-03-31 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2003-03-31 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-12 01:22 . 2010-02-12 01:22 103752 ----a-w- c:\windows\system32\AOLDial.dll
    2010-02-12 01:22 . 2010-02-12 01:22 33400 ----a-w- c:\windows\system32\drivers\atwpkt264.sys
    2010-02-12 01:22 . 2010-02-12 01:22 24904 ----a-w- c:\windows\system32\drivers\atwpkt2.sys
    2010-02-11 12:02 . 2003-03-31 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer "= "VTTimer.exe" [2005-03-07 53248]
    "VTTrayp "= "VTtrayp.exe" [2005-03-11 147456]
    "HostManager "= "c:\program files\Common Files\AOL\1142462297\ee\AOLSoftware.exe" [2010-02-10 41800]
    "sscRun "= "c:\program files\Common Files\AOL\1142462297\ee\SSCRun.exe" [2007-01-25 153168]
    "OASClnt "= "c:\program files\mcafee.com\antivirus\oasclnt.exe" [2006-07-28 116272]
    "EmailScan "= "c:\program files\mcafee.com\antivirus\mcvsescn.exe" [2006-07-28 460336]
    "HP Software Update "= "c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
    "PS121v2 "= "c:\program files\NETGEAR\PS121v2\PS121v2.exe" [2007-05-23 696320]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2006-03-15 98304]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\AGRemind.exe [2009-12-14 323584]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
    backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
    backup=c:\windows\pss\officejet 6100.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-06-07 04:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    2005-07-12 11:17 50776 ----a-w- c:\program files\America Online 9.0b\aol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
    2007-01-25 21:34 8784 ----a-w- c:\program files\Common Files\AOL\1142462297\EE\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
    2005-03-04 06:20 512000 ----a-w- c:\program files\VIAudioi\SBADeck\ADeck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2006-10-14 10:03 190464 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2010-02-10 13:19 14664 ----a-w- c:\program files\Common Files\AOL\1142462297\EE\AOLHostManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
    2003-08-18 23:46 53248 ----a-w- c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
    2002-11-09 16:33 172032 ----a-w- c:\program files\Canon\MultiPASS4\mptbox.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    2005-02-26 00:28 212992 ----a-w- c:\progra~1\Nero\data\Xtras\mssysmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2006-03-15 22:40 98304 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2008-11-05 16:56 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2005-11-10 19:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2007-05-31 11:41 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-11-05 16:56 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe "=
    "c:\\Program Files\\America Online 9.0\\waol.exe "=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe "=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1142462297\\EE\\AOLServiceHost.exe "=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe "=
    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe "=
    "c:\\Program Files\\America Online 9.0b\\waol.exe "=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe "=
    "c:\\Program Files\\America Online 9.0b\\aol.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1142462297\\EE\\aolsoftware.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1142462297\\EE\\AOLDesktop.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\NETGEAR\\PS121v2\\PS121v2.exe "=
    "c:\\Program Files\\AOL 9.5\\waol.exe "=

    R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [9/12/2003 3:19 PM 132899]
    R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [9/12/2003 3:48 PM 46810]
    R3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\drivers\NETGEARUHOST.sys [9/8/2009 4:28 PM 12032]
    R3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\drivers\NETGEARUHUB.sys [9/8/2009 4:28 PM 39424]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 8:34 AM 135664]
    S3 NETGEARUCOMP;NETGEAR Network USB Composite Device;c:\windows\system32\drivers\NETGEARUCOMP.sys [9/8/2009 4:28 PM 12672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2008-05-23 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p officejet 6100 series272A572217594EBCF1CEE215E352B92AD073FDE4168270247.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 23:56]

    2010-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 13:34]

    2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 13:34]

    2009-12-21 c:\windows\Tasks\SmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-07-18 14:22]

    2010-04-30 c:\windows\Tasks\User_Feed_Synchronization-{EE9C1704-2B61-4C30-B115-A8BCC521AB94}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultUrl =
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Compare Prices with &Dealio - c:\documents and settings\ReveNEspoir\Application Data\Dealio\kb124\res\DealioSearch.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    DPF: {FFFDF6F2-F7BC-4B90-B789-CB7BBDA13AD6} - hxxp://photosmart.hpphoto.com/Download/HPeServicesLocalPrint.CAB
    FF - ProfilePath - c:\documents and settings\ReveNEspoir\Application Data\Mozilla\Firefox\Profiles\irbj0n9v.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolTB50CL-chromesbox-en-us
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&invocationType=tb50-ff-aolTB50CL-ab-en-us&query=
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false.
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    MSConfigStartUp-sscRun - c:\program files\Common Files\AOL\1142462297\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
    AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe
    AddRemove-{1EB321CB-3D1D-4cf2-ACB5-9F20874B8E69} - c:\program files\Hewlett-Packard\Digital Imaging\{1EB321CB-3D1D-4cf2-ACB5-9F20874B8E69}\setup\hpzscr01.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-29 22:51
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-04-29 22:53:52
    ComboFix-quarantined-files.txt 2010-04-30 03:53

    Pre-Run: 4,968,091,648 bytes free
    Post-Run: 5,279,735,808 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - F8740786CF5D08B44BCF1849E041F175
     
  5. 2010/05/07
    Michael7

    Michael7 Inactive Thread Starter

    And here's the new HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:14:11 PM, on 4/29/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\AOL\1142462297\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\Common Files\AOL\1142462297\ee\AOLSoftware.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\AOL\1142462297\EE\aolsoftware.exe
    c:\program files\common files\aol\1142462297\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll
    R3 - URLSearchHook: AOL Radio Toolbar Search Class - {69224684-5682-419b-9fe4-ef7946ee3319} - C:\Program Files\AOL Radio Toolbar\aolradiotb.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AOL Radio Toolbar Loader - {2abdb2f7-4cbf-4939-ba12-fddc827b6a2d} - C:\Program Files\AOL Radio Toolbar\aolradiotb.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: AOL Toolbar Loader - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: AOL Radio Toolbar - {9167da98-6f9b-46f1-991d-826cae46cab6} - C:\Program Files\AOL Radio Toolbar\aolradiotb.dll
    O3 - Toolbar: AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142462297\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1142462297\ee\SSCRun.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
    O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [PS121v2] "C:\Program Files\NETGEAR\PS121v2\PS121v2.exe" /hide
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\ReveNEspoir\Application Data\Dealio\kb124\res\DealioSearch.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - https://eformrs.com/RSLoginModule.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
    O16 - DPF: {FFFDF6F2-F7BC-4B90-B789-CB7BBDA13AD6} (CLaunchPrint Object) - http://photosmart.hpphoto.com/Download/HPeServicesLocalPrint.CAB
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1142462297\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

    --
    End of file - 9565 bytes
     
  6. 2010/05/07
    broni

    broni Moderator Malware Analyst

    What is your current AV program?


    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::

    Folder::
    c:\documents and settings\NetworkService\Local Settings\Application Data\xibhuqotg

    Driver::

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001
    "DisableNotifications"=dword:00000000

    RegLockDel::


    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
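As an added example, not part of this thread or of ComboFix itself: a small Python reader that walks a CFScript in the syntax used in the post above and lists what each line would delete or rewrite, so a script can be read through before it is dropped onto ComboFix (here: one folder removed, the two Security Center override values deleted, and the firewall and its notifications switched back on). The section and value syntax it assumes is taken from that script; the sample is the same script, re-typed.

```python
"""Dry-run reader for ComboFix CFScript text (added example, not ComboFix's own code).
Assumed syntax, as in the post above: `Name::` opens a section; lines under File::, Folder::,
Driver:: and RegLockDel:: are paths to remove; Registry:: is .reg-style, where "Name"=- deletes
a value and "Name"=dword:hex sets a DWORD; any other form is rejected rather than guessed at."""
import re
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(-|dword:[0-9A-Fa-f]{8})$')

# Constructed sample: the script from the post above, re-typed without its blank lines.
SAMPLE = r"""File::
Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\xibhuqotg
Driver::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000
RegLockDel::"""

def parse_cfscript(text):
    """Section name -> entries; Registry:: entries are (key, name, action, value)."""
    sections, current, key = {}, None, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if m := SECTION_RE.match(line):
            current, key = m.group(1), None
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        elif current != "Registry":
            sections[current].append(line)           # a path ComboFix would remove
        elif m := KEY_RE.match(line):
            key = m.group(1)                         # [key] applies to the values below it
        elif (m := VALUE_RE.match(line)) and key is not None:
            name, rhs = m.groups()
            if rhs == "-":                           # "Name"=-  : delete the value
                sections[current].append((key, name, "delete", None))
            else:                                    # "Name"=dword:hex : set a DWORD
                sections[current].append((key, name, "set_dword", int(rhs[6:], 16)))
        else:
            raise ValueError(f"bad Registry:: line: {line!r}")
    return sections

def describe(sections):
    """One plain line per action the script would take, in script order."""
    return [f"{sec}: remove {it}" if sec != "Registry" else
            f"Registry: {it[2]} {it[1]!r}{'' if it[3] is None else ' -> ' + str(it[3])} under {it[0]}"
            for sec, items in sections.items() for it in items]
```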
     