Posted July 19, 2009

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:43 AM, on 7/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James Larsen\Desktop\Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Qwest
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.206.201.8 private.microsoft.com
O1 - Hosts: 91.206.201.8 avir-guardian.com
O1 - Hosts: 91.206.201.8 www.avir-guardian.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {6370284D-00DB-470F-B689-7CEF8CFB8A3A} - http://qwest.live.com (file missing) (HKCU)
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - https://ra.qwest.com/sdccommon/download/tgctlins.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--
End of file - 8539 bytes
July 19, 2009, Administrator

You may want to switch from Windows Live OneCare to avast. I'd highly recommend uninstalling any/all toolbars too. It appears you're still infected. Please post your last Malwarebytes logfile.

Generated by Tarun of Lunarsoft's HijackThis Converter v0.53 Beta. Default-color items are optional, red are known to be malicious.

Created registry value
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

Changed registry value
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

Created registry value
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Qwest

Malware added these
O1 - Hosts: 91.206.201.8 private.microsoft.com
O1 - Hosts: 91.206.201.8 avir-guardian.com
O1 - Hosts: 91.206.201.8 www.avir-guardian.com

Enumeration of existing IE's BHO's
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

Enumeration of existing IE's toolbars
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

Extra IE context menu items
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx

Extra "Tools" menu items and buttons
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Qwest Live - {6370284D-00DB-470F-B689-7CEF8CFB8A3A} - http://qwest.live.com (file missing) (HKCU)

Downloaded Program Files item
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - https://ra.qwest.com...ad/tgctlins.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
July 19, 2009, Author

Here is the last Malwarebytes log:

Malwarebytes' Anti-Malware 1.39
Database version: 2462
Windows 5.1.2600 Service Pack 3

7/18/2009 10:00:18 PM
mbam-log-2009-07-18 (22-00-18).txt

Scan type: Quick Scan
Objects scanned: 105413
Time elapsed: 14 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\james larsen\Desktop\ZwinkySetup2.3.50.45.ZJfox000.exe (Adware.MyWeb) -> Quarantined and deleted successfully.
July 20, 2009, Author

Here is the ComboFix log for comp 2; this was run without the CFScript:

ComboFix 09-07-19.04 - James Larsen 07/19/2009 21:43.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.109 [GMT -7:00]
Running from: c:\documents and settings\James Larsen\My Documents\Downloads\ComboFix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.
((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.
2009-07-19 06:16 . 2009-07-19 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-19 06:16 . 2009-07-19 06:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-19 05:12 . 2009-07-19 05:13 117760 ----a-w- c:\documents and settings\James Larsen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-19 05:12 . 2009-07-19 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-19 05:12 . 2009-07-19 05:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-19 05:12 . 2009-07-19 05:12 -------- d-----w- c:\documents and settings\James Larsen\Application Data\SUPERAntiSpyware.com
2009-07-19 04:40 . 2009-07-19 04:40 -------- d-----w- c:\documents and settings\James Larsen\Application Data\Malwarebytes
2009-07-19 04:40 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 04:40 . 2009-07-19 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-19 04:40 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 04:40 . 2009-07-19 04:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 04:21 . 2009-07-19 04:34 -------- d-----w- c:\program files\CCleaner
2009-07-19 04:16 . 2009-07-19 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-19 04:15 . 2005-08-26 02:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-07-19 04:14 . 2009-07-19 04:18 -------- d-----w- c:\program files\SpywareBlaster
2009-07-19 04:02 . 2009-07-19 04:02 -------- d-----w- c:\documents and settings\James Larsen\Local Settings\Application Data\Lunarsoft
2009-07-19 04:02 . 2009-07-19 04:02 -------- d-----w- c:\program files\Lunarsoft
2009-07-19 01:56 . 2009-07-19 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-07-18 23:43 . 2009-07-18 23:44 -------- d-----w- c:\documents and settings\James Larsen\Local Settings\Application Data\Qwest
2009-07-18 23:43 . 2009-07-18 23:43 -------- d-----w- c:\program files\Qwest Personal Digital Vault
2009-07-18 22:47 . 2009-07-18 22:47 -------- d-sh--w- c:\documents and settings\James Larsen\PrivacIE
2009-07-17 16:27 . 2009-07-17 16:27 -------- d-sh--w- c:\documents and settings\Jaedyn\IETldCache
2009-07-16 19:42 . 2009-07-16 19:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-16 19:39 . 2009-07-16 19:39 -------- d-sh--w- c:\documents and settings\James Larsen\IETldCache
2009-07-16 19:11 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-16 19:10 . 2009-07-16 19:11 -------- d-----w- c:\windows\ie8updates
2009-07-16 19:09 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-16 19:09 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-16 19:05 . 2009-07-16 19:08 -------- dc-h--w- c:\windows\ie8
2009-07-02 17:36 . 2009-07-02 17:42 -------- d-----w- c:\documents and settings\James Larsen\Local Settings\Application Data\Thunderbird
2009-07-02 17:36 . 2009-07-02 17:37 -------- d-----w- c:\documents and settings\James Larsen\Application Data\Thunderbird
2009-07-02 17:36 . 2009-07-19 21:49 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-02 14:00 . 2009-07-02 13:58 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-02 13:53 . 2009-07-02 13:53 152576 ----a-w- c:\documents and settings\James Larsen\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-25 13:40 . 2009-06-25 13:40 -------- d-----w- c:\documents and settings\James Larsen\.GalleryRemote
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 04:38 . 2009-01-15 01:55 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-07-20 04:33 . 2008-05-09 01:32 -------- d-----w- c:\program files\Google
2009-07-19 21:59 . 2008-03-12 02:18 -------- d-----w- c:\program files\Valu-Soft
2009-07-19 21:54 . 2008-05-04 04:39 -------- d-----w- c:\program files\Yahoo!
2009-07-19 05:10 . 2008-02-21 07:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-19 04:31 . 2008-02-06 20:15 -------- d-----w- c:\documents and settings\James Larsen\Application Data\Azureus
2009-07-18 22:39 . 2008-02-21 05:41 -------- d-----w- c:\documents and settings\James Larsen\Application Data\Hamachi
2009-07-18 22:25 . 2009-01-15 01:10 -------- d-----w- c:\program files\Qwest
2009-07-16 18:59 . 2009-01-17 23:36 -------- d-----w- c:\documents and settings\James Larsen\Application Data\HPAppData
2009-07-03 17:33 . 2008-05-03 16:04 -------- d-----w- c:\documents and settings\James Larsen\Application Data\LimeWire
2009-07-02 13:58 . 2008-01-25 05:20 -------- d-----w- c:\program files\Java
2009-06-29 18:22 . 2009-02-20 16:22 1 ----a-w- c:\documents and settings\James Larsen\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 01:45 . 2008-03-05 21:38 2404 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-31 04:57 . 2008-01-24 05:36 2180 ----a-w- c:\windows\system32\d3d8caps.dat
2009-05-28 04:09 . 2009-05-28 03:49 -------- d-----w- c:\program files\Sony Online Entertainment
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 00:24 . 2009-01-24 15:30 69352 ----a-w- c:\documents and settings\Jaedyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 15:05 . 2009-07-16 18:43 69352 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 15:05 . 2009-01-24 03:08 69352 ----a-w- c:\documents and settings\Default User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-20 04:38 . 2009-01-23 16:05 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-07-20_02.31.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-20 04:34 . 2009-07-20 04:34 16384 c:\windows\Temp\Perflib_Perfdata_9c.dat
+ 2009-07-20 04:37 . 2009-07-20 04:37 16384 c:\windows\Temp\Perflib_Perfdata_61c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-25 5898240]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-02 148888]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-25 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-25 1519616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2009-03-04 181624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^James Larsen^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\James Larsen\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James Larsen^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\James Larsen\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57352:TCP"= 57352:TCP:Pando Media Booster
"57352:UDP"= 57352:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [4/11/2009 1:28 PM 55152]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [3/22/2009 10:59 AM 24936]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [8/12/2008 2:53 PM 1213728]
R3 PCnetHL;AMD PCnet-Home Adapter Driver;c:\windows\system32\drivers\pcntn5hl.sys [2/20/2008 1:53 PM 30282]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [7/11/2001 12:06 PM 23153]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 Gcr432;Gcr432;c:\windows\system32\drivers\gcr432.sys [10/4/2001 4:18 PM 53701]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-20 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-03-04 04:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
FF - ProfilePath - c:\documents and settings\James Larsen\Application Data\Mozilla\Firefox\Profiles\8xo1ljg5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 21:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2356)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-20 22:01
ComboFix-quarantined-files.txt 2009-07-20 05:01
ComboFix2.txt 2009-07-20 02:45

Pre-Run: 2,890,584,064 bytes free
Post-Run: 2,846,138,368 bytes free

252 --- E O F --- 2009-07-16 18:22
July 20, 2009 (Author)
Here is the Combofix log file using the CFScript:

ComboFix 09-07-19.04 - James Larsen 07/19/2009 22:11.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.166 [GMT -7:00]
Running from: c:\documents and settings\James Larsen\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\James Larsen\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.
((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.
2009-07-19 06:16 . 2009-07-19 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-19 06:16 . 2009-07-19 06:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-19 05:12 . 2009-07-19 05:13 117760 ----a-w- c:\documents and settings\James Larsen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-19 05:12 . 2009-07-19 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-19 05:12 . 2009-07-19 05:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-19 05:12 . 2009-07-19 05:12 -------- d-----w- c:\documents and settings\James Larsen\Application Data\SUPERAntiSpyware.com
2009-07-19 04:40 . 2009-07-19 04:40 -------- d-----w- c:\documents and settings\James Larsen\Application Data\Malwarebytes
2009-07-19 04:40 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 04:40 . 2009-07-19 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-19 04:40 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 04:40 . 2009-07-19 04:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 04:21 . 2009-07-19 04:34 -------- d-----w- c:\program files\CCleaner
2009-07-19 04:16 . 2009-07-19 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-19 04:15 . 2005-08-26 02:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-07-19 04:14 . 2009-07-19 04:18 -------- d-----w- c:\program files\SpywareBlaster
2009-07-19 04:02 . 2009-07-19 04:02 -------- d-----w- c:\documents and settings\James Larsen\Local Settings\Application Data\Lunarsoft
2009-07-19 04:02 . 2009-07-19 04:02 -------- d-----w- c:\program files\Lunarsoft
2009-07-19 01:56 . 2009-07-19 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-07-18 23:43 . 2009-07-18 23:44 -------- d-----w- c:\documents and settings\James Larsen\Local Settings\Application Data\Qwest
2009-07-18 23:43 . 2009-07-18 23:43 -------- d-----w- c:\program files\Qwest Personal Digital Vault
2009-07-18 22:47 . 2009-07-18 22:47 -------- d-sh--w- c:\documents and settings\James Larsen\PrivacIE
2009-07-17 16:27 . 2009-07-17 16:27 -------- d-sh--w- c:\documents and settings\Jaedyn\IETldCache
2009-07-16 19:42 . 2009-07-16 19:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-16 19:39 . 2009-07-16 19:39 -------- d-sh--w- c:\documents and settings\James Larsen\IETldCache
2009-07-16 19:11 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-16 19:10 . 2009-07-16 19:11 -------- d-----w- c:\windows\ie8updates
2009-07-16 19:09 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-16 19:09 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-16 19:05 . 2009-07-16 19:08 -------- dc-h--w- c:\windows\ie8
2009-07-02 17:36 . 2009-07-02 17:42 -------- d-----w- c:\documents and settings\James Larsen\Local Settings\Application Data\Thunderbird
2009-07-02 17:36 . 2009-07-02 17:37 -------- d-----w- c:\documents and settings\James Larsen\Application Data\Thunderbird
2009-07-02 17:36 . 2009-07-19 21:49 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-02 14:00 . 2009-07-02 13:58 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-02 13:53 . 2009-07-02 13:53 152576 ----a-w- c:\documents and settings\James Larsen\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-25 13:40 . 2009-06-25 13:40 -------- d-----w- c:\documents and settings\James Larsen\.GalleryRemote
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 04:38 . 2009-01-15 01:55 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-07-20 04:33 . 2008-05-09 01:32 -------- d-----w- c:\program files\Google
2009-07-19 21:59 . 2008-03-12 02:18 -------- d-----w- c:\program files\Valu-Soft
2009-07-19 21:54 . 2008-05-04 04:39 -------- d-----w- c:\program files\Yahoo!
2009-07-19 05:10 . 2008-02-21 07:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-19 04:31 . 2008-02-06 20:15 -------- d-----w- c:\documents and settings\James Larsen\Application Data\Azureus
2009-07-18 22:39 . 2008-02-21 05:41 -------- d-----w- c:\documents and settings\James Larsen\Application Data\Hamachi
2009-07-18 22:25 . 2009-01-15 01:10 -------- d-----w- c:\program files\Qwest
2009-07-16 18:59 . 2009-01-17 23:36 -------- d-----w- c:\documents and settings\James Larsen\Application Data\HPAppData
2009-07-03 17:33 . 2008-05-03 16:04 -------- d-----w- c:\documents and settings\James Larsen\Application Data\LimeWire
2009-07-02 13:58 . 2008-01-25 05:20 -------- d-----w- c:\program files\Java
2009-06-29 18:22 . 2009-02-20 16:22 1 ----a-w- c:\documents and settings\James Larsen\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 01:45 . 2008-03-05 21:38 2404 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-31 04:57 . 2008-01-24 05:36 2180 ----a-w- c:\windows\system32\d3d8caps.dat
2009-05-28 04:09 . 2009-05-28 03:49 -------- d-----w- c:\program files\Sony Online Entertainment
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 00:24 . 2009-01-24 15:30 69352 ----a-w- c:\documents and settings\Jaedyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 15:05 . 2009-07-16 18:43 69352 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 15:05 . 2009-01-24 03:08 69352 ----a-w- c:\documents and settings\Default User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-20 04:38 . 2009-01-23 16:05 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-07-20_02.31.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-20 05:25 . 2009-07-20 05:25 16384 c:\windows\Temp\Perflib_Perfdata_5f0.dat
+ 2009-07-20 05:28 . 2009-07-20 05:28 16384 c:\windows\Temp\Perflib_Perfdata_164.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-25 5898240]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-02 148888]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-25 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-25 1519616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2009-03-04 181624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^James Larsen^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\James Larsen\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James Larsen^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\James Larsen\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57352:TCP"= 57352:TCP:Pando Media Booster
"57352:UDP"= 57352:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [4/11/2009 1:28 PM 55152]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [3/22/2009 10:59 AM 24936]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [8/12/2008 2:53 PM 1213728]
R3 PCnetHL;AMD PCnet-Home Adapter Driver;c:\windows\system32\drivers\pcntn5hl.sys [2/20/2008 1:53 PM 30282]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [7/11/2001 12:06 PM 23153]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 Gcr432;Gcr432;c:\windows\system32\drivers\gcr432.sys [10/4/2001 4:18 PM 53701]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-20 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-03-04 04:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
FF - ProfilePath - c:\documents and settings\James Larsen\Application Data\Mozilla\Firefox\Profiles\8xo1ljg5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 22:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(548)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-20 22:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-20 05:34
ComboFix2.txt 2009-07-20 05:01
ComboFix3.txt 2009-07-20 02:45
Pre-Run: 2,887,442,432 bytes free
Post-Run: 2,866,663,424 bytes free
268 --- E O F --- 2009-07-16 18:22
July 20, 2009 (Author)
I also ran full scans with MBAM and SuperAntiSpyware on this comp. Here are the logs from those:

Malwarebytes' Anti-Malware 1.39
Database version: 2464
Windows 5.1.2600 Service Pack 3

7/20/2009 1:09:06 AM
mbam-log-2009-07-20 (01-09-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 192911
Time elapsed: 2 hour(s), 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\DivX\divx converter\pS2Xx.ddc (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\DivX\divx player\pS2Xx.ddc (Backdoor.Bot) -> Quarantined and deleted successfully.

_____________________________________________________________________________________________________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/20/2009 at 09:02 AM

Application Version : 4.26.1006

Core Rules Database Version : 3952
Trace Rules Database Version: 1943

Scan type : Complete Scan
Total Scan Time : 01:35:30

Memory items scanned : 461
Memory threats detected : 0
Registry items scanned : 5031
Registry threats detected : 0
File items scanned : 21939
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\James Larsen\Cookies\james_larsen@atdmt[2].txt
C:\Documents and Settings\LocalService\Cookies\system@atdmt[2].txt

__________________________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:40 AM, on 7/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James Larsen\Desktop\Download\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickCare2.2] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {6370284D-00DB-470F-B689-7CEF8CFB8A3A} - http://qwest.live.com (file missing) (HKCU)
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - https://ra.qwest.com/sdccommon/download/tgctlins.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--
End of file - 7616 bytes

___________________________________________________________________________________________________________________

Also OneCare is finding a trojan. Here is the OneCare log for the last 24 hrs:

7/20/2009 8:11 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:Win32/FakeSpypro
Detection Date and Time: 7/20/2009 8:07 AM
File Name: C:\System Volume Information\_restore{D9169744-9BED-4586-8250-6269661F2E09}\RP301\A0155579.exe
Threat Severity: High
Threat Category: Trojan
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS)
Threat Status: Removed

7/20/2009 8:11 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:Win32/FakeSpypro
Detection Date and Time: 7/20/2009 8:07 AM
File Name: C:\System Volume Information\_restore{D9169744-9BED-4586-8250-6269661F2E09}\RP301\A0155580.exe
Threat Severity: High
Threat Category: Trojan
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS)
Threat Status: Removed

7/20/2009 8:06 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:Win32/FakeSpypro
Detection Date and Time: 7/20/2009 8:06 AM
File Name: C:\System Volume Information\_restore{D9169744-9BED-4586-8250-6269661F2E09}\RP301\A0155580.exe
Threat Severity: High
Threat Category: Trojan
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS_INFECTED)
Threat Status: Detected

7/20/2009 8:06 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:Win32/FakeSpypro
Detection Date and Time: 7/20/2009 8:06 AM
File Name: C:\System Volume Information\_restore{D9169744-9BED-4586-8250-6269661F2E09}\RP301\A0155579.exe
Threat Severity: High
Threat Category: Trojan
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS_INFECTED)
Threat Status: Detected

7/20/2009 2:05 AM Virus and spyware scan was completed
Scanned Items: -
Scan Type: Custom Scan
Scan StartTime: 7/20/2009 1:24 AM
Scan EndTime: 7/20/2009 2:05 AM
Total Number of Files Scanned: 95470
Total Number of Files Not Scanned: 0
Total Number of Threats Found: 0
Total Number of Threats Cleaned: 0
Total Number of Threats Removed: 0
Total Number of Threats Quarantined: 0
Total Number of Threats Still Present But Suspended: 0

7/20/2009 12:08 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:Win32/FakeSpypro
Detection Date and Time: 7/20/2009 12:08 AM
File Name: C:\System Volume Information\_restore{D9169744-9BED-4586-8250-6269661F2E09}\RP301\A0155580.exe
Threat Severity: High
Threat Category: Trojan
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS_INFECTED)
Threat Status: Detected

7/20/2009 12:08 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: Trojan:Win32/FakeSpypro
Detection Date and Time: 7/20/2009 12:08 AM
File Name: C:\System Volume Information\_restore{D9169744-9BED-4586-8250-6269661F2E09}\RP301\A0155579.exe
Threat Severity: High
Threat Category: Trojan
Virus and spyware monitoring found potentially unwanted software: (ANTIVIRUS_ONACCESS_INFECTED)
Threat Status: Detected

7/19/2009 10:52 PM Virus and spyware monitoring was turned on

7/19/2009 9:38 PM Successfully updated signatures from: AV Delta:(1.61.1867.0), AV Base:(1.61.0.0), AS Delta:(1.61.1867.0), AS Base:(1.61.0.0), AM Engine:(1.1.4803.0) to: AV Delta:(1.61.1908.0), AV Base:(1.61.0.0), AS Delta:(1.61.1908.0), AS Base:(1.61.0.0), AM Engine:(1.1.4803.0) 7/19/2009 9:38 PM

7/19/2009 6:53 PM Virus and spyware monitoring was turned off

7/18/2009 9:36 PM Virus and spyware monitoring was turned on

7/18/2009 3:44 PM Successfully updated signatures from: AV Delta:(1.61.1700.0), AV Base:(1.61.0.0), AS Delta:(1.61.1700.0), AS Base:(1.61.0.0), AM Engine:(1.1.4803.0) to: AV Delta:(1.61.1867.0), AV Base:(1.61.0.0), AS Delta:(1.61.1867.0), AS Base:(1.61.0.0), AM Engine:(1.1.4803.0) 7/18/2009 3:44 PM
July 20, 2009, Administrator

For the virus in your System Restore, go ahead and create a new system restore point and then remove the old points using Disk Cleanup. Your log looks clean; are you still experiencing any symptoms? These lines should be removed with HJT:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
July 20, 2009, Author

System seems to be operating much better, thanks again for all your help! I think the only problem left is the age of the comp (Compaq 5000 series 750MHz AMD Duron originally loaded with ME). Again, you were awesome to work with and probably saved me from formatting.