Received an email from Facebook and now have some virus on my computer. Downloaded HijackThis v2.0.2 and really don't understand what to do next. Here is the log. Can anyone help me? Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:35 PM, on 12/3/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\WebMediaViewer\hpmon.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\tsnpstd3.exe
C:\Windows\vsnpstd3.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Users\Amy Jarvis\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\McAfee\MSC\mcshell.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [FixCamera] C:\Windows\FixCamera.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\Windows\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\Windows\vsnpstd3.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Users\Amy Jarvis\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://70.90.47.90:86/activex/AMC.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

--
End of file - 9666 bytes
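As an added example (not part of the original thread, and not HijackThis code), here is a small Python triage script for logs in the HijackThis format. It parses the R*/O* entries into a structure, then flags the three patterns a helper looks for first in a log like the one above: registered components whose file is missing, autoruns placed under Policies\Explorer\Run, and O16 ActiveX downloads from a bare IP address. It also groups file targets by directory so that several hooks pointing into one unfamiliar folder stand out together. The sample lines are a constructed subset copied from the log in this post; the class and function names, and the three heuristics themselves, are my own choices for illustration, not rules from the tool.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of lines copied from the HijackThis log in the
# post above (the full log has many more entries; these cover each pattern).
SAMPLE_LOG = r"""
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://70.90.47.90:86/activex/AMC.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?\\Run): \[(?P<label>[^\]]*)\] (?P<target>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'^"?(?P<path>(?:[a-z]:|%[^%]+%)\\.*?\.(?:exe|dll|sys|cpl|ocx))\b', re.IGNORECASE)
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)")
MISSING = " (file missing)"


@dataclass
class Entry:
    section: str                 # HijackThis section code, e.g. "O2", "O4", "O16"
    label: str                   # display name, run-key value name or CLSID description
    target: str                  # file path (possibly with arguments) or URL
    file_missing: bool           # HijackThis could not find the referenced file
    clsid: Optional[str] = None  # upper-cased CLSID when the entry carries one
    hive: Optional[str] = None   # registry location for O4 run-key entries


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; returns None for headers and process lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)]
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None
    run = RUN_RE.match(body)
    if run:  # shape: HKLM\..\Run: [Name] target
        return Entry(section, run.group("label"), run.group("target"), missing, clsid, run.group("hive"))
    # Generic shape: "Kind: Name - {CLSID} - target" (or "DPF: {CLSID} (Name) - url")
    parts = [p.strip() for p in body.split(" - ")]
    head = parts[0].split(": ", 1)
    label = CLSID_RE.sub("", head[1] if len(head) > 1 else head[0]).strip()
    return Entry(section, label, parts[-1], missing, clsid)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def file_path(target: str) -> Optional[str]:
    """Extract the executable/library path from a target, dropping quotes and arguments."""
    m = PATH_RE.match(target)
    return m.group("path") if m else None


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Heuristic flags a helper checks first; each is a reason to look closer, not a verdict."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append((e, "registered component points at a file that no longer exists"))
        if e.hive and "\\Policies\\Explorer\\Run" in e.hive:
            findings.append((e, "autorun under Policies\\Explorer\\Run, rarely used by legitimate installers"))
        if e.section == "O16" and IP_URL_RE.match(e.target):
            findings.append((e, "ActiveX control downloaded from a bare IP address instead of a vendor host"))
    return findings


def targets_by_directory(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group file targets by parent directory so one unfamiliar folder with several hooks stands out."""
    groups: Dict[str, List[Entry]] = {}
    for e in entries:
        path = file_path(e.target)
        if path:
            groups.setdefault(path.rsplit("\\", 1)[0].lower(), []).append(e)
    return groups


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for entry, reason in triage(entries):
        print(f"[{entry.section}] {entry.label}: {entry.target} -> {reason}")
    for directory, hits in targets_by_directory(entries).items():
        if len(hits) > 1:
            print(f"{len(hits)} entries under {directory}")
```

Run against the sample it reports the WebMediaViewer BHO, the two Policies\Explorer\Run autoruns, the two "(file missing)" IE and Winlogon hooks and the O16 download from 70.90.47.90, and shows three separate entries resolving into C:\Program Files\WebMediaViewer. That matches what the later Malwarebytes log in this thread removes, but the flags are only prompts to investigate: a missing file can be a stale uninstall, and a vendor can legitimately serve a control from an IP address, so each hit still needs a look at the file, its signer and its origin.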
Hi ayostos

What symptoms does your computer have?

Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required. Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or double-click the Malwarebytes' Anti-Malware shortcut on your Desktop.

Configuring Malwarebytes
• Click on the tab Settings.
• Make sure only these boxes are checked:
  Terminate Internet Explorer
  Automatically save and display logfile after removal
  Always scan memory objects
  Always scan registry objects
  Always scan filesystem
  Always scan extra and heuristics objects

Updating Malwarebytes
• Click on the tab Update.
• Press the button Check for Updates.
• Wait for Malwarebytes to be fully updated.

Scanning Time
• Click on the tab Scanner.
• Check Perform full scan and click on Scan.
• Wait for the scan to complete, and then click on Show Results.
• Make sure all items are checked, then click on Remove Selected.

**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

Post A Log
• A text box will pop up after the removal process is over. Post the contents of the text here.
• If no text box pops up, launch Malwarebytes, and click on the tab Logs.
• The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
• Post the log here.

Best Regards
The security warning keeps popping up saying a trojan has my personal information. Also, this security page that looks like some sort of Windows manager (the symbol is the same block coloring but a different shape) pops up saying "security manager" and that there is an error on my hard drive and the CD drive; at the bottom there is a box saying "security warning" listing nation:, city:, IP address: and ISP:. I ran the Malwarebytes scan and it couldn't remove some files; it told me to restart, and I did that. Below is the log that pops up after the scan. I'm not sure where to go from here? Thanks for the help you've provided and any additional help.

Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 6.0.6001 Service Pack 1

12/4/2008 12:30:12 PM
mbam-log-2008-12-04 (12-30-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 222277
Time elapsed: 3 hour(s), 55 minute(s), 25 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 25

Memory Processes Infected:
C:\Program Files\WebMediaViewer\hpmon.exe (Trojan.Zlob) -> Unloaded process successfully.

Memory Modules Infected:
C:\Windows\System32\55FF85742B4AF666\55FF85742B4AF666.x86 (Rootkit.Zlob) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64466b8e-20a7-4a4a-aff4-aad9ca68b52c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\webmedia.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Alert Manager (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer add-on (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Toolbar (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vmware hptray (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\quicktime task (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WebMediaViewer (Trojan.Zlob) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\55FF85742B4AF666\55FF85742B4AF666.x86 (Rootkit.Zlob) -> Delete on reboot.
C:\Users\Amy Jarvis\AppData\Local\Temp\qpgiqmsi2.exe (Zlob.Agent) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\AppData\Local\Temp\qpgiqmsi3.exe (Rootkit.Zlob) -> Quarantined and deleted successfully.
C:\Windows\System32\55FF85742B4AF666\55FF85742B4AF666 (Rootkit.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\browseu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\hpmom.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\hpmon.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\hpmun.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myc.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\qttask.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\qttaskm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\qttasku.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\WebMediaViewer\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Amy Jarvis\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Online Antispyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.
Hey ayostos

Now, please download ComboFix. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.

• Run Combo-Fix.exe and follow the prompts.
• Accept the End-User License Agreement. (If the Recovery Console has been installed on your computer, ComboFix will skip the next three steps.)
• Allow the Recovery Console to be installed.
• When you see the window below, click on Yes.
• When the Recovery Console has been installed, click on Yes to start the scan.

**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.

• Wait for the scan to be fully completed.
• If it requires a reboot, please do so.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards
Thanks for the help. It is greatly appreciated. Hopefully this does it. Please let me know. Thanks.

AJ

ComboFix 08-12-06.06 - Amy Jarvis 2008-12-07 11:55:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.280 [GMT -7:00]
Running from: c:\users\Amy Jarvis\Desktop\ComboFix.exe
 * Resident AV is active
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\AutoRun.inf
c:\windows\system32\hpowiax4.dll
c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 11:53 . 2008-12-07 11:54 <DIR> d-------- C:\32788R22FWJFW
2008-12-04 08:26 . 2008-12-04 08:26 <DIR> d-------- c:\users\Amy Jarvis\AppData\Roaming\Malwarebytes
2008-12-04 08:26 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-04 08:25 . 2008-12-04 08:25 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-04 08:25 . 2008-12-04 08:25 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-04 08:25 . 2008-12-04 08:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 08:25 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-03 19:39 . 2008-12-03 19:39 <DIR> d-------- c:\program files\Lavasoft
2008-12-03 19:38 . 2008-12-03 19:46 <DIR> d-------- c:\users\All Users\Lavasoft
2008-12-03 19:38 . 2008-12-03 19:46 <DIR> d-------- c:\programdata\Lavasoft
2008-12-03 19:36 . 2008-12-03 19:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 18:35 . 2008-12-03 18:35 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 09:13 . 2008-12-04 12:34 <DIR> d--hs---- c:\windows\System32\55FF85742B4AF666
2008-12-02 09:40 . 2008-12-02 09:40 <DIR> d-------- c:\program files\Axis Communications
2008-12-01 06:32 . 2008-12-01 06:32 <DIR> d-------- c:\program files\MSECache
2008-11-29 08:07 . 2008-10-16 14:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-29 08:07 . 2008-10-16 13:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-29 08:07 . 2008-10-16 14:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-29 08:07 . 2008-10-16 14:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-29 08:06 . 2008-10-16 14:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-29 08:06 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-29 08:06 . 2008-10-16 13:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-29 08:06 . 2008-10-16 14:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-29 08:06 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-27 18:17 . 2007-03-10 14:43 270,336 --a------ c:\windows\tsnpstd3.exe
2008-11-27 18:17 . 2006-07-03 10:31 94,208 --a------ c:\windows\amcap.exe
2008-11-27 18:16 . 2008-11-27 18:17 <DIR> d-------- c:\program files\Common Files\snpstd3
2008-11-27 18:16 . 2007-02-09 14:13 172,032 --a------ c:\windows\System32\rsnpstd3.dll
2008-11-27 18:16 . 2005-11-23 13:55 53,248 --a------ c:\windows\csnpstd3.dll
2008-11-26 07:29 . 2008-11-26 07:29 <DIR> d-------- c:\users\Amy Jarvis\AppData\Roaming\Yahoo!
2008-11-26 07:28 . 2008-11-26 07:35 <DIR> d-------- c:\users\All Users\Yahoo!
2008-11-26 07:28 . 2008-11-26 07:35 <DIR> d-------- c:\programdata\Yahoo!
2008-11-26 07:28 . 2008-12-04 08:11 <DIR> d-------- c:\program files\Yahoo!
2008-11-26 01:39 . 2008-10-20 22:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-26 01:39 . 2008-08-27 20:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-26 01:39 . 2008-08-27 20:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 01:39 . 2008-08-27 20:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-26 01:39 . 2008-10-21 20:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-24 10:33 . 2008-11-24 10:33 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-15 12:38 . 2007-09-13 14:45 4,947,968 --a------ c:\windows\System32\stacgui.cpl
2008-11-15 12:38 . 2007-04-10 17:02 1,601,536 --a------ c:\windows\System32\stlang.dll
2008-11-15 12:38 . 2007-09-20 14:31 647,168 --a------ c:\windows\System32\aestecap.dll
2008-11-15 12:38 . 2007-09-20 14:31 131,072 --a------ c:\windows\System32\aestacap.dll
2008-11-15 12:38 . 2007-09-13 14:45 102,400 --a------ c:\windows\System32\stacsv.exe
2008-11-15 12:38 . 2007-09-20 14:31 73,728 --a------ c:\windows\System32\AEstSrv.exe
2008-11-15 12:38 . 2007-09-20 14:31 53,248 --a------ c:\windows\System32\aestaren.dll
2008-11-15 12:35 . 2007-09-13 14:46 330,240 --a------ c:\windows\System32\drivers\stwrt.sys
2008-11-15 12:34 . 2008-11-15 12:34 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-11-15 12:34 . 2007-09-13 14:45 595,456 --a------ c:\windows\System32\stapo.dll
2008-11-15 12:34 . 2007-03-05 13:05 492,544 --a------ c:\windows\System32\ctapo32.dll
2008-11-15 12:34 . 2007-09-13 14:45 328,704 --a------ c:\windows\System32\stcplx.dll
2008-11-15 12:34 . 2007-09-13 14:44 299,520 --a------ c:\windows\System32\stapi32.dll
2008-11-15 12:34 . 2007-09-13 14:45 146,944 --a------ c:\windows\System32\st325614.dll
2008-11-15 12:34 . 2007-03-05 13:05 45,568 --a------ c:\windows\System32\ctppld.dll
2008-11-11 15:29 . 2008-08-26 18:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-11 15:28 . 2008-09-09 20:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-11 15:28 . 2008-09-04 22:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-11 07:54 . 2008-11-11 07:54 1,593 --a------ c:\windows\VPNInstall.MIF
2008-11-11 07:52 . 2008-03-29 17:36 125,328 --a------ c:\windows\System32\drivers\dne2000.sys
2008-11-11 07:52 . 2008-03-29 17:36 106,768 --a------ c:\windows\System32\dneinobj.dll
2008-11-11 07:50 . 2008-11-11 07:50 <DIR> d-------- c:\program files\Common Files\Deterministic Networks
2008-11-11 07:50 . 2008-11-11 07:50 <DIR> d-------- c:\program files\Cisco Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 19:34 --------- d-----w c:\program files\McAfee
2008-11-28 01:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 17:33 --------- d-----w c:\program files\Microsoft Works
2008-11-02 15:59 --------- d-----w c:\programdata\HP
2008-11-02 15:57 --------- d-----w c:\programdata\WEBREG
2008-11-02 15:55 --------- d-----w c:\users\Amy Jarvis\AppData\Roaming\HPAppData
2008-11-02 15:55 --------- d-----w c:\programdata\HPSSUPPLY
2008-11-02 15:55 --------- d-----w c:\program files\HP
2008-11-02 15:52 --------- d-----w c:\programdata\HP Product Assistant
2008-11-02 15:52 --------- d-----w c:\program files\Common Files\HP
2008-11-02 15:51 --------- d-----w c:\program files\Hewlett-Packard
2008-11-02 15:51 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-11-02 15:49 --------- d-----w c:\programdata\Hewlett-Packard
2008-11-02 15:33 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-10-26 21:14 --------- d-----w c:\programdata\NOS
2008-10-26 21:14 --------- d-----w c:\program files\NOS
2008-10-26 21:02 --------- d-----w c:\programdata\SiteAdvisor
2008-10-26 21:02 --------- d-----w c:\programdata\McAfee
2008-10-26 20:41 --------- d-----w c:\users\Amy Jarvis\AppData\Roaming\McAfee
2008-10-26 15:18 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-26 15:17 --------- d-----w c:\program files\Microsoft.NET
2008-10-26 15:03 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-26 15:02 --------- d-----w c:\program files\Common Files\Adobe
2008-10-26 02:45 174 --sha-w c:\program files\desktop.ini
2008-10-26 02:33 --------- d-----w c:\program files\Windows Sidebar
2008-10-26 02:33 --------- d-----w c:\program files\Windows Calendar
2008-10-26 02:32 --------- d-----w c:\program files\Windows Photo Gallery
2008-10-26 02:32 --------- d-----w c:\program files\Windows Mail
2008-10-26 02:32 --------- d-----w c:\program files\Windows Journal
2008-10-26 02:32 --------- d-----w c:\program files\Windows Defender
2008-10-26 02:32 --------- d-----w c:\program files\Windows Collaboration
2008-10-25 21:56 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-10-25 21:56 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-10-11 16:49 --------- d-----w c:\program files\SigmaTel
2008-10-11 16:36 --------- d-----w c:\program files\Dell
2008-10-11 16:04 --------- d-----w c:\program files\Intel
2008-10-11 15:51 --------- d-----w c:\program files\Broadcom
2008-10-11 15:46 --------- d-----w c:\programdata\Citrix
2008-10-11 15:45 61,224 ----a-w c:\users\Amy Jarvis\GoToAssistDownloadHelper.exe
2008-10-11 15:45 --------- d-----w c:\program files\Citrix
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-25 10:03 269,312 ----a-w c:\windows\System32\es.dll
2008-09-23 05:54 61,440 ----a-w c:\windows\System32\winipsec.dll
2008-09-23 05:54 361,984 ----a-w c:\windows\System32\IPSECSVC.DLL
2008-09-23 05:54 28,672 ----a-w c:\windows\System32\FwRemoteSvr.dll
2008-09-23 05:54 272,896 ----a-w c:\windows\System32\polstore.dll
2008-09-23 05:51 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-09-23 05:51 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-09-23 05:51 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-09-23 05:51 28,160 ----a-w c:\windows\System32\Apphlpdm.dll
2008-09-23 05:51 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-09-23 05:51 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-09-23 05:51 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-09-23 05:51 1,695,744 ----a-w c:\windows\System32\gameux.dll
2008-09-23 05:40 2,048 ----a-w c:\windows\System32\tzres.dll
2008-09-23 05:34 303,616 ----a-w c:\windows\System32\wmpeffects.dll
2008-09-23 05:21 9,847,296 ----a-w c:\windows\System32\NlsData000a.dll
2008-09-23 05:18 181,760 ----a-w c:\windows\System32\fsquirt.exe
2008-09-23 05:16 988,216 ----a-w c:\windows\System32\winload.exe
2008-09-23 05:16 927,288 ----a-w c:\windows\System32\winresume.exe
2008-09-23 05:16 615,992 ----a-w c:\windows\System32\ci.dll
2008-09-23 05:16 6,656 ----a-w c:\windows\System32\kbd106n.dll
2008-09-23 05:16 46,592 ----a-w c:\windows\System32\setbcdlocale.dll
2008-09-23 05:16 40,960 ----a-w c:\windows\System32\srclient.dll
2008-09-23 05:16 378,368 ----a-w c:\windows\System32\srcore.dll
2008-09-23 05:16 318,464 ----a-w c:\windows\System32\rstrui.exe
2008-09-23 05:16 19,000 ----a-w c:\windows\System32\kd1394.dll
2008-09-23 05:16 14,848 ----a-w c:\windows\System32\srdelayed.exe
2008-09-23 05:13 295,936 ----a-w c:\windows\System32\gdi32.dll
2008-09-23 05:10 14,848 ----a-w c:\windows\System32\wshrm.dll
2008-09-23 05:07 84,480 ----a-w c:\windows\System32\INETRES.dll
2008-09-23 05:07 738,304 ----a-w c:\windows\System32\inetcomm.dll
2008-09-23 05:07 1,314,816 ----a-w c:\windows\System32\quartz.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-09-30 171448]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"Google Update"="c:\users\Amy Jarvis\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-27 133104]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 c:\windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2008-11-11 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E5495DBB-AD3D-4CD1-9D8B-7489846B7769}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{3E168AAF-2331-4D42-A610-34444C3A3CCD}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{AFECB509-49EF-4643-9399-814037B9C070}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{B046A0F0-4584-47A1-BA68-4E42A55FDD1A}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{8CAD2C21-4932-4761-9A3E-63A65C429FE8}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{531FF2CC-EEBA-4B0D-9EB6-96FE8A23EC35}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E98D1339-3610-4394-9F00-51C1710590BA}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-11-15 73728]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-26 203280]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-26 179712]
S3 GoToAssist;GoToAssist;"c:\program files\Citrix\GoToAssist\514\g2aservice.exe" Start=service [2008-10-11 16680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afe9ed4a-8b4d-11dd-894b-980e8620a72b}]
\shell\AutoRun\command - f:\wd_windows_tools\setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Amy Jarvis\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-27 18:36]

2008-09-23 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-09-23 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-FixCamera - c:\windows\FixCamera.exe
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://70.90.47.90:86/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 12:01:05
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-07 12:05:14
ComboFix-quarantined-files.txt 2008-12-07 19:05:10

Pre-Run: 81,412,227,072 bytes free
Post-Run: 82,826,866,688 bytes free

253 --- E O F --- 2008-12-02 10:05:09