LJP

Malware, Virus(s), & Spyware

15 posts in this topic

I have been experiencing pop-ups (advertising), system sluggishness & sporadic behavior. I'm running WinXP SP3 w/ Verizon security suite. There were 3 viruses detected, Win32/FakeAV.A, JS/FakeAV.A, JS/Agent.FA; lots of spyware: Zlob.PornAdvertiser.Xplisit, Spyware.IEMonster.b, etc., & I was alerted by the ANTIVIRUS 2008 Windows security look-alike but declined any assistance. I followed the steps in the forum facts & have attached 2 separate logs, from Malwarebytes' Anti-Malware & HJT. I need advice & specific direction from a professional on what to delete & how to effectively & completely rid my system of these nuisances. Thanks.

 

Malwarebytes' Anti-Malware 1.23

Database version: 1006

Windows 5.1.2600 Service Pack 3

 

7:16:19 AM 7/29/2008

mbam-log-7-29-2008 (07-16-19).txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 123374

Time elapsed: 2 hour(s), 13 minute(s), 44 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 4

Registry Keys Infected: 29

Registry Values Infected: 3

Registry Data Items Infected: 2

Folders Infected: 27

Files Infected: 74

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

C:\WINDOWS\system32\yaywwTlj.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\awtQKExY.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\fpwzws.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\nfavxwdbsxb.dll (Trojan.FakeAlert) -> Delete on reboot.

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37781f08-0bae-4492-ac8e-2e9de8373ea9} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{37781f08-0bae-4492-ac8e-2e9de8373ea9} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca0254dd-1948-4d52-9f2f-20fb7587d32e} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ca0254dd-1948-4d52-9f2f-20fb7587d32e} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{267212fe-b77a-4c83-bb75-3f84b52a3bee} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{267212fe-b77a-4c83-bb75-3f84b52a3bee} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqkexy (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{cf269089-ee76-400b-8f5b-e0191aff6051} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{5a945e54-93e0-4cf7-87e8-fae4cde5e075} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{b5f63f48-0e28-4b37-9536-6e5588cbcaee} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\edfqvrw.bdgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc7l6j0el7m (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\rhc7l6j0el7m (Rogue.Multiple) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\alotToolbar (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\seekmosa (Adware.Seekmo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{2a9805a1-fe72-4b17-98e7-958312ea56aa} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{951ccafd-23f9-4013-9a5d-96b970052291} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{ad730a0b-b21e-421b-abe3-1b6563d2cee7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{aefff7d6-917c-4d8d-a780-7c2d69f1b01a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aefff7d6-917c-4d8d-a780-7c2d69f1b01a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{267212fe-b77a-4c83-bb75-3f84b52a3bee} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wnslvxtf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\yaywwtlj -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yaywwtlj -> Delete on reboot.

 

Folders Infected:

C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\systemerrorfixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

C:\GA6P1 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\GA6P1\Quar (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.

C:\Program Files\alot (Adware.BHO) -> Quarantined and deleted successfully.

C:\Program Files\alot\bin (Adware.BHO) -> Quarantined and deleted successfully.

C:\Program Files\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\alot (Adware.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

 

Files Infected:

C:\WINDOWS\system32\yaywwTlj.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\jlTwwyay.ini (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\jlTwwyay.ini2 (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\fpwzws.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\ricgmuox.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\xoumgcir.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\awtQKExY.dll (Trojan.Vundo) -> Delete on reboot.

C:\Program Files\alot\bin\alot.dll (Adware.BHO) -> Quarantined and deleted successfully.

C:\a (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\3.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\4.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\5.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\7.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\SpyShredder\SpyShredder1.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\SpyShredder\SpyShredder2.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\SpyShredder\SpyShredder3.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1067\A0164214.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1067\A0164215.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1067\A0164216.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1067\A0164217.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1067\A0164218.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164411.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164412.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164413.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164431.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164432.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164433.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\WINDOWS\eovp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Sys422.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Sys423.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Sys424.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Sys425.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Sys426.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nkpykmkj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\azrfih.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\E2.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pphc3l6j0el7m.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kvbuirjy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\txztss.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mnjknffr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\qoMEWppm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\sex1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Program Files\PCHealthCenter\sex2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\em (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\oid (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\user (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

C:\Program Files\alot\alotUninst.exe (Adware.BHO) -> Quarantined and deleted successfully.

C:\Program Files\VAV\vav.cpl (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

C:\Program Files\VAV\vav.ooo (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

C:\Program Files\VAV\vav0.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

C:\Program Files\VAV\vav1.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sex1.ico (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sex2.ico (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vav.cpl (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\nfavxwdbsxb.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\system32\blphc3l6j0el7m.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lphc3l6j0el7m.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\phc3l6j0el7m.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:07:58, on 11/17/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe

C:\Program Files\MSN\MSNCoreFiles\MSN.EXE

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"

O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {A2721B6E-0000-0000-0000-000000000000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe

O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe

O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

 

--

End of file - 10782 bytes


O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {A2721B6E-0000-0000-0000-000000000000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe

O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe

O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

 

--

End of file - 10782 bytes


Hi LJP,

 

Welcome to the SWI forums. My name is SpotCheckBilly (SCB for short) and I will be happy to help you.

 

===Very Important===

The instructions in this thread have been specifically designed for THIS USER'S MACHINE ONLY. You should not use these instructions to clean your machine. Doing so could cause irreparable damage to your machine. If you need assistance, please start your own thread.

=================

 

A couple of important things to keep in mind during our fix.

  • Please >>DO NOT<< run any scans/tools or other fixes unless I ask you to.
  • Please DO NOT install any software while we are working.
  • While the fix is in progress, do not skip any steps. With some infections, skipping a step can be disastrous.
  • If you are running P2P filesharing program(s), my recommendation is that you uninstall it/them.
  • If you are running any cracked/pirated software, REMOVE it before proceeding. Many helpers -- myself included -- will not assist you if you are using such software.

Remember, we are in this process together. We must cooperate with each other or the fix will surely fail. If there is something you don't understand or are unsure of -- please stop and take a moment to ask about it.

 

That being said, let's get started. :)

 

Part of the sluggishness problem comes from having more than one active anti-malware module running at a time. I see Verizon Internet Security Suite as well as Spybot S & D's Tea Timer. These programs will conflict with each other which will cause performance problems as well as reduced system security. You should disable Tea Timer (you can certainly keep Spybot S & D as an on-demand scanner should you choose).

 

Next, the build of your Malwarebytes Anti-Malware is quite outdated. The current build is 1.30 database version 1410. I would recommend that you update and rescan since the current version does a much better job of cleaning up the infection that you have.

 

Finally, let's download and run a scan with ComboFix as follows:

 

Download ComboFix from one of these locations:

A word of warning: Please DO NOT run ComboFix on your own. Used incorrectly, it can render your computer completely useless.

 

>>>If you already have Combofix, delete previous copy(s) and download the latest version.<<<

 

Link 1

Link 2

Link 3

 

Save ComboFix.exe to your Desktop

 

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before continuing the scan. They can interfere with ComboFix and may cause unpredictable results. Note: Combofix will disconnect you from the Internet, then restore your connection as it finishes.

 

Double click on ComboFix.exe.

  • Follow the prompts. NOTE:
    ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
     
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

 

[screenshot: RcAuto1.gif]

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

[screenshot: whatnext.png]

 

***If you have an always on Internet connection, unplug from your DSL/cable modem before proceeding. Reconnect only after Combofix has finished its scan.***

  • Click on Yes, to allow Combofix to finish its scan. This can take a while, so please be patient.
  • When finished, it will produce a report for you at C:\ComboFix.txt.

***Do not mouse-click ComboFix's window while it's running. That may cause it to stall.***

 

In your next post, please include

  • A new Hijackthis log.
  • C:\ComboFix.txt.
  • The results of the Malwarebytes Anti-Malware scan.

>>>use separate posts if necessary to ensure the logs don't get cut off!<<<

 

We'll take it from there. :wave: SCB


The only reason I downloaded Spybot was because that's what the forum instructions said to do; I normally only have Verizon Security Suite as my active program. Also, my system was sluggish even before I downloaded Spybot. Should I completely remove it? If so, should I do a recovery first? Finally, I updated Malwarebytes to 1.30, & attached is the new log. Thanks

 

Malwarebytes' Anti-Malware 1.30

Database version: 1410

Windows 5.1.2600 Service Pack 3

 

11/19/2008 12:34:51 AM

malware log file.txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 135885

Time elapsed: 2 hour(s), 52 minute(s), 0 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 13

Files Infected: 7

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7545d8c8-f53c-4e2f-8fa0-d248ef4a6e61} (Rogue.Installer) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76f30661-76c7-48cd-b18e-64f388ae030b} (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d573edd4-5dea-4df1-9d5a-329d6861edc8} (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{267212fe-b77a-4c83-bb75-3f84b52a3bee} (Trojan.Vundo) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc7l6j0el7m (Rogue.AntivirusXP2008) -> No action taken.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus (Rogue.TrustedAntivirus) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs (Rogue.TrustedAntivirus) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKCU (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKLM (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\BrowserObjects (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Packages (Rogue.Multiple) -> No action taken.

 

Files Infected:

C:\Documents and Settings\Eric Dent\My Documents\My Videos\Saved\big cock threesome fucking sex\Setup.exe (Adware.Agent) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\avtasks.dat (Rogue.TrustedAntivirus) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\av.log (Rogue.TrustedAntivirus) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\ga6Support.log (Rogue.TrustedAntivirus) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\update.log (Rogue.TrustedAntivirus) -> No action taken.

C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> No action taken.

Edited by LJP


Hi LJP,

 

If you like Spybot S & D, you can certainly keep it as an on-demand scanner. Just disable Tea Timer. Otherwise, you can uninstall the whole program. You don't need to do a recovery first.

 

I notice that Malwarebytes Anti-Malware reports "-> No action taken." on everything it found during the scan. Is there some reason you didn't have all of those entries fixed? If you're not sure how to use the program, follow the link for instructions on how to download, install and use Malwarebytes Anti-Malware: How to use Malwarebytes Anti-Malware to remove Spyware

 

Once you have done that, please continue on and follow instructions for using ComboFix. Then post the requested logs. Thank you very much. :wave: SCB
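As an added example (not from the thread, and not code from Malwarebytes), here is a small Python parser for the Malwarebytes' Anti-Malware 1.x log layout posted above. It separates entries that were actually removed from those that still read "-> No action taken." (the point SCB raises), and cross-checks the per-section counts in the log header against the entries actually listed, which also flags a log that got cut off when posted. The sample log is constructed; its paths and CLSIDs are placeholders.

```python
import re
from collections import Counter

# Section names exactly as they appear in a Malwarebytes' Anti-Malware 1.x log.
SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys",
            "Registry Values", "Registry Data Items", "Folders", "Files")
_NAMES = "|".join(SECTIONS)
# Header summary line, e.g. "Registry Keys Infected: 6"
COUNT_RE = re.compile(r"^(%s) Infected: (\d+)$" % _NAMES)
# Section heading that precedes the listed entries, e.g. "Registry Keys Infected:"
SECTION_RE = re.compile(r"^(%s) Infected:$" % _NAMES)
# One finding: "<path> (<family>) -> <status>"
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<status>.+)$")

# Statuses seen in the thread's logs. "No action taken." means the item was
# only reported: the user did not have MBAM remove it.
UNREMEDIATED = "No action taken."
PENDING = "Delete on reboot."

# Constructed sample log (placeholder paths/CLSIDs, not a real machine).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 135885

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{placeholder-clsid-1} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{placeholder-clsid-2} (Adware.Coupons) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcPLACEHOLDER (Rogue.AntivirusXP2008) -> No action taken.

Folders Infected:
C:\Documents and Settings\User\Application Data\TrustedAntivirus (Rogue.TrustedAntivirus) -> No action taken.

Files Infected:
C:\WINDOWS\system32\placeholder.tmp (Malware.Trace) -> No action taken.
C:\Documents and Settings\User\Application Data\TrustedAntivirus\avtasks.dat (Rogue.TrustedAntivirus) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return {'expected': {section: header count}, 'items': [finding dicts]}."""
    expected, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:                       # header summary count
            expected[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:                       # start of a listed section
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:           # a finding inside the current section
            items.append({"section": section, **m.groupdict()})
    return {"expected": expected, "items": items}


def triage(report):
    """Summarise what is still present and whether the log is internally consistent."""
    items = report["items"]
    found = Counter(i["section"] for i in items)
    # Header says N entries but fewer/more were listed: truncated or edited log.
    mismatches = {s: (n, found.get(s, 0))
                  for s, n in report["expected"].items() if n != found.get(s, 0)}
    return {
        "mismatches": mismatches,
        "by_status": Counter(i["status"] for i in items),
        "unremediated": [i for i in items if i["status"] == UNREMEDIATED],
        "pending_reboot": [i for i in items if i["status"] == PENDING],
        "families": Counter(i["family"] for i in items),
    }


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    summary = triage(rep)
    print("entries listed:", len(rep["items"]))
    print("still present (No action taken):", len(summary["unremediated"]))
    for entry in summary["unremediated"]:
        print("  [%s] %s" % (entry["family"], entry["path"]))
    if summary["mismatches"]:
        print("header/body count mismatch (log cut off?):", summary["mismatches"])
```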


Ok, got rid of Spybot for now, and all the spyware, malware, & virus(s) that were detected. Finally, I ran ComboFix, then HJT, & Malwarebytes' Anti-Malware last. Attached are the updated logs for each. Thanks.

 

ComboFix 08-11-18.A2 - Lisa Dent 2008-11-19 17:36:38.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.163 [GMT -5:00]

Running from: c:\documents and settings\Lisa Dent\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Eric Dent\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk

c:\documents and settings\Eric Dent\Application Data\rhc7l6j0el7m

c:\documents and settings\Eric Dent\ResErrors.log

c:\documents and settings\Lisa Dent\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

c:\recycler\hpothb07.dat

c:\recycler\hpothb07.tif

c:\recycler\RB118.tmp

c:\recycler\RB11E.tmp

c:\recycler\RB158.tmp

c:\recycler\RB188.tmp

c:\recycler\RB1C2.tmp

c:\recycler\RB1C4.tmp

c:\recycler\RB2.tmp

c:\recycler\RB21.tmp

c:\recycler\RB225.tmp

c:\recycler\RB2FD.tmp

c:\recycler\RB3.tmp

c:\recycler\RB31A.tmp

c:\recycler\RB34C.tmp

c:\recycler\RB4.tmp

c:\recycler\RB43A.tmp

c:\recycler\RB4D.tmp

c:\recycler\RB5.tmp

c:\recycler\RB5A.tmp

c:\recycler\RB6.tmp

c:\recycler\RB7.tmp

c:\recycler\RB74.tmp

c:\recycler\RB93.tmp

c:\recycler\RB94.tmp

c:\recycler\RBAB.tmp

c:\recycler\RBBF.tmp

c:\recycler\RBEE.tmp

c:\windows\system32\_000001_.tmp.dll

c:\windows\system32\AutoRun.inf

c:\windows\system32\mcrh.tmp

 

.

((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))

.

 

2008-11-16 02:42 . 2008-11-18 21:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-16 02:42 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-16 02:42 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-16 02:19 . 2008-11-19 16:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-16 02:19 . 2008-11-19 16:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-13 01:07 . 2008-11-13 01:07 <DIR> d-------- c:\program files\MSXML 4.0

2008-11-12 17:11 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-12 17:11 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-05 01:46 . 2008-11-05 01:46 280 --a------ c:\windows\system32\PDBootState

2008-11-01 21:27 . 2008-11-13 20:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-10-31 01:50 . 2008-10-31 01:50 <DIR> d-------- c:\program files\Trend Micro

2008-10-30 19:20 . 2008-11-19 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

2008-10-28 18:23 . 2008-10-28 18:23 <DIR> d-------- c:\documents and settings\Lisa Dent\Application Data\Yahoo!

2008-10-28 15:59 . 2008-10-28 15:59 <DIR> d-------- c:\program files\Apple Software Update

2008-10-28 15:57 . 2008-11-13 20:11 <DIR> d-------- c:\program files\Common Files\Apple

2008-10-28 15:57 . 2008-10-28 15:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

2008-10-28 15:47 . 2008-10-28 15:47 54,156 --ah----- c:\windows\QTFont.qfn

2008-10-28 15:47 . 2008-10-28 15:47 1,409 --a------ c:\windows\QTFont.for

2008-10-24 03:13 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2008-10-23 23:39 . 2008-10-23 23:39 <DIR> d-------- c:\windows\Cache

2008-10-23 23:39 . 2008-11-01 21:15 <DIR> d-------- c:\program files\Coupons

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-19 22:33 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\MSN6

2008-11-19 21:45 --------- d-----w c:\program files\LimeWire

2008-11-19 21:45 --------- d-----w c:\documents and settings\Eric Dent\Application Data\MSN6

2008-11-19 21:14 --------- d-----w c:\documents and settings\Eric Dent\Application Data\LimeWire

2008-11-16 05:50 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-11-15 09:03 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity

2008-11-14 01:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-11-14 01:14 --------- d-----w c:\program files\Bonjour

2008-11-02 02:54 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-02 02:53 --------- d-----w c:\program files\Google

2008-10-28 21:11 --------- d-----w c:\program files\QuickTime

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-16 13:08 --------- d-----w c:\program files\DivX

2008-10-16 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion

2008-10-16 13:07 --------- d-----w c:\program files\Yahoo!

2008-09-30 07:50 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\MSNInstaller

2008-09-29 02:29 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\InstallShield

2008-09-28 08:38 --------- d-----w c:\program files\Raxco

2008-09-28 08:30 53,192 ----a-w c:\windows\system32\drivers\rp_skt32.sys

2008-09-07 20:16 0 ---ha-w c:\documents and settings\All Users\hpothb07.dat

2008-09-06 00:32 0 ---ha-w c:\documents and settings\Lisa Dent\hpothb07.dat

2008-08-17 16:59 386 ---ha-w c:\documents and settings\Lisa Dent\Application Data\hpothb07.dat

2008-08-08 12:48 181 ---ha-w c:\documents and settings\Eric Dent\Application Data\hpothb07.dat

2008-08-08 12:48 1,022 ---ha-w c:\documents and settings\Eric Dent\hpothb07.dat

2008-07-27 12:25 336 ---ha-w c:\documents and settings\LocalService\hpothb07.dat

2008-07-12 15:42 3,537 ---ha-w c:\program files\hpothb07.tif

2008-07-12 15:42 2,109 ---ha-w c:\program files\hpothb07.dat

2008-04-04 05:32 17,408 -csha-w c:\program files\Thumbs.db

2008-01-14 06:14 185 ---ha-w c:\documents and settings\All Users\Application Data\hpothb07.dat

2008-01-14 06:14 0 ---ha-w c:\documents and settings\Default User\hpothb07.dat

2007-05-08 04:07 294,912 ----a-w c:\program files\Norton_Removal_Tool.exe

2007-05-04 00:42 114,688 -c--a-w c:\program files\Outlook.pst

2007-04-24 05:53 18,493 ----a-w c:\program files\filext_submission_output.txt

2007-04-24 05:51 507 ----a-w c:\program files\filext_filetype.bat

2007-04-24 05:49 58 ----atw c:\program files\current.downloadhost

2007-03-22 00:09 831,028 ----a-w c:\program files\regrunii.zip

2007-03-19 23:32 15,505,200 ----a-w c:\program files\IE7-WindowsXP-x86-enu.exe

2007-03-08 10:07 1,102,021 ----a-w c:\documents and settings\Eric Dent\AdvancedFontViewerSetup.exe

2007-03-08 10:03 1,395,846 ----a-w c:\documents and settings\Eric Dent\FontManagerSetup.exe

2006-11-29 03:07 128,048 ----a-w c:\documents and settings\Lisa Dent\Application Data\GDIPFONTCACHEV1.DAT

2006-11-25 07:39 3,346,320 ----a-w c:\program files\wbsamp5.exe

2006-11-04 22:21 12,754,672 ----a-w c:\program files\MP10Setup.exe

2000-11-07 21:52 15,182,560 -c--a-w c:\program files\out2kmst.msp

2000-11-07 20:26 670,620 -c--a-w c:\program files\pptmst.msp

2000-11-07 20:01 647,452 -c--a-w c:\program files\excelmst.msp

2000-11-02 22:05 59,904 -c--a-w c:\program files\readadm.doc

2000-10-27 21:40 30,120,448 -c--a-w c:\program files\sp2admin.msp

2008-06-05 04:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060520080606\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-24 68856]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Verizon Internet Security Suite"="c:\program files\Verizon\Verizon Internet Security Suite\Rps.exe" [2008-02-26 318704]

"-FreedomNeedsReboot"="c:\program files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2008-02-26 13552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk

backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]

c:\docume~1\ERICDE~1\LOCALS~1\Temp\scksexde.exe/r [X]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2008-07-24 20:45 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]

--a------ 2007-03-11 16:37 936960 c:\program files\Verizon\McciTrayApp.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

 

R3 ati2mtaa;ati2mtaa;c:\windows\system32\DRIVERS\ati2mtaa.sys [2004-08-04 327040]

S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys [2006-08-05 281856]

S3 DetectAC2000;DetectAC2000;\??\c:\windows\system32\FinePointLib\DetectAC2000.sys [2006-08-06 79029]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-17 31592]

S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\NPF.sys [2007-11-18 34064]

S3 Radialpoint Security Services;Verizon Internet Security Suite;"c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe" [2008-02-26 67824]

S4 hpt3xx;hpt3xx; []

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

 

2008-11-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

 

2008-11-17 c:\windows\Tasks\Decoder Configuration Utility.job

- c:\progra~1\DivX\DIVXCO~1\config.exe [2008-09-15 19:11]

 

2008-09-29 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1212555998.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]

.

- - - - ORPHANS REMOVED - - - -

 

HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe

HKU-Default-Run-msnmsgr - c:\progra~1\MSNMES~1\msnmsgr.exe

MSConfigStartUp-aa6a0bef - c:\windows\system32\ricgmuox.dll

MSConfigStartUp-Antivirus - c:\program files\VAV\vav.exe

MSConfigStartUp-lphc3l6j0el7m - c:\windows\system32\lphc3l6j0el7m.exe

MSConfigStartUp-SMrhc7l6j0el7m - c:\program files\rhc7l6j0el7m\rhc7l6j0el7m.exe

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\Lisa Dent\Application Data\Mozilla\Firefox\Profiles\i2s6syt5.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-19 17:44:51

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Verizon\Verizon Internet Security Suite\Fws.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

c:\program files\CA\PPRT\bin\ITMRTSVC.exe

c:\program files\Raxco\PerfectDisk\PDAgent.exe

c:\windows\system32\snmp.exe

c:\program files\Raxco\PerfectDisk\PDEngine.exe

c:\program files\Verizon\VSP\VerizonServicepointComHandler.exe

c:\program files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2008-11-19 17:48:35 - machine was rebooted

ComboFix-quarantined-files.txt 2008-11-19 22:48:28

 

Pre-Run: 83,470,655,488 bytes free

Post-Run: 83,650,437,120 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

 

241 --- E O F --- 2008-11-16 17:20:44

 

 

Malwarebytes' Anti-Malware 1.30

Database version: 1410

Windows 5.1.2600 Service Pack 3

 

11/19/2008 9:10:11 PM

malware log file.txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 131403

Time elapsed: 1 hour(s), 33 minute(s), 49 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 5

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc7l6j0el7m (Rogue.AntivirusXP2008) -> No action taken.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus (Rogue.TrustedAntivirus) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs (Rogue.TrustedAntivirus) -> No action taken.

 

Files Infected:

C:\Documents and Settings\Eric Dent\My Documents\My Videos\Saved\big cock threesome fucking sex\Setup.exe (Adware.Agent) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\avtasks.dat (Rogue.TrustedAntivirus) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\av.log (Rogue.TrustedAntivirus) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\ga6Support.log (Rogue.TrustedAntivirus) -> No action taken.

C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\update.log (Rogue.TrustedAntivirus) -> No action taken.

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:23:52, on 11/19/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Verizon\VSP\VerizonServicepoint.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Verizon\Verizon Internet Security Suite\RPS.exe

C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe

C:\Program Files\MSN\MSNCoreFiles\MSN.EXE

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"

O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {A2721B6E-0000-0000-0000-000000000000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe

O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe

O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

 

--

End of file - 10081 bytes


Hi LJP,

 

OK, looks like we still have a little work to do.

 

Please do the following:

 

>>>This is very important!<<<

You must disable Verizon Internet security before performing the following steps, as it may keep the fix from working.

  1. Close any open browsers.
  2. Open Notepad ( Not Word or WordPad) and copy/paste the text in the quotebox below into it:
    KillAll::
    
    File::
    c:\windows\Tasks\Decoder Configuration Utility.job
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]


     

  3. Save this as CFScript.txt, save it to your desktop. Save it as file type: all files.
    [image: CFScriptB-4.gif]
  4. Referring to the picture above, drag CFScript into ComboFix.exe
  5. When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

 

Once again, the Malwarebytes Anti-Malware report shows "-> No action taken." on everything that it found. This means that the malware is still on your machine. Please launch and update (if one is available) Malwarebytes Anti-Malware. Then:

  • Once the program has loaded, select Perform Quick Scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).
  • Click Scan.
  • When the scan is complete, click >>OK<<, then >>Show Results<< to view the results.
     
    >>>If Malware is found...<<<
  • Be sure that >>everything has a CHECKMARK in the box next to it<<, and click >>Remove Selected<<.
  • When completed, a log will open in Notepad.
  • Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

  • Launch Malwarebytes' Anti-Malware.
  • Click the Logs tab.
  • Double-click log-mm.dd.yyyy [xxxxxx].txt.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

Incidentally, this file in the MBAM report:

 

C:\Documents and Settings\Eric Dent\My Documents\My Videos\Saved\big cock threesome fucking sex\Setup.exe

 

Indicates that one of the users of your machine is visiting some very dangerous web sites and/or downloading some dangerous material via P2P. This is probably THE most common mode of infection today.

 

In your reply please include:

  • C:\ComboFix.txt.
  • The results of the latest Malwarebytes Anti-Malware scan.

I didn't mention this before but, we really are making some good progress here. :wave: SCB

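The point SCB makes above, that a Malwarebytes line ending in "-> No action taken." means the item was detected but left in place, can be checked mechanically before a log is posted. The script below is an added example and is not part of this thread, nor is it Malwarebytes' own code: it parses the log layout seen in the posts (a "... Infected:" section header followed by "item (Family) -> action." lines) and reports which detections are still present or are only scheduled for removal at the next reboot. The sample log, its paths and its detection names are constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log (not from the thread), modelled on the Malwarebytes'
# Anti-Malware 1.30 format shown in the posts above. Paths and detection
# names are invented for illustration.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 41021

Memory Processes Infected: 0
Registry Values Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\example_value (Rogue.Example) -> No action taken.

Folders Infected:
C:\Documents and Settings\User\Application Data\ExampleAV (Rogue.Example) -> No action taken.

Files Infected:
C:\Documents and Settings\User\Application Data\ExampleAV\av.log (Rogue.Example) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example (x86).dll (Trojan.Example) -> Delete on reboot.
"""

# A section header such as "Files Infected:". The summary lines ("Files Infected: 5")
# do not match because they do not end with the colon.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# A detection line: "<item> (<Family>) -> <action>."  The greedy item group lets
# paths that themselves contain parentheses parse correctly.
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

UNRESOLVED = "No action taken"        # detected, but still on disk / in the registry
PENDING_REBOOT = "Delete on reboot"   # removal scheduled, not yet carried out


def parse_mbam_log(text: str) -> List[Dict[str, str]]:
    """Return one record per detection line: section, item, family, action."""
    entries: List[Dict[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        hit = DETECTION_RE.match(line)
        if hit and section:
            entries.append({
                "section": section,
                "item": hit.group("item"),
                "family": hit.group("family"),
                "action": hit.group("action"),
            })
    return entries


def summarize(entries: List[Dict[str, str]]) -> Counter:
    """Count detections by the action MBAM reports for them."""
    return Counter(e["action"] for e in entries)


def unresolved(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Detections that were reported but left in place."""
    return [e for e in entries if e["action"] == UNRESOLVED]


def pending_reboot(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Detections whose removal only completes after a restart."""
    return [e for e in entries if e["action"] == PENDING_REBOOT]


def log_is_clean(entries: List[Dict[str, str]]) -> bool:
    """True only if nothing was detected, or everything detected was removed."""
    return not unresolved(entries) and not pending_reboot(entries)


def report(text: str) -> str:
    """Human-readable verdict for a pasted log."""
    entries = parse_mbam_log(text)
    counts = ", ".join(f"{n} x {a}" for a, n in sorted(summarize(entries).items()))
    lines = [f"{len(entries)} detection(s): {counts}"]
    for e in unresolved(entries):
        lines.append(f"  STILL PRESENT [{e['section']}] {e['item']} ({e['family']})")
    for e in pending_reboot(entries):
        lines.append(f"  NEEDS REBOOT  [{e['section']}] {e['item']} ({e['family']})")
    lines.append("verdict: clean" if log_is_clean(entries)
                 else "verdict: re-scan with every item checked, then reboot")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Paste a real log into `report()` in place of the constructed sample; a log counts as clean only when it has no "No action taken" and no "Delete on reboot" entries, which is exactly the condition the helper asks to see before the thread moves on to tidying up.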

Followed your instructions, updated malwares & deleted the video file. Here's the results:

 

Malwarebytes' Anti-Malware 1.30

Database version: 1414

Windows 5.1.2600 Service Pack 3

 

11/20/2008 6:59:34 PM

mbam-log-2008-11-20 (18-59-34).txt

 

Scan type: Quick Scan

Objects scanned: 41021

Time elapsed: 4 minute(s), 47 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc7l6j0el7m (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

ComboFix 08-11-19.08 - Lisa Dent 2008-11-20 18:40:34.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.170 [GMT -5:00]

Running from: c:\documents and settings\Lisa Dent\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Lisa Dent\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

c:\windows\Tasks\Decoder Configuration Utility.job

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\Tasks\Decoder Configuration Utility.job

 

.

((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))

.

 

2008-11-16 02:42 . 2008-11-18 21:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-16 02:42 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-16 02:42 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-16 02:19 . 2008-11-19 16:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-16 02:19 . 2008-11-19 16:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-13 01:07 . 2008-11-13 01:07 <DIR> d-------- c:\program files\MSXML 4.0

2008-11-12 17:11 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-12 17:11 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-05 01:46 . 2008-11-20 08:46 280 --a------ c:\windows\system32\PDBootState

2008-11-01 21:27 . 2008-11-13 20:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-10-31 01:50 . 2008-10-31 01:50 <DIR> d-------- c:\program files\Trend Micro

2008-10-30 19:20 . 2008-11-20 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

2008-10-28 18:23 . 2008-10-28 18:23 <DIR> d-------- c:\documents and settings\Lisa Dent\Application Data\Yahoo!

2008-10-28 15:59 . 2008-10-28 15:59 <DIR> d-------- c:\program files\Apple Software Update

2008-10-28 15:57 . 2008-11-13 20:11 <DIR> d-------- c:\program files\Common Files\Apple

2008-10-28 15:57 . 2008-10-28 15:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

2008-10-28 15:47 . 2008-10-28 15:47 54,156 --ah----- c:\windows\QTFont.qfn

2008-10-28 15:47 . 2008-10-28 15:47 1,409 --a------ c:\windows\QTFont.for

2008-10-24 03:13 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2008-10-23 23:39 . 2008-10-23 23:39 <DIR> d-------- c:\windows\Cache

2008-10-23 23:39 . 2008-11-01 21:15 <DIR> d-------- c:\program files\Coupons

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-20 23:39 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\MSN6

2008-11-20 23:19 --------- d-----w c:\documents and settings\Eric Dent\Application Data\MSN6

2008-11-19 21:45 --------- d-----w c:\program files\LimeWire

2008-11-19 21:14 --------- d-----w c:\documents and settings\Eric Dent\Application Data\LimeWire

2008-11-16 05:50 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-11-15 09:03 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity

2008-11-14 01:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-11-14 01:14 --------- d-----w c:\program files\Bonjour

2008-11-02 02:54 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-02 02:53 --------- d-----w c:\program files\Google

2008-10-28 21:11 --------- d-----w c:\program files\QuickTime

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-16 13:08 --------- d-----w c:\program files\DivX

2008-10-16 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion

2008-10-16 13:07 --------- d-----w c:\program files\Yahoo!

2008-09-30 07:50 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\MSNInstaller

2008-09-29 02:29 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\InstallShield

2008-09-28 08:38 --------- d-----w c:\program files\Raxco

2008-09-28 08:30 53,192 ----a-w c:\windows\system32\drivers\rp_skt32.sys

2008-09-07 20:16 0 ---ha-w c:\documents and settings\All Users\hpothb07.dat

2008-09-06 00:32 0 ---ha-w c:\documents and settings\Lisa Dent\hpothb07.dat

2008-08-17 16:59 386 ---ha-w c:\documents and settings\Lisa Dent\Application Data\hpothb07.dat

2008-08-08 12:48 181 ---ha-w c:\documents and settings\Eric Dent\Application Data\hpothb07.dat

2008-08-08 12:48 1,022 ---ha-w c:\documents and settings\Eric Dent\hpothb07.dat

2008-07-27 12:25 336 ---ha-w c:\documents and settings\LocalService\hpothb07.dat

2008-07-12 15:42 3,537 ---ha-w c:\program files\hpothb07.tif

2008-07-12 15:42 2,109 ---ha-w c:\program files\hpothb07.dat

2008-04-04 05:32 17,408 -csha-w c:\program files\Thumbs.db

2008-01-14 06:14 185 ---ha-w c:\documents and settings\All Users\Application Data\hpothb07.dat

2008-01-14 06:14 0 ---ha-w c:\documents and settings\Default User\hpothb07.dat

2007-05-08 04:07 294,912 ----a-w c:\program files\Norton_Removal_Tool.exe

2007-05-04 00:42 114,688 -c--a-w c:\program files\Outlook.pst

2007-04-24 05:53 18,493 ----a-w c:\program files\filext_submission_output.txt

2007-04-24 05:51 507 ----a-w c:\program files\filext_filetype.bat

2007-04-24 05:49 58 ----atw c:\program files\current.downloadhost

2007-03-22 00:09 831,028 ----a-w c:\program files\regrunii.zip

2007-03-19 23:32 15,505,200 ----a-w c:\program files\IE7-WindowsXP-x86-enu.exe

2007-03-08 10:07 1,102,021 ----a-w c:\documents and settings\Eric Dent\AdvancedFontViewerSetup.exe

2007-03-08 10:03 1,395,846 ----a-w c:\documents and settings\Eric Dent\FontManagerSetup.exe

2006-11-29 03:07 128,048 ----a-w c:\documents and settings\Lisa Dent\Application Data\GDIPFONTCACHEV1.DAT

2006-11-25 07:39 3,346,320 ----a-w c:\program files\wbsamp5.exe

2006-11-04 22:21 12,754,672 ----a-w c:\program files\MP10Setup.exe

2000-11-07 21:52 15,182,560 -c--a-w c:\program files\out2kmst.msp

2000-11-07 20:26 670,620 -c--a-w c:\program files\pptmst.msp

2000-11-07 20:01 647,452 -c--a-w c:\program files\excelmst.msp

2000-11-02 22:05 59,904 -c--a-w c:\program files\readadm.doc

2000-10-27 21:40 30,120,448 -c--a-w c:\program files\sp2admin.msp

2008-06-05 04:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060520080606\index.dat

.

 

((((((((((((((((((((((((((((( snapshot@2008-11-19_17.47.30.70 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-11-20 23:44:28 16,384 ----atw c:\windows\temp\Perflib_Perfdata_654.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-24 68856]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Verizon Internet Security Suite"="c:\program files\Verizon\Verizon Internet Security Suite\Rps.exe" [2008-02-26 318704]

"-FreedomNeedsReboot"="c:\program files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2008-02-26 13552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk

backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2008-07-24 20:45 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]

--a------ 2007-03-11 16:37 936960 c:\program files\Verizon\McciTrayApp.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

 

R3 ati2mtaa;ati2mtaa;c:\windows\system32\DRIVERS\ati2mtaa.sys [2004-08-04 327040]

S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys [2006-08-05 281856]

S3 DetectAC2000;DetectAC2000;\??\c:\windows\system32\FinePointLib\DetectAC2000.sys [2006-08-06 79029]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-17 31592]

S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\NPF.sys [2007-11-18 34064]

S3 Radialpoint Security Services;Verizon Internet Security Suite;"c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe" [2008-02-26 67824]

S4 hpt3xx;hpt3xx; []

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

 

2008-11-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

 

2008-09-29 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1212555998.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-20 18:45:02

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Verizon\Verizon Internet Security Suite\Fws.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

c:\program files\CA\PPRT\bin\ITMRTSVC.exe

c:\program files\Raxco\PerfectDisk\PDAgent.exe

c:\windows\system32\snmp.exe

c:\program files\Raxco\PerfectDisk\PDEngine.exe

c:\program files\Verizon\VSP\VerizonServicepointComHandler.exe

c:\program files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2008-11-20 18:48:49 - machine was rebooted

ComboFix-quarantined-files.txt 2008-11-20 23:48:43

ComboFix2.txt 2008-11-19 22:48:37

 

Pre-Run: 83,636,654,080 bytes free

Post-Run: 83,654,344,704 bytes free

 

183 --- E O F --- 2008-11-16 17:20:44


Hi LJP,

 

Good news. Your logs are clean. Let's have a final HijackThis log to see if there are any leftovers that we need to take care of, then we can do some tidying up. :wave: SCB


Ok, here it is:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:45:43, on 11/23/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe

C:\Program Files\MSN\MSNCoreFiles\MSN.EXE

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Verizon\McciBrowser.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"

O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {A2721B6E-0000-0000-0000-000000000000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe

O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe

O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

 

--

End of file - 10069 bytes


Hi LJP,

 

Here are a couple of things that you can fix with HijackThis. They are just a couple of programs that launch with Windows, but it's not necessary that they do. Adobe will launch automatically when you open a .pdf file and QuickTime can be launched manually when you need it.

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

 

Otherwise......

 

Congratulations! Your log looks clean - good work!

 

Below is my standard Final Cleanup and All Clean speech. Included in it are tips on how to keep your computer from being reinfected. They are simple to set up and simple to maintain, and I HIGHLY recommend that you follow them.

 

 

Download and scan with CCleaner

NOTE: Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Slim version instead of the Standard Build.

 

Before first use:

  • Select Options=>Advanced.
  • UNcheck Only delete files in Windows Temp folder older than 48 hours

Select the items you wish to clean up.

  • A note regarding cookies: CCleaner allows you to keep the cookies from selected sites such as those which use cookies to save your login information.
  • From the main screen: Click Options=>Cookies.
  • Highlight the web sites you wish to keep.
  • Click the -> button.

Click the Cleaner button to return to the main screen.

  • In the Windows tab:
    • Select all items.
  • In the Applications tab:
    • Select all items. NOTE: UN-check Saved Form Information, where available. If you leave this box checked, you will lose all of your saved passwords.

Click the Run Cleaner button.

  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK.

CCleaner will scan and clean your system.

  • When cleaning is complete:
  • Close the CCleaner window

If everything is running ok, let's do the final cleanup...

 

1. Uninstall Combofix. (If Combofix was not used, proceed to step 2.)

  • Click START=>RUN
  • Type Combofix /u in the runbox (make sure you add the space in between the x in Combofix and /u)
  • Click OK


2. Clear out any other special tools we've used to clean up your computer. They are very powerful and, if used incorrectly, may cause irreparable damage to your computer. (If no other special tools were downloaded, proceed to step 3.) Download OTMoveIt by OldTimer to your Desktop.

  • Double click OTMoveIt.exe to launch it.
  • Click on the CleanUp! button.
  • OTMoveIt will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTMoveIt
  • Now delete OTMoveIt.exe (if still present).

3. Disable, then re-enable System Restore, with a reboot in between. Then immediately create a new system restore point manually.

 

Here are some tips to reduce the potential for spyware infection in the future; I recommend the following applications:

To protect yourself further:

  • IE/Spyad => IE/Spyad (now known as ZonedOut) places over 5000 websites and domains in the IE Restricted Sites list, and uses NO system resources.
  • Use a Firewall => I cannot stress enough how important it is that you use a Firewall on your computer. See Computer Safety On line - Software Firewalls to learn why. I recommend any of these:
  • UPDATE!-UPDATE!-UPDATE! => This is, without a doubt, THE MOST IMPORTANT element in keeping your computer free of malware. Set Windows AND all of your anti-malware tools for Automatic Updates.
  • Delete temp files => Clear the contents of your Temporary (Temp) folders, Temporary Internet Files (TIF), Cookies, and Recycle bin for all users of your machine (do not delete the temp folders themselves). This can be done either manually or by using a program such as CCleaner. IMPORTANT: clearing the contents of the temp/Internet/cookies/recycle bin should be done on a regular basis.

Also, please see: So how did I get infected in the first place?

****** STAND UP AND BE COUNTED ******

It is very rewarding to see that your computer is clean. Now we urge you to stand up and be counted! Document your experience, and by doing so, launch a complaint against the makers of malware. You can make a difference. Click on the Malware Complaints icon in my signature and support our cause.

 

If you are having any more problems, post back the description along with a fresh HijackThis log. :wave: SCB
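
Reading a HijackThis log by eye, as the reply above does, works for one machine but does not scale, and the same handful of checks come up every time: which O4 autostarts launch from a user-writable folder, which O23 services point at a binary that no longer exists or has no publisher, which O16 ActiveX controls were fetched over plain HTTP, and which BHO or autostart file names look machine-generated. The Python below is an added example for this thread, not code from HijackThis, Malwarebytes or the forum. It parses the O2, O4, O16 and O23 entry formats seen in the posted log and applies those rules. The sample log, its GUIDs and file names, the list of user-writable locations and every threshold in the random-name heuristic are constructed assumptions; a finding is a review hint for a human, not a verdict.

```python
"""Parse and triage HijackThis-style log entries.

Added example for this thread; it is not code from HijackThis, Malwarebytes
or the forum. The regexes follow the entry formats visible in the posted log.
The sample lines, their GUIDs and file names, and every rule threshold are
constructed assumptions; a finding is a review hint, not a verdict.
"""
import re
from dataclasses import dataclass

# Entry shapes handled here (HijackThis has more sections than these).
O2_RE = re.compile(r'^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# Autostart locations an unprivileged user (or a drive-by download) can write to.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\", "\\recycler\\")
VOWELS = set("aeiou")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def exe_from_command(cmd):
    """Return the executable path from an O4 command line, dropping arguments
    and the "(User '...')" annotation HijackThis appends for other hives."""
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd)
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(.*?\.(?:exe|dll|scr|cmd|bat|vbs))(?=\s|$)', cmd, re.I)
    return m.group(1) if m else cmd


def looks_random(path):
    """Coarse heuristic for machine-generated names: a long, letters-only stem
    with almost no vowels, or with several capitals in the middle. Threshold
    values are assumptions tuned on the constructed sample, nothing more."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = re.sub(r"\d+$", "", base.rsplit(".", 1)[0])
    if len(stem) < 9 or not stem.isalpha() or stem.isupper():
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in stem) / len(stem)
    inner_caps = sum(c.isupper() for c in stem[1:])
    return vowel_ratio < 0.15 or (inner_caps >= 3 and vowel_ratio < 0.3)


def triage(log_text):
    """Return the entries a reviewer should look at first, with the reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            if looks_random(m["path"]):
                findings.append(Finding("O2", "BHO with a random-looking file name", line))
        elif m := O4_RE.match(line):
            exe = exe_from_command(m["cmd"])
            if any(w in exe.lower() for w in USER_WRITABLE):
                findings.append(Finding("O4", "autostart from a user-writable location", line))
            elif looks_random(exe):
                findings.append(Finding("O4", "autostart with a random-looking file name", line))
        elif m := O16_RE.match(line):
            if m["url"].lower().startswith("http://"):
                findings.append(Finding("O16", "ActiveX control fetched over plain HTTP", line))
        elif m := O23_RE.match(line):
            if "(file missing)" in m["path"]:
                findings.append(Finding("O23", "service points at a missing binary (orphaned entry)", line))
            elif m["owner"] == "Unknown owner":
                findings.append(Finding("O23", "service binary carries no publisher information", line))
    return findings


def counts_by_section(findings):
    """Summarise findings as {section: count}."""
    out = {}
    for f in findings:
        out[f.section] = out.get(f.section, 0) + 1
    return out


# Constructed sample: a mix of benign-looking entries and ones that trip a rule.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\qzxvtKLwp.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\lj\Local Settings\Temp\jkqwvbxzt.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the constructed sample it reports four entries, one per section: the BHO with the vowel-less name, the Temp-folder autostart, the plain-HTTP ActiveX download and the orphaned Symantec service. The QuickTime and Adobe autostarts that the reply suggests removing are not flagged, because they are a convenience question rather than a security one; the O23 rule deliberately tests for "(file missing)" before "Unknown owner", since an orphaned entry is the more useful thing to say about a line that matches both. Paste a real log into SAMPLE_LOG and expect some false positives from the name heuristic; it is a prompt to look closer, not a classifier.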


OK, apparently OTMoveIt is now obsolete & the only one available was OTMoveIt3, so I took a chance w/ my fingers tightly crossed; went ahead & downloaded it & followed your directions. It automatically asked to reboot when it was through & was automatically deleted. All seems well, so I think I may be done, but I just have a couple questions: do you think there are remnants of the OTMoveIt download still lingering, and if so how do I remove it, & are the applications you suggest to reduce & protect me from future spyware problems compatible w/ Verizon Security Suite & Windows XP Security? Thanks again for all your help, it was most helpful!! Finally, I posted my complaint & the satisfying experience I had with your help.


Hello :wave:

 

SpotCheckBilly cannot be here right now so I'll be looking in on his threads. :)

do you think there are remnants of the OTMoveIt
There shouldn't be, since it also deletes itself in the process. :thumbsup:
are the applications you suggest to reduce & protect me from future spyware problems compatible w/ Verizon Security Suite & Windows XP Security?
Unless you just overdo it with the programs, they should all play well together, yes. The only thing is, IE/Spyad is no longer around. It hasn't been updated for a long time, and the owner says he won't be updating it. :( So, please disregard that particular suggestion.

 

If you have any further questions, please feel free to ask. :)

 

Take care!

tea


Since the issue appears to be resolved this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
