Malware, Virus(s), & Spyware


14 replies to this topic

#1 LJP

Full Member, 21 posts

Posted 17 November 2008 - 06:16 PM

I have been experiencing pop-ups (advertising), system sluggishness & sporadic behavior. I'm running WinXP SP3 w/ Verizon security suite. There were 3 virus(s) detected, Win32/FakeAV.A, JS/FakeAV.A, JS/Agent.FA; lots of spyware: Zlob.PornAdvertiser.Xplisit, Spyware.IEMonster.b, etc., & I was alerted by the ANTIVIRUS 2008 Windows security look-alike but declined any assistance. I followed the steps in the forum FAQs & have attached 2 separate logs from Malwarebytes' Anti-Malware & HJT. I need advice & specific direction from a professional on what to delete & how to effectively & completely rid my system of these nuisances. Thanks.

Malwarebytes' Anti-Malware 1.23
Database version: 1006
Windows 5.1.2600 Service Pack 3

7:16:19 AM 7/29/2008
mbam-log-7-29-2008 (07-16-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 123374
Time elapsed: 2 hour(s), 13 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 29
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 27
Files Infected: 74

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yaywwTlj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awtQKExY.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fpwzws.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\nfavxwdbsxb.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37781f08-0bae-4492-ac8e-2e9de8373ea9} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{37781f08-0bae-4492-ac8e-2e9de8373ea9} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca0254dd-1948-4d52-9f2f-20fb7587d32e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca0254dd-1948-4d52-9f2f-20fb7587d32e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{267212fe-b77a-4c83-bb75-3f84b52a3bee} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{267212fe-b77a-4c83-bb75-3f84b52a3bee} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqkexy (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf269089-ee76-400b-8f5b-e0191aff6051} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5a945e54-93e0-4cf7-87e8-fae4cde5e075} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5f63f48-0e28-4b37-9536-6e5588cbcaee} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\edfqvrw.bdgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc7l6j0el7m (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc7l6j0el7m (Rogue.Multiple) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\alotToolbar (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\seekmosa (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{2a9805a1-fe72-4b17-98e7-958312ea56aa} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{951ccafd-23f9-4013-9a5d-96b970052291} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ad730a0b-b21e-421b-abe3-1b6563d2cee7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{aefff7d6-917c-4d8d-a780-7c2d69f1b01a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aefff7d6-917c-4d8d-a780-7c2d69f1b01a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{267212fe-b77a-4c83-bb75-3f84b52a3bee} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wnslvxtf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\yaywwtlj -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yaywwtlj -> Delete on reboot.

Folders Infected:
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\GA6P1 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\GA6P1\Quar (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Program Files\alot (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\alot\bin (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\alot (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\rhc7l6j0el7m\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\yaywwTlj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jlTwwyay.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jlTwwyay.ini2 (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fpwzws.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ricgmuox.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xoumgcir.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtQKExY.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\alot\bin\alot.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\a (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\5.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\7.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\SpyShredder\SpyShredder1.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\SpyShredder\SpyShredder2.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\SpyShredder\SpyShredder3.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1067\A0164214.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1067\A0164215.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1067\A0164216.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1067\A0164217.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1067\A0164218.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164411.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164412.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164413.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164431.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164432.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A1C0AC5A-9E4B-472F-B824-9705AF578B60}\RP1070\A0164433.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\eovp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Sys422.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Sys423.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Sys424.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Sys425.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Sys426.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nkpykmkj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\azrfih.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E2.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphc3l6j0el7m.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kvbuirjy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\txztss.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mnjknffr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMEWppm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\em (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\oid (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\user (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\alot\alotUninst.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav.cpl (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav.ooo (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav0.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav1.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lisa Dent\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vav.cpl (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\nfavxwdbsxb.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\blphc3l6j0el7m.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc3l6j0el7m.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc3l6j0el7m.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:07:58, on 11/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec....ta/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...tallMgr_v01.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {A2721B6E-0000-0000-0000-000000000000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

--
End of file - 10782 bytes

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec....ta/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...tallMgr_v01.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {A2721B6E-0000-0000-0000-000000000000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

--
End of file - 10782 bytes

#2 SpotCheckBilly

SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • 877 posts

Posted 18 November 2008 - 05:20 PM

Hi LJP,

Welcome to the SWI forums. My name is SpotCheckBilly (SCB for short) and I will be happy to help you.

===Very Important===

The instructions in this thread have been specifically designed for THIS USER'S MACHINE ONLY. You should not use these instructions to clean your machine. Doing so could cause irreparable damage to your machine. If you need assistance, please start your own thread.

=================


A couple of important things to keep in mind during our fix.
  • Please >>DO NOT<< run any scans/tools or other fixes unless I ask you to.
  • Please DO NOT install any software while we are working.
  • While the fix is in progress Do not skip any steps. With some infections skipping a step can be disastrous.
  • If you are running P2P filesharing program(s), my recommendation is that you uninstall it/them.
  • If you are running any cracked/pirated software, REMOVE it before proceeding. Many helpers -- myself included -- will not assist you if you are using such software.
Remember, we are in this process together. We must cooperate with each other or the fix will surely fail. If there is something you don't understand or are unsure of -- please stop and take a moment to ask about it.

That being said, let's get started. :)

Part of the sluggishness problem comes from having more than one active anti-malware module running at a time. I see Verizon Internet Security Suite as well as Spybot S & D's Tea Timer. These programs will conflict with each other which will cause performance problems as well as reduced system security. You should disable Tea Timer (you can certainly keep Spybot S & D as an on-demand scanner should you choose).

Next, the build of your Malwarebytes Anti-Malware is quite outdated. The current build is 1.30 database version 1410. I would recommend that you update and rescan since the current version does a much better job of cleaning up the infection that you have.

Finally, let's download and run a scan with ComboFix as follows:

Download ComboFix from one of these locations:
A word of warning: Please DO NOT run ComboFix on your own. Used incorrectly, it can render your computer completely useless

>>>If you already have Combofix, delete previous copy(s) and download the latest version.<<<

Link 1
Link 2
Link 3

Save ComboFix.exe to your Desktop

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before continuing the scan. They can interfere with ComboFix and may cause unpredictable results. Note: Combofix will disconnect you from the Internet, then restore your connection as it finishes.

Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
    ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Posted image: the ComboFix message shown after the Recovery Console is installed]

***If you have an always on Internet connection, unplug from your DSL/cable modem before proceeding. Reconnect only after Combofix has finished its scan.***
  • Click on Yes to allow ComboFix to finish its scan. This can take a while, so please be patient.
  • When finished, it will produce a report for you at C:\ComboFix.txt.
***Do not mouseclick combofix's window while it's running. That may cause it to stall***

In your next post, please include
  • A new Hijackthis log.
  • C:\ComboFix.txt
  • The results of the Malwarebytes Anti-Malware scan.
>>>use separate posts if necessary to ensure the logs don't get cut off!<<<

We'll take it from there. :wave: SCB
ChrisRLG's Computer Safety Online

"I was worried 'bout rich and skinny,
'til I wound up poor and fat"
- Delbert McClinton

#3 LJP

LJP

    Member

  • Full Member
  • 21 posts

Posted 18 November 2008 - 11:58 PM

The only reason I downloaded Spybot was because that's what the forum instructions said to do; I normally only have Verizon Security Suite as my active program. Also, my system was sluggish even before I downloaded Spybot. Should I completely remove it, and if so, should I do a recovery first? Finally, I updated Malwarebytes to 1.30 & attached is the new log. Thanks

Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 3

11/19/2008 12:34:51 AM
malware log file.txt

Scan type: Full Scan (C:\|)
Objects scanned: 135885
Time elapsed: 2 hour(s), 52 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 13
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7545d8c8-f53c-4e2f-8fa0-d248ef4a6e61} (Rogue.Installer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76f30661-76c7-48cd-b18e-64f388ae030b} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d573edd4-5dea-4df1-9d5a-329d6861edc8} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{267212fe-b77a-4c83-bb75-3f84b52a3bee} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc7l6j0el7m (Rogue.AntivirusXP2008) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus (Rogue.TrustedAntivirus) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs (Rogue.TrustedAntivirus) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKCU (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKLM (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\BrowserObjects (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\rhc7l6j0el7m\Quarantine\Packages (Rogue.Multiple) -> No action taken.

Files Infected:
C:\Documents and Settings\Eric Dent\My Documents\My Videos\Saved\big cock threesome fucking sex\Setup.exe (Adware.Agent) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\avtasks.dat (Rogue.TrustedAntivirus) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\av.log (Rogue.TrustedAntivirus) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\ga6Support.log (Rogue.TrustedAntivirus) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\update.log (Rogue.TrustedAntivirus) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> No action taken.

Edited by LJP, 19 November 2008 - 12:40 AM.


#4 SpotCheckBilly

SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • 877 posts

Posted 19 November 2008 - 04:18 PM

Hi LJP,

If you like Spybot S & D, you can certainly keep it as an on-demand scanner. Just disable Tea Timer. Otherwise, you can uninstall the whole program. You don't need to do a recovery first.

I notice that Malwarebytes Anti-Malware reports "-> No action taken." on everything it found during the scan. Is there some reason you didn't have all of those entries fixed? If you're not sure how to use the program, follow this link for instructions on how to download, install and use Malwarebytes Anti-Malware: How to use Malwarebytes Anti-Malware to remove Spyware

Once you have done that, please continue on and follow instructions for using ComboFix. Then post the requested logs. Thank you very much. :wave: SCB

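The check SCB makes on the second log (every line ending in "No action taken") can be automated. The script below is an added example for this thread, not part of it and not Malwarebytes' own code: it parses the Malwarebytes' Anti-Malware 1.x log format posted above, cross-checks the summary counters against the listed items, and reports which detections were never removed. The sample log is constructed, trimmed from the one LJP posted.

```python
"""
Added triage helper for Malwarebytes' Anti-Malware 1.x text logs (hypothetical
script, not part of this thread or of Malwarebytes).  It parses the summary
counters and the per-item detection lines, cross-checks the two, and lists
every detection whose action is still "No action taken", i.e. found but never
removed, which is the point SCB raises about the second log.
"""
import re
from collections import Counter

# Detection line: "<registry key or path> (<category>) -> <action>."
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$"
)
# "Registry Keys Infected: 6" is a summary counter; "Registry Keys Infected:"
# (no number) opens the section that lists the individual items.
SECTION_RE = re.compile(
    r"^(?P<section>Memory Processes|Memory Modules|Registry Keys|Registry Values"
    r"|Registry Data Items|Folders|Files) Infected:(?: (?P<count>\d+))?$"
)
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return (summary counters, list of detection dicts) for one log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes a section
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("section")] = int(m.group("count"))
                section = None
            else:
                section = m.group("section")
            continue
        if section is None or line == NO_ITEMS:
            continue
        d = DETECTION_RE.match(line)
        if d:
            detections.append({"section": section, **d.groupdict()})
    return summary, detections


def triage(text):
    """Summarise a log: are the counts consistent, and what is still unresolved?"""
    summary, detections = parse_mbam_log(text)
    unresolved = [d for d in detections if d["action"] == "No action taken"]
    return {
        "summary_total": sum(summary.values()),
        "parsed_total": len(detections),
        "consistent": sum(summary.values()) == len(detections),
        "by_action": dict(Counter(d["action"] for d in detections)),
        "unresolved": unresolved,
        # Rogue.* hits still unresolved mean the fake AV is not gone yet.
        "rogue_categories": sorted({d["category"] for d in unresolved
                                    if d["category"].startswith("Rogue.")}),
    }


# Constructed sample, trimmed from the second log posted in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 135885

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{267212fe-b77a-4c83-bb75-3f84b52a3bee} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76f30661-76c7-48cd-b18e-64f388ae030b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc7l6j0el7m (Rogue.AntivirusXP2008) -> No action taken.

Folders Infected:
C:\Documents and Settings\User\Application Data\TrustedAntivirus (Rogue.TrustedAntivirus) -> No action taken.

Files Infected:
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\User\Application Data\TrustedAntivirus\avtasks.dat (Rogue.TrustedAntivirus) -> No action taken.
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"counters {report['summary_total']}, parsed {report['parsed_total']},"
          f" consistent={report['consistent']}")
    for action, n in report["by_action"].items():
        print(f"  {n:>3}  {action}")
    for d in report["unresolved"]:
        print(f"UNRESOLVED [{d['section']}] {d['category']}: {d['item']}")
```

A log where every action reads "No action taken" means the scan only reported; nothing was quarantined, so the rogue entries will reappear on the next scan exactly as they did here.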
#5 LJP

LJP

    Member

  • Full Member
  • 21 posts

Posted 19 November 2008 - 09:25 PM

Ok, got rid of Spybot for now, and all the spyware, malware, & virus(es) that were detected. Finally, I ran ComboFix, then HJT, & Malwarebytes' Anti-Malware last. Attached are the updated logs for each. Thanks.

ComboFix 08-11-18.A2 - Lisa Dent 2008-11-19 17:36:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.163 [GMT -5:00]
Running from: c:\documents and settings\Lisa Dent\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eric Dent\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
c:\documents and settings\Eric Dent\Application Data\rhc7l6j0el7m
c:\documents and settings\Eric Dent\ResErrors.log
c:\documents and settings\Lisa Dent\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\recycler\hpothb07.dat
c:\recycler\hpothb07.tif
c:\recycler\RB118.tmp
c:\recycler\RB11E.tmp
c:\recycler\RB158.tmp
c:\recycler\RB188.tmp
c:\recycler\RB1C2.tmp
c:\recycler\RB1C4.tmp
c:\recycler\RB2.tmp
c:\recycler\RB21.tmp
c:\recycler\RB225.tmp
c:\recycler\RB2FD.tmp
c:\recycler\RB3.tmp
c:\recycler\RB31A.tmp
c:\recycler\RB34C.tmp
c:\recycler\RB4.tmp
c:\recycler\RB43A.tmp
c:\recycler\RB4D.tmp
c:\recycler\RB5.tmp
c:\recycler\RB5A.tmp
c:\recycler\RB6.tmp
c:\recycler\RB7.tmp
c:\recycler\RB74.tmp
c:\recycler\RB93.tmp
c:\recycler\RB94.tmp
c:\recycler\RBAB.tmp
c:\recycler\RBBF.tmp
c:\recycler\RBEE.tmp
c:\windows\system32\_000001_.tmp.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-16 02:42 . 2008-11-18 21:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-16 02:42 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-16 02:42 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-16 02:19 . 2008-11-19 16:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-16 02:19 . 2008-11-19 16:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-13 01:07 . 2008-11-13 01:07 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-12 17:11 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 17:11 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-05 01:46 . 2008-11-05 01:46 280 --a------ c:\windows\system32\PDBootState
2008-11-01 21:27 . 2008-11-13 20:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-31 01:50 . 2008-10-31 01:50 <DIR> d-------- c:\program files\Trend Micro
2008-10-30 19:20 . 2008-11-19 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-10-28 18:23 . 2008-10-28 18:23 <DIR> d-------- c:\documents and settings\Lisa Dent\Application Data\Yahoo!
2008-10-28 15:59 . 2008-10-28 15:59 <DIR> d-------- c:\program files\Apple Software Update
2008-10-28 15:57 . 2008-11-13 20:11 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-28 15:57 . 2008-10-28 15:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-10-28 15:47 . 2008-10-28 15:47 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-28 15:47 . 2008-10-28 15:47 1,409 --a------ c:\windows\QTFont.for
2008-10-24 03:13 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 23:39 . 2008-10-23 23:39 <DIR> d-------- c:\windows\Cache
2008-10-23 23:39 . 2008-11-01 21:15 <DIR> d-------- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 22:33 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\MSN6
2008-11-19 21:45 --------- d-----w c:\program files\LimeWire
2008-11-19 21:45 --------- d-----w c:\documents and settings\Eric Dent\Application Data\MSN6
2008-11-19 21:14 --------- d-----w c:\documents and settings\Eric Dent\Application Data\LimeWire
2008-11-16 05:50 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-15 09:03 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-11-14 01:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-14 01:14 --------- d-----w c:\program files\Bonjour
2008-11-02 02:54 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-02 02:53 --------- d-----w c:\program files\Google
2008-10-28 21:11 --------- d-----w c:\program files\QuickTime
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 13:08 --------- d-----w c:\program files\DivX
2008-10-16 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-16 13:07 --------- d-----w c:\program files\Yahoo!
2008-09-30 07:50 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\MSNInstaller
2008-09-29 02:29 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\InstallShield
2008-09-28 08:38 --------- d-----w c:\program files\Raxco
2008-09-28 08:30 53,192 ----a-w c:\windows\system32\drivers\rp_skt32.sys
2008-09-07 20:16 0 ---ha-w c:\documents and settings\All Users\hpothb07.dat
2008-09-06 00:32 0 ---ha-w c:\documents and settings\Lisa Dent\hpothb07.dat
2008-08-17 16:59 386 ---ha-w c:\documents and settings\Lisa Dent\Application Data\hpothb07.dat
2008-08-08 12:48 181 ---ha-w c:\documents and settings\Eric Dent\Application Data\hpothb07.dat
2008-08-08 12:48 1,022 ---ha-w c:\documents and settings\Eric Dent\hpothb07.dat
2008-07-27 12:25 336 ---ha-w c:\documents and settings\LocalService\hpothb07.dat
2008-07-12 15:42 3,537 ---ha-w c:\program files\hpothb07.tif
2008-07-12 15:42 2,109 ---ha-w c:\program files\hpothb07.dat
2008-04-04 05:32 17,408 -csha-w c:\program files\Thumbs.db
2008-01-14 06:14 185 ---ha-w c:\documents and settings\All Users\Application Data\hpothb07.dat
2008-01-14 06:14 0 ---ha-w c:\documents and settings\Default User\hpothb07.dat
2007-05-08 04:07 294,912 ----a-w c:\program files\Norton_Removal_Tool.exe
2007-05-04 00:42 114,688 -c--a-w c:\program files\Outlook.pst
2007-04-24 05:53 18,493 ----a-w c:\program files\filext_submission_output.txt
2007-04-24 05:51 507 ----a-w c:\program files\filext_filetype.bat
2007-04-24 05:49 58 ----atw c:\program files\current.downloadhost
2007-03-22 00:09 831,028 ----a-w c:\program files\regrunii.zip
2007-03-19 23:32 15,505,200 ----a-w c:\program files\IE7-WindowsXP-x86-enu.exe
2007-03-08 10:07 1,102,021 ----a-w c:\documents and settings\Eric Dent\AdvancedFontViewerSetup.exe
2007-03-08 10:03 1,395,846 ----a-w c:\documents and settings\Eric Dent\FontManagerSetup.exe
2006-11-29 03:07 128,048 ----a-w c:\documents and settings\Lisa Dent\Application Data\GDIPFONTCACHEV1.DAT
2006-11-25 07:39 3,346,320 ----a-w c:\program files\wbsamp5.exe
2006-11-04 22:21 12,754,672 ----a-w c:\program files\MP10Setup.exe
2000-11-07 21:52 15,182,560 -c--a-w c:\program files\out2kmst.msp
2000-11-07 20:26 670,620 -c--a-w c:\program files\pptmst.msp
2000-11-07 20:01 647,452 -c--a-w c:\program files\excelmst.msp
2000-11-02 22:05 59,904 -c--a-w c:\program files\readadm.doc
2000-10-27 21:40 30,120,448 -c--a-w c:\program files\sp2admin.msp
2008-06-05 04:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060520080606\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-24 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon Internet Security Suite"="c:\program files\Verizon\Verizon Internet Security Suite\Rps.exe" [2008-02-26 318704]
"-FreedomNeedsReboot"="c:\program files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2008-02-26 13552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
c:\docume~1\ERICDE~1\LOCALS~1\Temp\scksexde.exe/r [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-24 20:45 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
--a------ 2007-03-11 16:37 936960 c:\program files\Verizon\McciTrayApp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 ati2mtaa;ati2mtaa;c:\windows\system32\DRIVERS\ati2mtaa.sys [2004-08-04 327040]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys [2006-08-05 281856]
S3 DetectAC2000;DetectAC2000;\??\c:\windows\system32\FinePointLib\DetectAC2000.sys [2006-08-06 79029]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-17 31592]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\NPF.sys [2007-11-18 34064]
S3 Radialpoint Security Services;Verizon Internet Security Suite;"c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe" [2008-02-26 67824]
S4 hpt3xx;hpt3xx; []
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2008-11-17 c:\windows\Tasks\Decoder Configuration Utility.job
- c:\progra~1\DivX\DIVXCO~1\config.exe [2008-09-15 19:11]

2008-09-29 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1212555998.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
HKU-Default-Run-msnmsgr - c:\progra~1\MSNMES~1\msnmsgr.exe
MSConfigStartUp-aa6a0bef - c:\windows\system32\ricgmuox.dll
MSConfigStartUp-Antivirus - c:\program files\VAV\vav.exe
MSConfigStartUp-lphc3l6j0el7m - c:\windows\system32\lphc3l6j0el7m.exe
MSConfigStartUp-SMrhc7l6j0el7m - c:\program files\rhc7l6j0el7m\rhc7l6j0el7m.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Lisa Dent\Application Data\Mozilla\Firefox\Profiles\i2s6syt5.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 17:44:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Verizon\Verizon Internet Security Suite\Fws.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\windows\system32\snmp.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\program files\Verizon\VSP\VerizonServicepointComHandler.exe
c:\program files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-19 17:48:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-19 22:48:28

Pre-Run: 83,470,655,488 bytes free
Post-Run: 83,650,437,120 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

241 --- E O F --- 2008-11-16 17:20:44


Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 3

11/19/2008 9:10:11 PM
malware log file.txt

Scan type: Full Scan (C:\|)
Objects scanned: 131403
Time elapsed: 1 hour(s), 33 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc7l6j0el7m (Rogue.AntivirusXP2008) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus (Rogue.TrustedAntivirus) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs (Rogue.TrustedAntivirus) -> No action taken.

Files Infected:
C:\Documents and Settings\Eric Dent\My Documents\My Videos\Saved\big cock threesome fucking sex\Setup.exe (Adware.Agent) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\avtasks.dat (Rogue.TrustedAntivirus) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\av.log (Rogue.TrustedAntivirus) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\ga6Support.log (Rogue.TrustedAntivirus) -> No action taken.
C:\Documents and Settings\Eric Dent\Application Data\TrustedAntivirus\Logs\update.log (Rogue.TrustedAntivirus) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:23:52, on 11/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\RPS.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec....ta/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...tallMgr_v01.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {A2721B6E-0000-0000-0000-000000000000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

--
End of file - 10081 bytes

#6 SpotCheckBilly

SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • 877 posts

Posted 20 November 2008 - 05:15 PM

Hi LJP,

OK, looks like we still have a little work to do.

Please do the following:

>>>This is very important!<<<

You must disable Verizon Internet security before performing the following steps, as it may keep the fix from working.
  • Close any open browsers.
  • Open Notepad (not Word or WordPad) and copy/paste the text in the quotebox below into it:
    KillAll::
    
    File::
    c:\windows\Tasks\Decoder Configuration Utility.job
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
  • Save this as CFScript.txt to your desktop, with the file type set to All Files.
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt".
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


Once again, the Malwarebytes Anti-Malware report shows "-> No action taken." on everything that it found. This means that the malware is still on your machine. Please launch and update (if one is available) Malwarebytes Anti-Malware. Then:
  • Once the program has loaded, select Perform Quick Scan (Full scan is optional. According to the program's creator, Quick Scan will do just fine.).
  • Click Scan.
  • When the scan is complete, click >>OK<<, then >>Show Results<< to view the results.

    >>>If Malware is found...<<<
  • Be sure that >>everything has a CHECKMARK in the box next to it<<, and click >>Remove Selected<<.
  • When completed, a log will open in Notepad.
  • Please save it to your desktop.
NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:
  • Launch Malwarebytes' Anti-Malware.
  • Click the Logs tab.
  • Double-click log-mm.dd.yyyy [xxxxxx].txt.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Incidentally, this file in the MBAM report:

C:\Documents and Settings\Eric Dent\My Documents\My Videos\Saved\big cock threesome fucking sex\Setup.exe

indicates that one of the users of your machine is visiting some very dangerous web sites and/or downloading some dangerous material via P2P. This is probably THE most common mode of infection today.

In your reply please include:
  • C:\ComboFix.txt
  • The results of the latest Malwarebytes Anti-Malware scan.
I didn't mention this before, but we really are making some good progress here. :wave: SCB
ChrisRLG's Computer Safety Online

"I was worried 'bout rich and skinny,
'til I wound up poor and fat"
- Delbert McClinton
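The advisor's point above is that every line of the posted MBAM report ends in "No action taken", so the scanner only listed the items and removed nothing. As an added example, written for this page and not part of the thread or of Malwarebytes' own tooling, here is a small Python parser for the MBAM 1.x text log layout seen in this thread. It pulls out the per-section detections, flags the ones still in place, and cross-checks the header counts ("Files Infected: 5") against the items actually listed, which is the check a helper does by eye before deciding whether a rescan is needed. The sample log is constructed: the paths, the registry value name and the family name Rogue.ExampleAV are placeholders.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM) 1.x text log and flag detections
that were logged but not removed ("No action taken")."""
import re
from collections import Counter

# Constructed sample in the MBAM 1.x log layout (placeholder paths and the
# made-up family name Rogue.ExampleAV; not one of the logs posted in the thread).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 131403

Memory Processes Infected: 0
Registry Values Infected: 1
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\example_value (Rogue.ExampleAV) -> No action taken.

Folders Infected:
C:\Documents and Settings\user\Application Data\ExampleAV (Rogue.ExampleAV) -> No action taken.
C:\Documents and Settings\user\Application Data\ExampleAV\Logs (Rogue.ExampleAV) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\user\Application Data\ExampleAV\avtasks.dat (Rogue.ExampleAV) -> No action taken.
C:\Documents and Settings\user\Application Data\ExampleAV\Logs\av.log (Rogue.ExampleAV) -> Delete on reboot.
"""

# Header line: "<Section> Infected: <count>"
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# Section start: "<Section> Infected:" with no count
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detection line: "<item> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary, detections). summary maps a section name to the count the
    header claims; detections is one dict per listed item with its action."""
    summary = {}
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({
                "section": section,
                "item": m.group("item"),
                "family": m.group("family"),
                "action": m.group("action"),
            })
    return summary, detections


def pending_items(detections):
    """Detections MBAM listed but left in place: the "No action taken" case."""
    return [d for d in detections if d["action"] == "No action taken"]


def summary_mismatches(summary, detections):
    """Sections whose header count disagrees with the number of items listed."""
    listed = Counter(d["section"] for d in detections)
    return {s: (claimed, listed[s]) for s, claimed in summary.items() if claimed != listed[s]}


def report(text):
    """Human-readable lines: totals, every item still in place, and count mismatches."""
    summary, detections = parse_mbam_log(text)
    pending = pending_items(detections)
    lines = [f"{len(detections)} item(s) listed, {len(pending)} still in place"]
    for d in pending:
        lines.append(f"  [{d['section']}] {d['family']}: {d['item']}")
    for s, (claimed, listed) in summary_mismatches(summary, detections).items():
        lines.append(f"  header says {claimed} under '{s}' but {listed} listed")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it on a saved mbam-log file by passing the file's contents to `report()`; a non-empty "still in place" list is the signal that the user clicked through without "Remove Selected", exactly the situation the advisor describes.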

#7 LJP

LJP

    Member

  • Full Member
  • 21 posts

Posted 20 November 2008 - 07:53 PM

Followed your instructions, updated malwares & deleted the video file. Here are the results:

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 5.1.2600 Service Pack 3

11/20/2008 6:59:34 PM
mbam-log-2008-11-20 (18-59-34).txt

Scan type: Quick Scan
Objects scanned: 41021
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc7l6j0el7m (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix 08-11-19.08 - Lisa Dent 2008-11-20 18:40:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.170 [GMT -5:00]
Running from: c:\documents and settings\Lisa Dent\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lisa Dent\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Tasks\Decoder Configuration Utility.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\Decoder Configuration Utility.job

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-16 02:42 . 2008-11-18 21:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-16 02:42 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-16 02:42 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-16 02:19 . 2008-11-19 16:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-16 02:19 . 2008-11-19 16:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-13 01:07 . 2008-11-13 01:07 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-12 17:11 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 17:11 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-05 01:46 . 2008-11-20 08:46 280 --a------ c:\windows\system32\PDBootState
2008-11-01 21:27 . 2008-11-13 20:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-31 01:50 . 2008-10-31 01:50 <DIR> d-------- c:\program files\Trend Micro
2008-10-30 19:20 . 2008-11-20 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-10-28 18:23 . 2008-10-28 18:23 <DIR> d-------- c:\documents and settings\Lisa Dent\Application Data\Yahoo!
2008-10-28 15:59 . 2008-10-28 15:59 <DIR> d-------- c:\program files\Apple Software Update
2008-10-28 15:57 . 2008-11-13 20:11 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-28 15:57 . 2008-10-28 15:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-10-28 15:47 . 2008-10-28 15:47 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-28 15:47 . 2008-10-28 15:47 1,409 --a------ c:\windows\QTFont.for
2008-10-24 03:13 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 23:39 . 2008-10-23 23:39 <DIR> d-------- c:\windows\Cache
2008-10-23 23:39 . 2008-11-01 21:15 <DIR> d-------- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 23:39 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\MSN6
2008-11-20 23:19 --------- d-----w c:\documents and settings\Eric Dent\Application Data\MSN6
2008-11-19 21:45 --------- d-----w c:\program files\LimeWire
2008-11-19 21:14 --------- d-----w c:\documents and settings\Eric Dent\Application Data\LimeWire
2008-11-16 05:50 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-15 09:03 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-11-14 01:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-14 01:14 --------- d-----w c:\program files\Bonjour
2008-11-02 02:54 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-02 02:53 --------- d-----w c:\program files\Google
2008-10-28 21:11 --------- d-----w c:\program files\QuickTime
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 13:08 --------- d-----w c:\program files\DivX
2008-10-16 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-16 13:07 --------- d-----w c:\program files\Yahoo!
2008-09-30 07:50 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\MSNInstaller
2008-09-29 02:29 --------- d-----w c:\documents and settings\Lisa Dent\Application Data\InstallShield
2008-09-28 08:38 --------- d-----w c:\program files\Raxco
2008-09-28 08:30 53,192 ----a-w c:\windows\system32\drivers\rp_skt32.sys
2008-09-07 20:16 0 ---ha-w c:\documents and settings\All Users\hpothb07.dat
2008-09-06 00:32 0 ---ha-w c:\documents and settings\Lisa Dent\hpothb07.dat
2008-08-17 16:59 386 ---ha-w c:\documents and settings\Lisa Dent\Application Data\hpothb07.dat
2008-08-08 12:48 181 ---ha-w c:\documents and settings\Eric Dent\Application Data\hpothb07.dat
2008-08-08 12:48 1,022 ---ha-w c:\documents and settings\Eric Dent\hpothb07.dat
2008-07-27 12:25 336 ---ha-w c:\documents and settings\LocalService\hpothb07.dat
2008-07-12 15:42 3,537 ---ha-w c:\program files\hpothb07.tif
2008-07-12 15:42 2,109 ---ha-w c:\program files\hpothb07.dat
2008-04-04 05:32 17,408 -csha-w c:\program files\Thumbs.db
2008-01-14 06:14 185 ---ha-w c:\documents and settings\All Users\Application Data\hpothb07.dat
2008-01-14 06:14 0 ---ha-w c:\documents and settings\Default User\hpothb07.dat
2007-05-08 04:07 294,912 ----a-w c:\program files\Norton_Removal_Tool.exe
2007-05-04 00:42 114,688 -c--a-w c:\program files\Outlook.pst
2007-04-24 05:53 18,493 ----a-w c:\program files\filext_submission_output.txt
2007-04-24 05:51 507 ----a-w c:\program files\filext_filetype.bat
2007-04-24 05:49 58 ----atw c:\program files\current.downloadhost
2007-03-22 00:09 831,028 ----a-w c:\program files\regrunii.zip
2007-03-19 23:32 15,505,200 ----a-w c:\program files\IE7-WindowsXP-x86-enu.exe
2007-03-08 10:07 1,102,021 ----a-w c:\documents and settings\Eric Dent\AdvancedFontViewerSetup.exe
2007-03-08 10:03 1,395,846 ----a-w c:\documents and settings\Eric Dent\FontManagerSetup.exe
2006-11-29 03:07 128,048 ----a-w c:\documents and settings\Lisa Dent\Application Data\GDIPFONTCACHEV1.DAT
2006-11-25 07:39 3,346,320 ----a-w c:\program files\wbsamp5.exe
2006-11-04 22:21 12,754,672 ----a-w c:\program files\MP10Setup.exe
2000-11-07 21:52 15,182,560 -c--a-w c:\program files\out2kmst.msp
2000-11-07 20:26 670,620 -c--a-w c:\program files\pptmst.msp
2000-11-07 20:01 647,452 -c--a-w c:\program files\excelmst.msp
2000-11-02 22:05 59,904 -c--a-w c:\program files\readadm.doc
2000-10-27 21:40 30,120,448 -c--a-w c:\program files\sp2admin.msp
2008-06-05 04:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060520080606\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-19_17.47.30.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-20 23:44:28 16,384 ----atw c:\windows\temp\Perflib_Perfdata_654.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-24 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon Internet Security Suite"="c:\program files\Verizon\Verizon Internet Security Suite\Rps.exe" [2008-02-26 318704]
"-FreedomNeedsReboot"="c:\program files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2008-02-26 13552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="c:\program files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 61168]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-24 20:45 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
--a------ 2007-03-11 16:37 936960 c:\program files\Verizon\McciTrayApp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 ati2mtaa;ati2mtaa;c:\windows\system32\DRIVERS\ati2mtaa.sys [2004-08-04 327040]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys [2006-08-05 281856]
S3 DetectAC2000;DetectAC2000;\??\c:\windows\system32\FinePointLib\DetectAC2000.sys [2006-08-06 79029]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-17 31592]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\NPF.sys [2007-11-18 34064]
S3 Radialpoint Security Services;Verizon Internet Security Suite;"c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe" [2008-02-26 67824]
S4 hpt3xx;hpt3xx; []
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2008-09-29 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1212555998.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 18:45:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Verizon\Verizon Internet Security Suite\Fws.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\windows\system32\snmp.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\program files\Verizon\VSP\VerizonServicepointComHandler.exe
c:\program files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-20 18:48:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 23:48:43
ComboFix2.txt 2008-11-19 22:48:37

Pre-Run: 83,636,654,080 bytes free
Post-Run: 83,654,344,704 bytes free

183 --- E O F --- 2008-11-16 17:20:44

#8 SpotCheckBilly

SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • 877 posts

Posted 21 November 2008 - 03:13 PM

Hi LJP,

Good news. Your logs are clean. Let's have a final HijackThis log to see if there are any leftovers that we need to take care of, then we can do some tidying up. :wave: SCB

#9 LJP

LJP

    Member

  • Full Member
  • 21 posts

Posted 23 November 2008 - 07:46 PM

OK, here it is:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:45:43, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Verizon\McciBrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec....ta/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...tallMgr_v01.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {A2721B6E-0000-0000-0000-000000000000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

--
End of file - 10069 bytes

#10 SpotCheckBilly

SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 877 posts

Posted 24 November 2008 - 03:39 PM

Hi LJP,

Here are a couple of things that you can fix with HijackThis. They are just a couple of programs that launch with Windows, but it's not necessary that they do. Adobe will launch automatically when you open a .pdf file and QuickTime can be launched manually when you need it.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


Otherwise......

Congratulations! Your log looks clean - good work!

Below is my standard Final Cleanup and All Clean speech. Included in it are tips on how to keep your computer from being reinfected. They are simple to set up and simple to maintain, and I HIGHLY recommend that you follow them.


Download and scan with CCleaner
NOTE: Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Slim version instead of the Standard Build.

Before first use:
  • Select Options=>Advanced.
  • UNcheck Only delete files in Windows Temp folder older than 48 hours.
Select the items you wish to clean up.
  • A note regarding cookies: CCleaner allows you to keep the cookies from selected sites, such as those which use cookies to save your login information.
  • From the main screen: Click Options=>Cookies.
  • Highlight the web sites you wish to keep.
  • Click the -> button.
Click the Cleaner button to return to the main screen.
  • In the Windows tab:
    • Select all items.
  • In the Applications tab:
    • Select all items. NOTE: UN-check Saved Form Information, where available. If you leave this box checked, you will lose all of your saved passwords.
Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK.
CCleaner will scan and clean your system.
  • When cleaning is complete:
  • Close the CCleaner window.
If everything is running OK, let's do the final cleanup...

1. Uninstall Combofix. (If Combofix was not used, proceed to step 2.)
  • Click START=>RUN
  • Type Combofix /u in the runbox (make sure you add the space in between the x in Combofix and /u)
  • Click OK

2. Clear out any other special tools we've used to clean up your computer. They are very powerful and, if used incorrectly, may cause irreparable damage to your computer. (If no other special tools were downloaded, proceed to step 3.) Download OTMoveIt by OldTimer to your Desktop.
  • Double click OTMoveIt.exe to launch it.
  • Click on the CleanUp! button.
  • OTMoveIt will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
  • You will be prompted to allow the clean up procedure; click Yes.
  • When finished, exit out of OTMoveIt.
  • Now delete OTMoveIt.exe (if still present).
3. Disable, then re-enable System Restore, with a reboot in between. Then immediately create a new system restore point manually.

Here are some tips to reduce the potential for spyware infection in the future. I recommend the following applications:
  • Spywareblaster => SpywareBlaster will prevent spyware from being installed, and uses NO system resources.
  • Comodo BOCLEAN => Stop identity thieves from getting personal information. BOClean watches memory, registry, and the file system for malware loading up and shuts it down before it has a chance to launch.
  • How to use Winpatrol to protect your computer => Download and install the free version of Winpatrol to keep malicious software from running.
  • How to use Malwarebytes Anti-Malware to remove Spyware (http://thespykiller.co.uk/index.php/topic,5946.0.html) => Follow link for instructions on how to download, install and use Malwarebytes Anti-Malware.
  • How to use Spybot to remove Spyware => Follow link for instructions on how to download, install and use Spybot.
To protect yourself further:
  • IE/Spyad => IE/Spyad (now known as ZonedOut) places over 5000 websites and domains in the IE Restricted Sites list, and uses NO system resources.
  • Use a Firewall => I cannot stress enough how important it is that you use a Firewall on your computer. See Computer Safety Online - Software Firewalls to learn why. I recommend any of these:
  • UPDATE!-UPDATE!-UPDATE! => This is, without a doubt, THE MOST IMPORTANT element in keeping your computer free of malware. Set Windows AND all of your anti-malware tools for Automatic Updates.
  • Delete temp files => Clear the contents of your Temporary (Temp) folders, Temporary Internet Files (TIF), Cookies, and Recycle Bin for all users of your machine (do not delete the temp folders themselves). This can be done either manually or by using a program such as CCleaner. IMPORTANT: clearing the contents of the temp/Internet/cookies/recycle bin should be done on a regular basis.
Also, please see: So how did I get infected in the first place?

****** STAND UP AND BE COUNTED ******

It is very rewarding to see that your computer is clean. Now we urge you to stand up and be counted! Document your experience, and by doing so, launch a complaint against the makers of malware. You can make a difference. Click on the Malware Complaints icon in my signature and support our cause.

If you are having any more problems, post back the description along with a fresh HijackThis log. :wave: SCB
ChrisRLG's Computer Safety Online

"I was worried 'bout rich and skinny,
'til I wound up poor and fat"
- Delbert McClinton
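A small triage parser for the HijackThis log format used in this thread, added here as an example; it is not part of the original posts and not HijackThis's own code. It turns the O-section lines into records, flags the two optional O4 startup items SpotCheckBilly named (that list is an assumption taken from his reply), and surfaces O23 service entries whose binary is missing or whose owner is unknown, like the stale Symantec entry in the log above. The sample lines are constructed from paths in the posted log.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the HijackThis log format used in this thread (paths copied from the log above).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

--
End of file - 10069 bytes
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")   # "O4 - ..." section prefix
NAME_RE = re.compile(r"\[([^\]]+)\]")        # "[Run value name]" in O4 lines
# First Windows path ending in a binary extension, with or without surrounding quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx))"?', re.IGNORECASE)


@dataclass
class Entry:
    section: str  # "O2", "O4", "O23", ...
    body: str     # everything after "Onn - "
    path: str     # extracted binary path, or "" when none was found
    name: str     # O4 run-value name, or "" for other sections


def parse_hjt(log_text: str) -> List[Entry]:
    """Turn HijackThis log lines into Entry records; header/footer lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        nm = NAME_RE.search(body) if section == "O4" else None
        entries.append(Entry(section, body, pm.group(1) if pm else "", nm.group(1) if nm else ""))
    return entries


# Assumption: the two startup items the helper in this thread said need not launch with Windows.
OPTIONAL_STARTUP = frozenset({"QuickTime Task", "Adobe Reader Speed Launcher"})


def triage(entries: List[Entry], optional_startup=OPTIONAL_STARTUP) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs for entries worth a second look before a log is called clean."""
    findings = []
    for e in entries:
        if e.section == "O4" and e.name in optional_startup:
            findings.append((e.name, "optional startup item; can be fixed in HijackThis"))
        if e.section == "O23":
            if "(file missing)" in e.body:
                findings.append((e.path, "service registered but its binary is missing (orphaned entry)"))
            if "Unknown owner" in e.body:
                findings.append((e.path, "service reports no vendor; verify before trusting it"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{item}: {reason}")
```

Running it against the full log from the thread gives the same four findings: the two optional startup items and the orphaned Symantec service, twice flagged.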

#11 LJP

LJP

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 27 November 2008 - 09:56 PM


#12 LJP

LJP

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 27 November 2008 - 09:58 PM

Apparently, OTMoveIt is obsolete and no longer available to download. How should I proceed?

#13 LJP

LJP

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 27 November 2008 - 10:28 PM

OK, apparently OTMoveIt is now obsolete & the only one available was OTMoveIt3, so I took a chance w/ my fingers tightly crossed; went ahead & downloaded it & followed your directions. It automatically asked to reboot when it was through & was automatically deleted. All seems well, so I think I may be done but I just have a couple questions; do you think there are remnants of the OTMoveIt download still lingering, if so how do I remove it, & are the applications you suggest to reduce & protect me from future spyware problems compatible w/ Verizon Security Suite & Windows XP Security? Thanks again for all your help, it was most helpful!! Finally, I posted my complaint & the satisfying experience I had with your help.

Edited by LJP, 27 November 2008 - 11:52 PM.


#14 teacup61

teacup61

    Forum Deity

  • Expert
  • PipPipPipPipPip
  • 4,064 posts

Posted 29 November 2008 - 06:15 PM

Hello :wave:

SpotCheckBilly cannot be here right now so I'll be looking in on his threads. :)

do you think there are remnants of the OTMoveIt

There shouldn't be, since it also deletes itself in the process. :thumbsup:

are the applications you suggest to reduce & protect me from future spyware problems compatible w/ Verizon Security Suite & Windows XP Security?

Unless you just overdo with the programs they should all play well together, yes. The only thing is IE Spyad is no longer. It hasn't been updated for a long time, and the owner says he won't be updating it. :( So, please disregard that particular suggestion.

If you have any further questions, please feel free to ask. :)

Take care!
tea
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.



#15 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 20,555 posts

Posted 02 June 2009 - 01:23 PM

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

