View Full Version : Yahoo and Google Worng Search Results
jcherreria
2009-01-12, 22:43
Hello all. I'm having a heck of a time finding and removing this thing that has affected my computer. I wouldn't even know what to call it.
My search engine results on Yahoo and Google are returning wrong websites.
ie: I search for Chia Pet and my search result descriptions are correct but they are being redirected to other websites.
I've tried SpyBot, McAfee and MalwareBytes and nothing.
J
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:09 PM, on 1/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cypherixsrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intuit\QuickBooks 2006\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/yme/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.purenetworks.com/redir/click/survey/uninstall/?pn=nm&a=3.3.6289.0&b=Pure&dc=DLINK0.routersetup&dt=OEM
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148333120147
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168725896171
O23 - Service: McAfee Application Installer Cleanup (0101821231419858) (0101821231419858mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\YJCATE~1\LOCALS~1\Temp\010182~1.EXE
O23 - Service: Cypherix service (cypherixservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cypherixsrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 7824 bytes
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
jcherreria
2009-01-18, 16:34
Thank you for your response. When I attempt to install the combo fix the set up screen is in a language I do not understand. Simultaneously all of my browser windows close.
???
J
Hi
Could you please provide a screenshot of that? Sounds a bit abnormal.
jcherreria
2009-01-19, 20:06
file:///C:/DOCUME%7E1/YJCATE%7E1/LOCALS%7E1/Temp/moz-screenshot-2.jpg
jcherreria
2009-01-19, 20:09
I guess I don't know how to add a screen shot.
Here is what the box text is:
Uppdatering
En nyare version av ComboFix ar tillganglig.
Vill du uppdatera ComboFix?
YES NO
Hi
Select 'yes' to that. It asked if you want to install a fresh version of ComboFix available :) Usually ComboFix should work in same language as the operating system.
jcherreria
2009-01-20, 17:27
I was able to finally run ComboFix in English by running in safe mode. It appears that everything is working perfectly after running ComboFix.
Thank you for your help.
Here are the logs requested:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:24 AM, on 1/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\cypherixsrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.purenetworks.com/redir/click/survey/uninstall/?pn=nm&a=3.3.6289.0&b=Pure&dc=DLINK0.routersetup&dt=OEM
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148333120147
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168725896171
O23 - Service: Cypherix service (cypherixservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cypherixsrv.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 7419 bytes
ComboFix 09-01-19.05 - YJ CATERING 2009-01-20 10:03:40.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.605 [GMT -5:00]
Running from: c:\documents and settings\YJ CATERING\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\bszip.dll
c:\windows\system32\wdmaud.sys
.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.
2009-01-15 11:11 . 2009-01-15 11:11 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-15 11:01 . 2009-01-15 11:01 1,374 --a------ c:\windows\imsins.BAK
2009-01-14 19:22 . 2009-01-14 19:22 <DIR> d-------- c:\windows\LastGood.Tmp
2009-01-12 17:41 . 2009-01-12 17:41 <DIR> d-------- c:\program files\NOS
2009-01-12 17:41 . 2009-01-12 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-11 13:09 . 2009-01-11 13:09 <DIR> d-------- c:\program files\Trend Micro
2009-01-09 13:06 . 2009-01-09 13:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 13:06 . 2009-01-09 13:06 <DIR> d-------- c:\documents and settings\YJ CATERING\Application Data\Malwarebytes
2009-01-09 13:06 . 2009-01-09 13:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 13:06 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 13:06 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 12:50 . 2009-01-08 12:50 <DIR> d-------- c:\program files\CCleaner
2009-01-08 08:08 . 2009-01-20 09:58 21,991 --a------ c:\windows\system32\Config.MPF
2009-01-08 08:05 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-08 08:04 . 2009-01-08 08:04 <DIR> d-------- C:\mcafee_mcpr
2009-01-08 08:04 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-08 08:04 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-08 08:04 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-08 08:04 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-08 08:04 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-08 08:02 . 2009-01-08 08:03 <DIR> d-------- c:\program files\McAfee.com
2009-01-08 08:02 . 2009-01-08 08:04 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-08 08:01 . 2009-01-13 10:23 <DIR> d-------- c:\program files\McAfee
2009-01-08 07:55 . 2009-01-08 07:55 6 --a------ c:\windows\msoffice.ini
2009-01-06 12:44 . 2009-01-20 02:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 17:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-08 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-08 13:00 --------- d-----w c:\program files\Common Files\AOL
2009-01-08 12:58 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-01-08 12:57 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\AOL
2009-01-06 17:45 --------- d-----w c:\program files\Google
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 13:12 --------- d-----w c:\program files\Ahead
2008-12-10 13:09 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-12-10 13:08 --------- d-----w c:\program files\Common Files\Ahead
2008-12-07 14:19 --------- d-----w c:\program files\Cypherix LE
2008-12-05 18:38 --------- d-----w c:\program files\NCH Software
2008-12-05 18:38 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\NCH Software
2008-12-05 18:38 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Software
2008-12-04 20:54 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\Corel
2008-12-04 20:36 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-04 20:36 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-12-04 20:31 --------- d-----w c:\program files\Corel
2008-12-04 20:31 --------- d-----w c:\program files\Common Files\Corel
2008-12-04 20:31 --------- d-----w c:\documents and settings\All Users\Application Data\Corel
2008-12-04 18:12 --------- d-----w c:\program files\activePDF
2008-12-01 23:50 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\AdobeUM
2008-11-30 13:14 --------- d-----r c:\documents and settings\YJ CATERING\Application Data\Brother
2008-11-29 17:53 --------- d-----w c:\program files\Microsoft.NET
2008-11-29 13:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-28 18:14 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\McAfee.com Personal Firewall
2008-11-25 15:21 5,120 ----a-w C:\CLCNTRL.DAT
2008-11-25 14:54 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\Motive
2008-11-22 21:19 --------- d-----w c:\program files\Common Files\Motive
2008-11-22 21:19 --------- d-----w c:\program files\att-nap
2008-11-22 21:18 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-11-22 20:24 --------- d-----w c:\program files\Pure Networks
2008-11-22 20:22 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2008-11-22 20:20 --------- d-----w c:\program files\Common Files\Adobe
2008-11-22 19:57 --------- d-----w c:\program files\Common Files\Intuit
2008-11-22 19:56 --------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2008-11-22 19:55 --------- d-----w c:\program files\Intuit
2008-11-22 19:55 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-11-22 19:53 --------- d-----w c:\program files\Common Files\SWF Studio
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-01-04 16:59 270,296 ----a-w c:\documents and settings\BPA Server\Application Data\GDIPFONTCACHEV1.DAT
2007-01-12 20:01 72 ----a-w c:\documents and settings\BPA Server\Application Data\ftpfile.dat
2006-03-07 16:56 69 ----a-w c:\documents and settings\BPA Server\printertest.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-21 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-12 180269]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"aux"= wdmaud.sys
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAMMonitor]
--a------ 2005-08-02 10:00 4147200 c:\program files\X-Charge\XChrgSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-05-21 14:42 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-09-12 14:32 208941 c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2004-07-25 13:45 1277952 c:\program files\Support.com\BellSouth\hcenter.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-09-12 14:32 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Corel\\Graphics10\\Register\\NAVBrowser.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Lime Wire\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-12 33752]
S4 cypherixservice;Cypherix service;cypherixsrv.exe --> cypherixsrv.exe [?]
S4 cyphxdrv;cyphxdrv;c:\windows\system32\drivers\cyphxdrv.sys [2008-12-07 100728]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-08-07 46112]
S4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-11 14336]
.
Contents of the 'Scheduled Tasks' folder
2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2009-01-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -
Notify-LMIinit - (no file)
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-AOLSPScheduler - c:\program files\Common Files\AOL\1134241760\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
MSConfigStartUp-EmailScan - c:\program files\mcafee.com\antivirus\mcvsescn.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1134241760\ee\AOLSoftware.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-MPFExe - c:\program files\mcafee.com\personal firewall\MPfTray.exe
MSConfigStartUp-nmapp - c:\program files\Pure Networks\Network Magic\nmapp.exe
MSConfigStartUp-OASClnt - c:\program files\mcafee.com\antivirus\oasclnt.exe
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
MSConfigStartUp-sscRun - c:\program files\Common Files\AOL\1134241760\ee\SSCRun.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
MSConfigStartUp-ymetray - c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://go.purenetworks.com/redir/click/survey/uninstall/?pn=nm&a=3.3.6289.0&b=Pure&dc=DLINK0.routersetup&dt=OEM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\YJ CATERING\Application Data\Mozilla\Firefox\Profiles\mzdl95rg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 10:05:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-01-20 10:07:11
ComboFix-quarantined-files.txt 2009-01-20 15:06:41
Pre-Run: 58,283,925,504 bytes free
Post-Run: 58,420,232,192 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
247 --- E O F --- 2009-01-15 16:03:18
Good. There's still something left to do though :)
Upload following file to http://www.virustotal.com and post back the scanning results:
c:\windows\system32\drivers\cyphxdrv.sys
Open notepad and copy/paste the text in the quotebox below into it:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Lime Wire\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader!
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 11 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.
Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
jcherreria
2009-01-20, 18:21
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.20 -
AhnLab-V3 5.0.0.2 2009.01.20 -
AntiVir 7.9.0.57 2009.01.20 -
Authentium 5.1.0.4 2009.01.19 -
Avast 4.8.1281.0 2009.01.20 -
AVG 8.0.0.229 2009.01.20 -
BitDefender 7.2 2009.01.20 -
CAT-QuickHeal 10.00 2009.01.20 -
ClamAV 0.94.1 2009.01.20 -
Comodo 939 2009.01.20 -
DrWeb 4.44.0.09170 2009.01.20 -
eSafe 7.0.17.0 2009.01.20 -
eTrust-Vet 31.6.6317 2009.01.20 -
F-Prot 4.4.4.56 2009.01.19 -
F-Secure 8.0.14470.0 2009.01.20 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.20 -
Ikarus T3.1.1.45.0 2009.01.20 -
K7AntiVirus 7.10.596 2009.01.20 -
Kaspersky 7.0.0.125 2009.01.20 -
McAfee 5501 2009.01.20 -
McAfee+Artemis 5500 2009.01.19 -
Microsoft 1.4205 2009.01.20 -
NOD32 3780 2009.01.20 -
Norman 5.93.01 2009.01.20 -
nProtect 2009.1.8.0 2009.01.20 -
Panda 9.5.1.2 2009.01.20 -
PCTools 4.4.2.0 2009.01.20 -
Prevx1 V2 2009.01.20 -
Rising 21.13.11.00 2009.01.20 -
SecureWeb-Gateway 6.7.6 2009.01.20 -
Sophos 4.37.0 2009.01.20 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.20 -
TheHacker 6.3.1.5.224 2009.01.20 -
TrendMicro 8.700.0.1004 2009.01.20 -
ViRobot 2009.1.20.1569 2009.01.20 -
VirusBuster 4.5.11.0 2009.01.20 -
Additional information
File size: 100728 bytes
MD5...: 6605baea70a70bdbc28d4105b32e5564
SHA1..: a43724229f6ee617ed2befc41113628938ab122c
SHA256: d232915419cb86ffd706676e1546ab9557fa1ab923d9a3d5d3c5240e253f82b3
SHA512: 9d3fe4a03e203ae7117542fa047eb93672be9fb32dc346f9b01e1e32b7317432
ffab7ff69095e3f3706a959b7b7f25ec56a259ac5c75b61f0ca7cac22de3b132
ssdeep: 1536:qtCIeCdie8ZqgcGKsHHdY+67JICS4Ae1mmmfAeN5QLat9Wb2y:uVqVY+6WA
m9f3bDt9W
PEiD..: -
TrID..: File type identification
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x25979
timedatestamp.....: 0x48be80cb (Wed Sep 03 12:19:23 2008)
machinetype.......: 0x14c (I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x480 0xe496 0xe500 6.59 4842e618566545054420e63a3dd07e12
.rdata 0xe980 0x3add 0x3b00 7.23 287f033f99a8a53bd5d836a3ae7334d5
.data 0x12480 0x3354 0x3380 7.84 87e9119c278cc1e34b3cd6d23fcaeb16
INIT 0x15800 0x6c6 0x700 5.71 d5f4ef7c3311d1ada9148bf574e65f59
.rsrc 0x15f00 0x398 0x400 2.96 036e983b84c317435f0e908022fa6e5e
.reloc 0x16300 0xc26 0xc80 6.27 b46dc7720a2174aafce183e570e342fb
( 1 imports )
> ntoskrnl.exe: IoDeleteDevice, IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, wcscpy, KeWaitForSingleObject, ZwClose, ObReferenceObjectByHandle, ExFreePool, PsCreateSystemThread, KeClearEvent, ExAllocatePoolWithTag, ObfDereferenceObject, KeReleaseSemaphore, wcsncat, wcscat, IoDeleteSymbolicLink, KeInitializeSpinLock, KeInitializeSemaphore, KeInitializeEvent, wcslen, IoSetHardErrorOrVerifyDevice, ZwCreateFile, KeReleaseMutex, ExfInterlockedRemoveHeadList, PsTerminateSystemThread, KeSetEvent, KeSetPriorityThread, KeGetCurrentThread, ExfInterlockedInsertTailList, IofCompleteRequest, KeInitializeMutex, IofCallDriver, IoAllocateIrp, RtlExtendedLargeIntegerDivide, IoFreeIrp, MmMapLockedPages, IoFreeMdl, MmUnlockPages, KeBugCheck, IoBuildDeviceIoControlRequest, wcscmp, IoGetDeviceObjectPointer, ObfReferenceObject, IoGetRelatedDeviceObject, ZwQueryInformationFile, ZwReadFile, _allmul, MmBuildMdlForNonPagedPool, IoAllocateMdl, KeTickCount, KeBugCheckEx
( 0 exports )
jcherreria
2009-01-20, 21:07
ComboFix 09-01-19.05 - YJ CATERING 2009-01-20 11:25:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.491 [GMT -5:00]
Running from: c:\documents and settings\YJ CATERING\Desktop\ANTI\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.
2009-01-15 11:11 . 2009-01-15 11:11 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-15 11:01 . 2009-01-15 11:01 1,374 --a------ c:\windows\imsins.BAK
2009-01-12 17:41 . 2009-01-12 17:41 <DIR> d-------- c:\program files\NOS
2009-01-12 17:41 . 2009-01-12 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-11 13:09 . 2009-01-11 13:09 <DIR> d-------- c:\program files\Trend Micro
2009-01-09 13:06 . 2009-01-09 13:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 13:06 . 2009-01-09 13:06 <DIR> d-------- c:\documents and settings\YJ CATERING\Application Data\Malwarebytes
2009-01-09 13:06 . 2009-01-09 13:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 13:06 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 13:06 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 12:50 . 2009-01-08 12:50 <DIR> d-------- c:\program files\CCleaner
2009-01-08 08:08 . 2009-01-20 11:24 21,991 --a------ c:\windows\system32\Config.MPF
2009-01-08 08:05 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-08 08:04 . 2009-01-08 08:04 <DIR> d-------- C:\mcafee_mcpr
2009-01-08 08:04 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-08 08:04 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-08 08:04 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-08 08:04 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-08 08:04 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-08 08:02 . 2009-01-08 08:03 <DIR> d-------- c:\program files\McAfee.com
2009-01-08 08:02 . 2009-01-08 08:04 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-08 08:01 . 2009-01-13 10:23 <DIR> d-------- c:\program files\McAfee
2009-01-08 07:55 . 2009-01-08 07:55 6 --a------ c:\windows\msoffice.ini
2009-01-06 12:44 . 2009-01-20 02:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 17:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-08 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-08 13:00 --------- d-----w c:\program files\Common Files\AOL
2009-01-08 12:58 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-01-08 12:57 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\AOL
2009-01-06 17:45 --------- d-----w c:\program files\Google
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 13:12 --------- d-----w c:\program files\Ahead
2008-12-10 13:09 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-12-10 13:08 --------- d-----w c:\program files\Common Files\Ahead
2008-12-07 14:19 --------- d-----w c:\program files\Cypherix LE
2008-12-05 18:38 --------- d-----w c:\program files\NCH Software
2008-12-05 18:38 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\NCH Software
2008-12-05 18:38 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Software
2008-12-04 20:54 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\Corel
2008-12-04 20:36 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-04 20:36 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-12-04 20:31 --------- d-----w c:\program files\Corel
2008-12-04 20:31 --------- d-----w c:\program files\Common Files\Corel
2008-12-04 20:31 --------- d-----w c:\documents and settings\All Users\Application Data\Corel
2008-12-04 18:12 --------- d-----w c:\program files\activePDF
2008-12-01 23:50 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\AdobeUM
2008-11-30 13:14 --------- d-----r c:\documents and settings\YJ CATERING\Application Data\Brother
2008-11-29 17:53 --------- d-----w c:\program files\Microsoft.NET
2008-11-29 13:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-28 18:14 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\McAfee.com Personal Firewall
2008-11-25 15:21 5,120 ----a-w C:\CLCNTRL.DAT
2008-11-25 14:54 --------- d-----w c:\documents and settings\YJ CATERING\Application Data\Motive
2008-11-22 21:19 --------- d-----w c:\program files\Common Files\Motive
2008-11-22 21:19 --------- d-----w c:\program files\att-nap
2008-11-22 21:18 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-11-22 20:24 --------- d-----w c:\program files\Pure Networks
2008-11-22 20:22 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2008-11-22 20:20 --------- d-----w c:\program files\Common Files\Adobe
2008-11-22 19:57 --------- d-----w c:\program files\Common Files\Intuit
2008-11-22 19:56 --------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2008-11-22 19:55 --------- d-----w c:\program files\Intuit
2008-11-22 19:55 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-11-22 19:53 --------- d-----w c:\program files\Common Files\SWF Studio
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-01-04 16:59 270,296 ----a-w c:\documents and settings\BPA Server\Application Data\GDIPFONTCACHEV1.DAT
2007-01-12 20:01 72 ----a-w c:\documents and settings\BPA Server\Application Data\ftpfile.dat
2006-03-07 16:56 69 ----a-w c:\documents and settings\BPA Server\printertest.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-21 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-12 180269]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"aux"= wdmaud.sys
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAMMonitor]
--a------ 2005-08-02 10:00 4147200 c:\program files\X-Charge\XChrgSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-05-21 14:42 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-09-12 14:32 208941 c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2004-07-25 13:45 1277952 c:\program files\Support.com\BellSouth\hcenter.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-09-12 14:32 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Corel\\Graphics10\\Register\\NAVBrowser.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Lime Wire\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service
R4 cypherixservice;Cypherix service;cypherixsrv.exe --> cypherixsrv.exe [?]
R4 cyphxdrv;cyphxdrv;c:\windows\system32\drivers\cyphxdrv.sys [2008-12-07 100728]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-08-07 46112]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-11 14336]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-12 33752]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder
2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2009-01-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://go.purenetworks.com/redir/click/survey/uninstall/?pn=nm&a=3.3.6289.0&b=Pure&dc=DLINK0.routersetup&dt=OEM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\YJ CATERING\Application Data\Mozilla\Firefox\Profiles\mzdl95rg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 11:28:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-01-20 11:30:26
ComboFix-quarantined-files.txt 2009-01-20 16:30:16
ComboFix2.txt 2009-01-20 15:07:12
Pre-Run: 57,583,915,008 bytes free
Post-Run: 57,571,356,672 bytes free
220 --- E O F --- 2009-01-15 16:03:18
Running from: c:\documents and settings\YJ CATERING\Desktop\ANTI\ComboFix.exe
Hi
Seems like you didn't run ComboFix with CFScript.txt file I made you create. Please try that part again :)
Due to inactivity, this thread will now be closed.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.