PDA

View Full Version : Recurring pmocntr2 - Trojan cookie


sky33
2011-04-01, 20:31
As requested by Tashi, http://forums.spybot.info/showthread.php?t=62013 here is the DDS - Notepad as copied:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by CHIEF at 9:03:39.76 on Fri 04/01/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.1590 [GMT -7:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k apphost
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\system32\svchost.exe -k wcssvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\Bandoo\Bandoo.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\FaxTalk Communicator\FTCtrl32.EXE
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MAXA Cookie Manager\Cookie.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\FaxTalk Communicator\FAPIEXE.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Bandoo\BndCore.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\CHIEF\Downloads\dds.com
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.rr.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.msn.com
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
uURLSearchHooks: H - No File
uURLSearchHooks: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} -
uURLSearchHooks: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} -
uURLSearchHooks: Sports Radio Online Toolbar: {a3568dac-c2bc-4122-9eab-1a05e08988be} -
uURLSearchHooks: Do Good Toolbar: {a7c707a4-57db-414e-80d5-198388f52ceb} -
uURLSearchHooks: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\prxtbSwag.dll
mURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link toolbar\dlinktb.dll
mURLSearchHooks: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} -
mURLSearchHooks: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} -
mURLSearchHooks: Sports Radio Online Toolbar: {a3568dac-c2bc-4122-9eab-1a05e08988be} -
mURLSearchHooks: Do Good Toolbar: {a7c707a4-57db-414e-80d5-198388f52ceb} -
mURLSearchHooks: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\prxtbSwag.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Set UA String (BHO): {3ce56db6-fcbe-4422-9454-63c354178985} - c:\program files\uapick\UABtn.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\prxtbSwag.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - Free Radio TV Toolbar
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: {a3568dac-c2bc-4122-9eab-1a05e08988be} - Sports Radio Online Toolbar
BHO: {a7c707a4-57db-414e-80d5-198388f52ceb} - Do Good Toolbar
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - Road Runner Toolbar
BHO: BandooIEPlugin Class: {eb5cee80-030a-4ed8-8e20-454e9c68380f} - c:\program files\bandoo\plugins\ie\ieplugin.dll
BHO: D-Link Toolbar Loader: {f01858c7-2a68-4d93-9e22-502eae3917c2} - c:\program files\d-link toolbar\dlinktb.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} -
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} -
TB: Sports Radio Online Toolbar: {a3568dac-c2bc-4122-9eab-1a05e08988be} -
TB: Do Good Toolbar: {a7c707a4-57db-414e-80d5-198388f52ceb} -
TB: D-Link Toolbar: {61874dfa-9adf-44e5-8e61-f3913707e7d7} - c:\program files\d-link toolbar\dlinktb.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: Swag Bucks Toolbar: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - c:\program files\swag_bucks\prxtbSwag.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
TB: {70A38074-97A6-45DA-B1A1-34B0A34DC3FF} - No File
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [HPAdvisor] "c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe" view=DOCKVIEW,SYSTRAY
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [AutoSizer] "c:\program files\autosizer\AutoSizer.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [MSCS] c:\program files\maxa cookie manager\Cookie.exe /autorun
mRun: [HP Health Check Scheduler] "c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe"
mRun: [hpsysdrv] "c:\hp\support\hpsysdrv.exe"
mRun: [<NO NAME>]
mRun: [CallControl 4.7] "c:\program files\faxtalk communicator\FTCtrl32.exe" /autoload
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [PhoneTray] c:\program files\traysoft\phonetray\PhoneTray.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoResolveTrack =
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoResolveTrack =
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Crawler Search - tbr:iemenu
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: Save Page As PDF ... - file://c:\program files\nitro pdf\pdf download\nitroweb.htm
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {16FE352D-F643-4A81-BC61-2C051F3A757D} - {16FE352D-F643-4A81-BC61-2C051F3A757D} - c:\progra~1\crawler\smileys\CSMILE~1.DLL
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110}
IE: {7CD59A63-0815-46D0-B474-2E5BCFCADD7C} - {1E866952-62EA-4161-B97D-4D228CEDF7A0} - c:\program files\uapick\UABtn.dll
IE: {82E2B317-7C9C-4F12-B920-AC37D928CD43} - {82E2B317-7C9C-4F12-B920-AC37D928CD43} - c:\progra~1\crawler\smileys\CSMILE~1.DLL
IE: {AD9E6088-E00B-42f9-9F0C-8480525D234E} - {FF5073C0-28A0-4223-9BDF-59FF020FE77C}
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: sportstradingchatter.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB70-AE6D-11cf-96B8-444553540000} -
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://gwesq.webex.com/client/T27L/webex/ieatgpc.cab
DPF: {E19F9331-3110-11D4-991C-005004D3B3DB} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\chief\appdata\roaming\mozilla\firefox\profiles\g73az67n.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://videobar.bingstart.com/?cfg=2-139-0-1HaNP
FF - prefs.js: keyword.URL - hxxp://videobar.bingstart.com/s/?src=FF-Address&site=Bing&cfg=2-139-0-1HaNP&q=
FF - component: c:\progra~1\crawler\firefox\components\xcomm.dll
FF - component: c:\progra~1\crawler\firefox\components\xshared.dll
FF - component: c:\progra~1\crawler\firefox\components\xsupport.dll
FF - component: c:\program files\discover\soan\components\SlimOrbAddonDiscoverSOAN.dll
FF - component: c:\program files\rebateinformer\firefox\components\FFRebateI.dll
FF - component: c:\program files\rebateinformer\firefox\components\ffrisupport.dll
FF - component: c:\program files\siteranker\firefox\components\siterank.dll
FF - component: c:\users\chief\appdata\roaming\mozilla\firefox\profiles\g73az67n.default\extensions\firefox@bandoo.com\components\FFPlugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox 3.6 beta 3\plugins\npdeploytk.dll
FF - plugin: c:\program files\mozilla firefox 3.6 beta 3\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox 3.6 beta 3\plugins\npyaxmpb.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\chief\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox 4.0 beta 2\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Inbox Toolbar: http://forums.spybot.info/misc.php?do=email_dev&email=aW5ib3hjb210b29sYmFyQGluYm94LmNvbQ== - %profile%\extensions\inboxcomtoolbar@inbox.com
FF - Ext: TVU Web Player: http://forums.spybot.info/misc.php?do=email_dev&email=ZmlyZWZveEB0dnVuZXR3b3Jrcy5jb20= - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: D-Link Toolbar: {926a10d2-4ce7-4331-b96f-ca4e22590fac} - %profile%\extensions\{926a10d2-4ce7-4331-b96f-ca4e22590fac}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Bandoo for Firefox: http://forums.spybot.info/misc.php?do=email_dev&email=ZmlyZWZveEBiYW5kb28uY29t - %profile%\extensions\firefox@bandoo.com
FF - Ext: Search Toolbar: http://forums.spybot.info/misc.php?do=email_dev&email=c2VhcmNodG9vbGJhckB6dWdvLmNvbQ== - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: ShopAtHome.com Intelligent Shopping Toolbar: http://forums.spybot.info/misc.php?do=email_dev&email=dG9vbGJhckBzaG9wYXRob21lLmNvbQ== - %profile%\extensions\toolbar@shopathome.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\progra~1\crawler\firefox
FF - Ext: SiteRanker: http://forums.spybot.info/misc.php?do=email_dev&email=c2l0ZXJhbmtlckBzaXRlcmFua2VyLmNvbQ== - c:\program files\siteranker\firefox
FF - Ext: Secure Online Account Numbers: discoversoan@orbiscom - c:\program files\discover\SOAN
FF - Ext: RebateInformer: {ED76C299-85BC-4891-9237-74A140C28832} - c:\program files\rebateinformer\Firefox
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-20 64288]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2009-1-16 20392]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
R1 MpKsle5d9e608;MpKsle5d9e608;c:\programdata\microsoft\microsoft antimalware\definition updates\{42b46fe9-f09b-4ee5-a1d3-f26405895c23}\MpKsle5d9e608.sys [2011-4-1 28752]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-8-23 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-8-23 21504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-4 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-10-16 369256]
R2 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2010-5-8 246792]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2009-3-19 391168]
R3 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2011-1-19 724152]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-19 135664]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-9-2 39264]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2011-1-19 724152]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1405384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15232]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-11-16 267568]
S3 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-11 167936]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2010-12-20 11232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
S4 Recovery Commander Task Manager;Recovery Commander Task Manager;c:\progra~1\vcom\recove~1\mxtask.exe -service --> c:\progra~1\vcom\recove~1\MXTask.exe -Service [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-04-01 15:16:58 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{42b46fe9-f09b-4ee5-a1d3-f26405895c23}\MpKsle5d9e608.sys
2011-04-01 15:16:48 6792528 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{42b46fe9-f09b-4ee5-a1d3-f26405895c23}\mpengine.dll
2011-03-30 19:01:42 -------- d-----w- c:\users\chief\appdata\local\{C6C11074-C2F3-4CE8-B825-4E8D5564D81C}
2011-03-30 19:01:42 -------- d-----w- c:\users\chief\appdata\local\{B116FD2D-8C73-4B48-93CF-C756A1A7C01A}
2011-03-30 19:01:29 -------- d-----w- c:\users\chief\appdata\roaming\Windows Live Writer
2011-03-30 19:01:29 -------- d-----w- c:\users\chief\appdata\local\Windows Live Writer
2011-03-29 15:44:06 -------- d-----w- c:\users\chief\appdata\roaming\WildTangent
2011-03-26 15:09:03 -------- d-----w- c:\program files\Defraggler
2011-03-25 15:38:05 -------- d-----w- c:\program files\CCleaner
2011-03-25 15:12:45 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2011-03-25 15:12:12 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{ef9877da-3730-499d-bdb9-f3536de903b1}\gapaengine.dll
2011-03-24 15:31:47 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-24 15:31:47 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-24 15:31:47 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-18 16:07:21 56200 ----a-w- c:\windows\system32\offreg.dll
2011-03-15 21:29:50 -------- d-----w- c:\program files\Conduit
2011-03-15 21:29:45 -------- d-----w- c:\program files\ConduitEngine
2011-03-15 21:29:42 -------- d-----w- c:\program files\Swag_Bucks
2011-03-15 18:39:08 -------- d-----w- c:\program files\WOT
2011-03-09 17:13:51 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 17:13:50 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 17:13:50 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 17:13:50 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 17:13:49 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 17:13:49 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 01:00:32 -------- d-----w- c:\users\chief\appdata\local\Conduit
.
==================== Find3M ====================
.
2011-03-15 22:24:20 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
2011-03-15 22:23:32 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-03-15 22:23:26 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-03-15 22:21:16 2234552 ----a-w- c:\windows\system32\Incinerator.dll
2011-02-16 17:22:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-08 12:55:21 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 9:04:22.07 ===============

I have saved the Notepad Attachment but don't know how to add it to this message.
shelf life
2011-04-03, 20:04
hi sky33,

Which of your malware apps are calling this a "trojan cookie"? If you can find it you can try uploading it here. (http://www.virustotal.com/) Browse for the file then use the send button. You can post the URL as a link to the results.
sky33
2011-04-04, 02:40
Hi shelf life,

Thank you for the link to "Virus Total".

To the best of my recollection, Spybot flagged some entries when I ran it and when SB destroyed the entries, "pmocntr2" was also removed, but it reoccurs with some annoying regularity.

Some of the references to either "pmocntr" or "pmocntr2" being a Trojan-Banker are:

http://www.threatexpert.com/report.aspx?md5=b25079b9d85ac6ec3175d9440253014a

specifically in that window is this entry:

%UserProfile%\UserData\WAPL0WFG\pmocntr2[1].xml 40 bytes
MD5: 0x301E1298E130E7CC7D541A38FEC3F422
SHA-1:
0xB88E26D46E61B86EB4F39A680FD0676D5AB71ED0

also,

http://www.spywareremove.com/removeUserProfileUserDataSTIVO1EBpmocntr1xml.html
shelf life
2011-04-04, 03:15
Did virus total have any positive results? You can get a download and see what it digs up:

Please download the free version of Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
sky33
2011-04-04, 04:36
Hi shelf life,

I don't believe that the last Spybot run had any virus' noted (most of my weekly Spybot runs turn up nothing) . . . is there a way I can check that at this few days later point?

I have run Malwarebytes weekly (and sometimes more) for well over a year now.

I usually run the Full Scan about twice a month.

When "pmocntr" and "pmocntr2" began appearing about 10-12 days ago, I ran an updated Malwarebytes when the pmocntr cookie was being noticed and it did not pick it up for deletion.

However, currently, I have been able to delete, primarily thru regedit, references to pmocntr/2 and neither has reappeared since about 24 hours ago (none today).

The next time they infect my computer, I will follow the directions in your email for logging mbam and uploading.
shelf life
2011-04-04, 23:50
I dont know what browser you use, but you can control cookies somewhat by settings. If FF you can have cookies deleted when you close the browser. Looks like you have a cookie manager installed also.


is there a way I can check that at this few days later point?
You mean keep this thread open? No problem.

This cookie by itself is harmless. If you really had a "banker" trojan it would be showing up in the other scans you did.
sky33
2011-04-06, 04:38
Hi sl,

Browser is IE9.

Cookie manager is MAXA Cookie Manager.

Re: is there a way I can check that at this few days later point? . . . what I meant was there any way that I can retrieve my last Spybot run to review it?

Re: This cookie by itself is harmless. If you really had a "banker" trojan it would be showing up in the other scans you did. . . . happy to read!

Also, good news thus far . . . no "pmocntr" since Saturday.

Only major difference I can think of having done since the last sighting of pmocntr is installing "Threatfire".
shelf life
2011-04-06, 23:42
I can retrieve my last Spybot run to review it
I really dont know. Iam in Linux most of the time. I dont use Spybot, If you poke around in the settings you might find previously saved scan logs, or check the help file.
Maybe it was a false positive all along. In any case it looks like your machine is free of malware.
sky33
2011-04-07, 00:54
Hi sl,

I did some "poking" around and found that retrieval appears possible in Recovery; however, it just lists the deleted file, not whether it is a virus, malware, etc., or not.

Also, in Tools, it indicates that scans can be saved for later retrieval; however, even though I have that checked in Settings I don't seem to have any to retrieve.

Looking through the myriad of options that SB offers, I did some "tweaking" on various aspects that I set up years ago when when I first started using SB . . . all in all, a worthwhile exercise!

Lastly, as a cookie manager, MAXA has worked well in identifying those pesky things for me . . .yesterday, it spotted "Phoenix" (listed as a "keylogger" on SB) and I eliminated that with CCleaner, another good product that I have used for over 2 years now.
shelf life
2011-04-08, 00:50
Looks like you are in good shape then.