jdena
2012-06-05, 19:18
Hello everyone.
Last night, my mother's PC sent out a couple emails from her yahoo email account. These emails were obviously not written by her, and they contained a link to a suspicious website (which I did not click). I ran an S&D scan and found that her PC was infected with a banker trojan.
First:
This post is being made from my PC, which is not infected.
I chose to remove what the S&D scan found. I have attached the scan log below.
I have backed up the registry with ERUNT.
DDS log is posted below.
Some other things I noticed:
She has Avast installed, but when I began investigating her computer I noticed the Avast service was disabled. I don't know why or for how long it has been disabled.
Like I said, two emails were sent from her account last night at about 9pm our time. I don't know if any more were sent. I have changed her password from my PC.
I want to be sure this has been removed, obviously. But I would also like to know where it came from, so I can hopefully prevent it from happening again. Unfortunately my mother is not one of the computer-confident, and she likes to purchase and download games from websites like iWin, which I've read can be pretty shady. I will ask her more once she gets home. I would like to know:
Where this trojan probably came from. From a game she downloaded? An advert she maybe clicked? How do these trojans usually spread?
Since this is a banker trojan, how concerned should I be about her account security? Changing passwords is obvious, but should we contact her bank about this?
Is there any way to tell how long this has been on her PC?
I apologize for the wall of text. Just wanted to give you as much info a possible. Thank you in advance for your help.
DDS LOG
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Owner at 10:35:46 on 2012-06-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.595 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Pogo Games\PGMTrusted.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gamesbar\SearchEngineProtection.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVAST Software\Avast\setup\avast.setup
C:\Program Files\HP\HP Software Update\HPWUCli.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprbUpdate.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\rbSolnUpdateENU.3.3.0.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\IXP000.TMP\rbSolnUpdate.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/?ilc=8
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/?ilc=8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3504
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3504
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: H - No File
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [SearchEngineProtection] c:\program files\gamesbar\SearchEngineProtection.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [EaseUs Watch] "c:\program files\easeus\todo backup\bin\EuWatch.exe"
mRun: [EaseUs Tray] "c:\program files\easeus\todo backup\bin\TrayNotify.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HostManager] c:\program files\common files\aol\1169342059\ee\AOLHostManager.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [Alcmtr] ALCMTR.EXE
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: pogo.com\www
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Amazing%20Adventures%20The%20Forgotten%20Dynasty/Images/stg_drm.ocx
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://clubgames.pogo.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Amazing%20Adventures%20The%20Forgotten%20Dynasty/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{4E5982B1-66C3-45B1-95D3-846EA2C6EDFE} : DhcpNameServer = 75.75.76.76 75.75.75.75
Notify: AtiExtEvent - Ati2evxx.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\116pa1lm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.pogo.iplay.com/?o=shp
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=WCL2&o=100000082&locale=en_US&apn_uid=2F3E465F-9F11-40D6-9C7B-3535F1B273AC&apn_ptnrs=^AA2&apn_sauid=8B83C6AE-37A4-41E3-A455-A65FB1DB9988&apn_dtid=^YYYYYY^YY^US&q=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\116pa1lm.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.8\npapicomadapter.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\0\NP_wtapp.dll
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2011-11-17 38920]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2011-11-17 42376]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2012-6-5 28552]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-10-22 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-10-22 337880]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-12-3 239168]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2011-11-17 16008]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2011-11-17 184072]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-10-22 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-10-22 44768]
R2 EaseUS Agent;EaseUS Agent;c:\program files\easeus\todo backup\bin\Agent.exe [2011-11-17 60552]
R2 Guard Agent;Guard Agent;c:\program files\easeus\todo backup\bin\GuardAgent.exe [2011-11-17 23176]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2011-4-8 176848]
R2 PGMTrusted;PGMTrusted;c:\program files\pogo games\PGMTrusted.exe [2012-1-4 519888]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-2 136176]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-2 136176]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-06-05 14:04:58 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2012-06-05 14:04:48 -------- d-----w- c:\program files\Panda Security
2012-06-03 01:33:08 -------- d-----w- c:\documents and settings\owner\application data\AtlanticJourney
2012-06-01 12:23:52 -------- d-----w- c:\documents and settings\owner\application data\EntwinedSoD
2012-05-31 20:40:06 -------- d-----w- c:\documents and settings\owner\application data\Amulet_of_time
2012-05-30 19:25:30 -------- d-----w- c:\documents and settings\owner\application data\EnchantedCavern2
2012-05-30 17:58:06 -------- d-----w- c:\documents and settings\owner\application data\PopCap Games
2012-05-29 22:14:21 -------- d-----w- c:\documents and settings\owner\application data\Lazy Turtle Games
2012-05-28 02:12:40 -------- d-----w- c:\documents and settings\owner\application data\Sea Legends - Phantasmal Light Strategy Guide
2012-05-28 02:11:43 -------- d-----w- c:\program files\Sea Legends - Phantasmal Light Strategy Guide
2012-05-27 22:42:35 -------- d-----w- c:\documents and settings\owner\application data\Shadow Wolf Mysteries - Bane of the Family Strategy Guide
2012-05-27 22:41:37 -------- d-----w- c:\program files\Shadow Wolf Mysteries - Bane of the Family Strategy Guide
2012-05-27 22:39:30 -------- d-----w- c:\program files\bfgclient
2012-05-27 20:38:00 -------- d-----w- c:\documents and settings\all users\application data\10tons
2012-05-26 15:32:40 -------- d-----w- c:\documents and settings\owner\application data\My Games
2012-05-24 19:33:56 -------- d-----w- c:\documents and settings\owner\application data\FBI
2012-05-20 15:43:39 -------- d-----w- c:\documents and settings\all users\application data\Nevosoft
2012-05-19 20:26:07 -------- d-----w- c:\documents and settings\owner\application data\kingdom
2012-05-17 04:44:53 -------- d-----w- c:\documents and settings\owner\application data\Column of the Maya
2012-05-17 04:16:33 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess
2012-05-15 14:04:40 -------- d-----w- c:\documents and settings\owner\application data\Publisher
2012-05-15 14:04:40 -------- d-----w- c:\documents and settings\all users\application data\Publisher
2012-05-14 18:04:00 -------- d-----w- c:\documents and settings\owner\application data\YoudaGames
2012-05-13 19:23:17 -------- d-----w- c:\documents and settings\owner\local settings\application data\CrimsonThief
2012-05-13 14:06:56 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2012-05-13 14:04:49 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2012-05-13 12:57:30 -------- d-----w- c:\documents and settings\owner\application data\DGform
2012-05-13 12:03:43 -------- d-----w- c:\documents and settings\owner\application data\Between The Worlds 2
2012-05-13 11:38:43 -------- d-----w- c:\documents and settings\owner\application data\WildTangent
2012-05-12 14:51:43 -------- d-----w- c:\program files\MumboJumbo
2012-05-11 01:46:43 -------- d-----w- c:\documents and settings\owner\application data\tabagames
.
==================== Find3M ====================
.
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10:58 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35:52 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-02 13:46:18 473 ----a-w- c:\program files\120220117461859.bat
2011-12-02 03:01:03 451 ----a-w- c:\program files\1201201121010278.bat
2011-11-29 01:12:24 468 ----a-w- c:\program files\1128201119122434.bat
2011-11-27 04:58:19 466 ----a-w- c:\program files\1126201122581934.bat
2011-11-26 18:47:12 453 ----a-w- c:\program files\1126201112471228.bat
2011-11-23 15:04:02 449 ----a-w- c:\program files\112320119040190.bat
2011-11-21 04:52:36 456 ----a-w- c:\program files\1120201122523681.bat
2011-11-21 03:22:32 473 ----a-w- c:\program files\1120201121223235.bat
2011-11-21 02:40:48 489 ----a-w- c:\program files\1120201120404829.bat
2011-11-20 16:30:42 470 ----a-w- c:\program files\1120201110304284.bat
2011-11-19 18:15:35 489 ----a-w- c:\program files\1119201112153495.bat
2011-11-18 07:03:20 482 ----a-w- c:\program files\111820111032082.bat
2011-11-16 14:29:02 475 ----a-w- c:\program files\111620118290229.bat
2011-11-16 14:17:38 488 ----a-w- c:\program files\111620118173810.bat
2011-11-14 15:39:20 469 ----a-w- c:\program files\111420119392000.bat
2011-11-14 15:08:22 473 ----a-w- c:\program files\111420119082193.bat
2011-10-14 09:58:56 460 ----a-w- c:\program files\101420114585660.bat
.
============= FINISH: 10:40:06.42 ===============
S&D LOG
--- Report generated: 2012-06-05 08:48 ---
IWinGames: [SBI $C7B64946] Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\ForseRemove
IWinGames: [SBI $8D161E83] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}
IWinGames: [SBI $FF593BF7] Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}
IWinGames: [SBI $E8B83F64] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2168448926-2180734944-1083858655-1003\Software\iWinArcade
IWinGames: [SBI $3B64B144] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\iWinArcade
IWinGames: [SBI $23600E87] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iWinArcade
IWinGames: [SBI $BBF70CC5] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\iWin Games\iWinGames.exe
IWinGames: [SBI $ED4042B7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\iWin Games\WebUpdater.exe
PlayPickle: [SBI $E2C000E6] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2168448926-2180734944-1083858655-1003\Software\AppDataLow\Software\Freecause
Banker: [SBI $EBFB4022] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}
Banker: [SBI $7F6039C1] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
Right Media: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)
DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-07-16 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2012-01-16 Includes\Adware.sbi (*)
2012-05-30 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-11-29 Includes\DialerC.sbi (*)
2012-01-31 Includes\HeavyDuty.sbi (*)
2012-05-16 Includes\Hijackers.sbi (*)
2012-05-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2012-03-13 Includes\Keyloggers.sbi (*)
2012-03-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2012-04-17 Includes\Malware.sbi (*)
2012-05-29 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2012-05-29 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-12-13 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2012-01-17 Includes\Spyware.sbi (*)
2012-05-08 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-09-28 Includes\Trojans.sbi (*)
2012-05-16 Includes\TrojansC-02.sbi (*)
2012-05-18 Includes\TrojansC-03.sbi (*)
2012-05-22 Includes\TrojansC-04.sbi (*)
2012-05-23 Includes\TrojansC-05.sbi (*)
2012-05-29 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Last night, my mother's PC sent out a couple emails from her yahoo email account. These emails were obviously not written by her, and they contained a link to a suspicious website (which I did not click). I ran an S&D scan and found that her PC was infected with a banker trojan.
First:
This post is being made from my PC, which is not infected.
I chose to remove what the S&D scan found. I have attached the scan log below.
I have backed up the registry with ERUNT.
DDS log is posted below.
Some other things I noticed:
She has Avast installed, but when I began investigating her computer I noticed the Avast service was disabled. I don't know why or for how long it has been disabled.
Like I said, two emails were sent from her account last night at about 9pm our time. I don't know if any more were sent. I have changed her password from my PC.
I want to be sure this has been removed, obviously. But I would also like to know where it came from, so I can hopefully prevent it from happening again. Unfortunately my mother is not one of the computer-confident, and she likes to purchase and download games from websites like iWin, which I've read can be pretty shady. I will ask her more once she gets home. I would like to know:
Where this trojan probably came from. From a game she downloaded? An advert she maybe clicked? How do these trojans usually spread?
Since this is a banker trojan, how concerned should I be about her account security? Changing passwords is obvious, but should we contact her bank about this?
Is there any way to tell how long this has been on her PC?
I apologize for the wall of text. Just wanted to give you as much info a possible. Thank you in advance for your help.
DDS LOG
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Owner at 10:35:46 on 2012-06-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.595 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Pogo Games\PGMTrusted.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gamesbar\SearchEngineProtection.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVAST Software\Avast\setup\avast.setup
C:\Program Files\HP\HP Software Update\HPWUCli.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprbUpdate.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\rbSolnUpdateENU.3.3.0.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\IXP000.TMP\rbSolnUpdate.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/?ilc=8
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/?ilc=8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3504
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3504
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: H - No File
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [SearchEngineProtection] c:\program files\gamesbar\SearchEngineProtection.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [EaseUs Watch] "c:\program files\easeus\todo backup\bin\EuWatch.exe"
mRun: [EaseUs Tray] "c:\program files\easeus\todo backup\bin\TrayNotify.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HostManager] c:\program files\common files\aol\1169342059\ee\AOLHostManager.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [Alcmtr] ALCMTR.EXE
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: pogo.com\www
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Amazing%20Adventures%20The%20Forgotten%20Dynasty/Images/stg_drm.ocx
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://clubgames.pogo.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Amazing%20Adventures%20The%20Forgotten%20Dynasty/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{4E5982B1-66C3-45B1-95D3-846EA2C6EDFE} : DhcpNameServer = 75.75.76.76 75.75.75.75
Notify: AtiExtEvent - Ati2evxx.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\116pa1lm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.pogo.iplay.com/?o=shp
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=WCL2&o=100000082&locale=en_US&apn_uid=2F3E465F-9F11-40D6-9C7B-3535F1B273AC&apn_ptnrs=^AA2&apn_sauid=8B83C6AE-37A4-41E3-A455-A65FB1DB9988&apn_dtid=^YYYYYY^YY^US&q=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\116pa1lm.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.8\npapicomadapter.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\0\NP_wtapp.dll
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2011-11-17 38920]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2011-11-17 42376]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2012-6-5 28552]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-10-22 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-10-22 337880]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-12-3 239168]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2011-11-17 16008]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2011-11-17 184072]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-10-22 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-10-22 44768]
R2 EaseUS Agent;EaseUS Agent;c:\program files\easeus\todo backup\bin\Agent.exe [2011-11-17 60552]
R2 Guard Agent;Guard Agent;c:\program files\easeus\todo backup\bin\GuardAgent.exe [2011-11-17 23176]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2011-4-8 176848]
R2 PGMTrusted;PGMTrusted;c:\program files\pogo games\PGMTrusted.exe [2012-1-4 519888]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-2 136176]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-2 136176]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-06-05 14:04:58 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2012-06-05 14:04:48 -------- d-----w- c:\program files\Panda Security
2012-06-03 01:33:08 -------- d-----w- c:\documents and settings\owner\application data\AtlanticJourney
2012-06-01 12:23:52 -------- d-----w- c:\documents and settings\owner\application data\EntwinedSoD
2012-05-31 20:40:06 -------- d-----w- c:\documents and settings\owner\application data\Amulet_of_time
2012-05-30 19:25:30 -------- d-----w- c:\documents and settings\owner\application data\EnchantedCavern2
2012-05-30 17:58:06 -------- d-----w- c:\documents and settings\owner\application data\PopCap Games
2012-05-29 22:14:21 -------- d-----w- c:\documents and settings\owner\application data\Lazy Turtle Games
2012-05-28 02:12:40 -------- d-----w- c:\documents and settings\owner\application data\Sea Legends - Phantasmal Light Strategy Guide
2012-05-28 02:11:43 -------- d-----w- c:\program files\Sea Legends - Phantasmal Light Strategy Guide
2012-05-27 22:42:35 -------- d-----w- c:\documents and settings\owner\application data\Shadow Wolf Mysteries - Bane of the Family Strategy Guide
2012-05-27 22:41:37 -------- d-----w- c:\program files\Shadow Wolf Mysteries - Bane of the Family Strategy Guide
2012-05-27 22:39:30 -------- d-----w- c:\program files\bfgclient
2012-05-27 20:38:00 -------- d-----w- c:\documents and settings\all users\application data\10tons
2012-05-26 15:32:40 -------- d-----w- c:\documents and settings\owner\application data\My Games
2012-05-24 19:33:56 -------- d-----w- c:\documents and settings\owner\application data\FBI
2012-05-20 15:43:39 -------- d-----w- c:\documents and settings\all users\application data\Nevosoft
2012-05-19 20:26:07 -------- d-----w- c:\documents and settings\owner\application data\kingdom
2012-05-17 04:44:53 -------- d-----w- c:\documents and settings\owner\application data\Column of the Maya
2012-05-17 04:16:33 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess
2012-05-15 14:04:40 -------- d-----w- c:\documents and settings\owner\application data\Publisher
2012-05-15 14:04:40 -------- d-----w- c:\documents and settings\all users\application data\Publisher
2012-05-14 18:04:00 -------- d-----w- c:\documents and settings\owner\application data\YoudaGames
2012-05-13 19:23:17 -------- d-----w- c:\documents and settings\owner\local settings\application data\CrimsonThief
2012-05-13 14:06:56 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2012-05-13 14:04:49 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2012-05-13 12:57:30 -------- d-----w- c:\documents and settings\owner\application data\DGform
2012-05-13 12:03:43 -------- d-----w- c:\documents and settings\owner\application data\Between The Worlds 2
2012-05-13 11:38:43 -------- d-----w- c:\documents and settings\owner\application data\WildTangent
2012-05-12 14:51:43 -------- d-----w- c:\program files\MumboJumbo
2012-05-11 01:46:43 -------- d-----w- c:\documents and settings\owner\application data\tabagames
.
==================== Find3M ====================
.
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10:58 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35:52 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-02 13:46:18 473 ----a-w- c:\program files\120220117461859.bat
2011-12-02 03:01:03 451 ----a-w- c:\program files\1201201121010278.bat
2011-11-29 01:12:24 468 ----a-w- c:\program files\1128201119122434.bat
2011-11-27 04:58:19 466 ----a-w- c:\program files\1126201122581934.bat
2011-11-26 18:47:12 453 ----a-w- c:\program files\1126201112471228.bat
2011-11-23 15:04:02 449 ----a-w- c:\program files\112320119040190.bat
2011-11-21 04:52:36 456 ----a-w- c:\program files\1120201122523681.bat
2011-11-21 03:22:32 473 ----a-w- c:\program files\1120201121223235.bat
2011-11-21 02:40:48 489 ----a-w- c:\program files\1120201120404829.bat
2011-11-20 16:30:42 470 ----a-w- c:\program files\1120201110304284.bat
2011-11-19 18:15:35 489 ----a-w- c:\program files\1119201112153495.bat
2011-11-18 07:03:20 482 ----a-w- c:\program files\111820111032082.bat
2011-11-16 14:29:02 475 ----a-w- c:\program files\111620118290229.bat
2011-11-16 14:17:38 488 ----a-w- c:\program files\111620118173810.bat
2011-11-14 15:39:20 469 ----a-w- c:\program files\111420119392000.bat
2011-11-14 15:08:22 473 ----a-w- c:\program files\111420119082193.bat
2011-10-14 09:58:56 460 ----a-w- c:\program files\101420114585660.bat
.
============= FINISH: 10:40:06.42 ===============
S&D LOG
--- Report generated: 2012-06-05 08:48 ---
IWinGames: [SBI $C7B64946] Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\ForseRemove
IWinGames: [SBI $8D161E83] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}
IWinGames: [SBI $FF593BF7] Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{495874FE-4A82-4AD1-9476-0B957E0B95EB}
IWinGames: [SBI $E8B83F64] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2168448926-2180734944-1083858655-1003\Software\iWinArcade
IWinGames: [SBI $3B64B144] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\iWinArcade
IWinGames: [SBI $23600E87] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iWinArcade
IWinGames: [SBI $BBF70CC5] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\iWin Games\iWinGames.exe
IWinGames: [SBI $ED4042B7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\iWin Games\WebUpdater.exe
PlayPickle: [SBI $E2C000E6] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2168448926-2180734944-1083858655-1003\Software\AppDataLow\Software\Freecause
Banker: [SBI $EBFB4022] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}
Banker: [SBI $7F6039C1] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
Right Media: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)
DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-07-16 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2012-01-16 Includes\Adware.sbi (*)
2012-05-30 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-11-29 Includes\DialerC.sbi (*)
2012-01-31 Includes\HeavyDuty.sbi (*)
2012-05-16 Includes\Hijackers.sbi (*)
2012-05-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2012-03-13 Includes\Keyloggers.sbi (*)
2012-03-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2012-04-17 Includes\Malware.sbi (*)
2012-05-29 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2012-05-29 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-12-13 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2012-01-17 Includes\Spyware.sbi (*)
2012-05-08 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-09-28 Includes\Trojans.sbi (*)
2012-05-16 Includes\TrojansC-02.sbi (*)
2012-05-18 Includes\TrojansC-03.sbi (*)
2012-05-22 Includes\TrojansC-04.sbi (*)
2012-05-23 Includes\TrojansC-05.sbi (*)
2012-05-29 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll