Page 6 of 6 FirstFirst ... 23456
Results 51 to 60 of 60

Thread: Dymanet problem here are the dds and attach files

  1. #51
    Member
    Join Date
    Apr 2011
    Posts
    34

    Default Here is the log file

    Hi Blade81,

    Below is the log file from Combofix.

    ================================

    ComboFix 11-05-19.02 - Linda Patrick 05/21/2011 6:03.8.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.384 [GMT -7:00]
    Running from: c:\documents and settings\Linda Patrick\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Linda Patrick\Desktop\CFScript.txt
    AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    FILE ::
    "c:\windows\system32\bdfd40ad-640e-8168-79bb-e3d3eb7a9f9d.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Linda Patrick\Local Settings\Temporary Internet Files\7871ef18-be0f-7035-dd3f-223fd9661f5e
    E:\autorun.inf
    c:\windows\Fonts\ALGERIA.TTF . . . . Failed to delete
    c:\windows\Fonts\ANIM____.TTF . . . . Failed to delete
    c:\windows\Fonts\Anncrawl.ttf . . . . Failed to delete
    c:\windows\Fonts\bp-anim.ttf . . . . Failed to delete
    c:\windows\Fonts\Butterfl.ttf . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_Senfppyelc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-19 13:42 . 2011-05-19 13:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-14 01:46 . 2011-05-14 01:46 -------- d-----w- c:\documents and settings\Linda Patrick\Application Data\Foxit Software
    2011-05-12 03:11 . 2011-05-12 03:11 -------- d-----w- c:\program files\ESET
    2011-05-12 02:38 . 2011-05-12 02:37 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-05-12 02:38 . 2011-05-12 02:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-02 19:35 . 2011-05-02 19:37 -------- d-----w- c:\program files\Easy Click Commissions
    2011-05-02 19:35 . 2011-05-02 19:37 -------- d-----w- c:\documents and settings\Linda Patrick\Application Data\Easy Click Commissions
    2011-04-30 23:44 . 2011-04-30 23:44 -------- d-----w- c:\program files\ERUNT
    2011-04-28 00:36 . 2011-04-28 00:37 -------- d-----w- c:\program files\Microsoft Speech SDK 5.1
    2011-04-28 00:26 . 2011-04-28 00:26 -------- d-----w- c:\program files\e-Speaking
    2011-04-22 07:40 . 2011-04-22 07:40 -------- d-----w- c:\documents and settings\Linda Patrick\Local Settings\Application Data\Symantec
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-12 02:37 . 2007-04-26 13:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-05 23:38 . 2011-03-05 23:38 125918 ----a-w- c:\windows\system32\bdfd40ad-640e-8168-79bb-e3d3eb7a9f9d.exe
    2011-02-24 00:04 . 2011-04-11 15:22 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2011-02-23 23:54 . 2011-04-11 15:22 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2007-08-25 03:52 . 2008-02-18 19:08 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
    "Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
    "NortonUpdateAgent"="c:\documents and settings\All Users\Application Data\Norton\NUA.exe" [2011-04-05 2692024]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-13 126976]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-13 155648]
    "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-02 160328]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0lsdelete
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 4.0.lnk]
    backup=c:\windows\pss\eFax DllCmd 4.0.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk]
    backup=c:\windows\pss\eFax Tray Menu 4.0.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
    backup=c:\windows\pss\PalTalk.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Linda Patrick^Start Menu^Programs^Startup^eFax 4.4.lnk]
    path=c:\documents and settings\Linda Patrick\Start Menu\Programs\Startup\eFax 4.4.lnk
    backup=c:\windows\pss\eFax 4.4.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2005-04-11 22:21 794624 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
    2010-08-19 23:23 3069192 ----a-w- c:\program files\TechSmith\Jing\Jing.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2005-09-24 22:46 20480 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 20:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    2007-06-07 20:08 4670968 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "EarthLinkMonitor"=2 (0x2)
    "ERSvc"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "QBFCService"=3 (0x3)
    "Netlogon"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "hpqwmi"=3 (0x3)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\documents and settings\Linda Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "eabconfg.cpl"=c:\program files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\CoffeeCup Software\\CoffeeCup Free FTP\\FreeFTP.exe"=
    "c:\\Documents and Settings\\Linda Patrick\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Documents and Settings\\Linda Patrick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/1/2009 10:09 AM 64288]
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/11/2011 8:22 AM 13496]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [2/12/2011 12:41 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [2/12/2011 12:41 AM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [5/18/2011 6:38 PM 802936]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [2/12/2011 12:41 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [2/12/2011 12:41 AM 116784]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 12:25 PM 189736]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [2/12/2011 12:40 AM 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/11/2011 1:11 PM 105592]
    S0 TfFsMon;TfFsMon; [x]
    S0 TFSysMon;TfSysMon; [x]
    S2 gupdate1c9d4a4c1329514;Google Update Service (gupdate1c9d4a4c1329514);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 8:00 AM 133104]
    S3 BW2NDIS5;BW2NDIS5; [x]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 8:00 AM 133104]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20110518.001\IDSXpx86.sys [5/18/2011 6:39 PM 341944]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; [x]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver; [x]
    S3 RegKernelHelp;RegKernelHelp; [x]
    S3 TfNetMon;TfNetMon; [x]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    tapisrv REG_MULTI_SZ Tapisrv
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 15:00]
    .
    2011-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 15:00]
    .
    2011-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075307622-3171654227-2039206519-1006Core.job
    - c:\documents and settings\Linda Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-05 00:47]
    .
    2011-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075307622-3171654227-2039206519-1006UA.job
    - c:\documents and settings\Linda Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-05 00:47]
    .
    2011-03-29 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
    - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-11 09:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    Handler: safeprint - {159A8CC0-E15B-11D3-A0FC-0050047FA13D} - c:\program files\SafePublish\sp.dll
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {4EC69696-0E77-4043-AB29-6103776A697E} - hxxp://www.snap.com/downloads/SnapVisualSearch_19.exe
    FF - ProfilePath - c:\documents and settings\Linda Patrick\Application Data\Mozilla\Firefox\Profiles\47muxjb6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ffsc&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: z: {64620e81-b27a-ff43-0ef1-d9818183f5ce} - c:\program files\Mozilla Firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
    FF - Ext: Shareaholic: firefox-extension@shareaholic.com - %profile%\extensions\firefox-extension@shareaholic.com
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    FF - Ext: WiseStamp: wisestamp@wisestamp.com - %profile%\extensions\wisestamp@wisestamp.com
    FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Evernote Web Clipper: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - %profile%\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
    FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
    FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn
    FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-21 07:46
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.application.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.xaml\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xaml.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xbap.1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(768)
    c:\windows\system32\COMRes.dll
    .
    - - - - - - - > 'explorer.exe'(1908)
    c:\windows\system32\WININET.dll
    c:\windows\system32\logishrd\LVPrcInj01.dll
    c:\program files\Logitech\MouseWare\System\LgWndHk.dll
    c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    c:\program files\Windows Media Player\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\system32\astsrv.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Norton 360\Engine\4.3.0.5\hsplayer.exe
    c:\program files\Logitech\MouseWare\system\em_exec.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-21 08:01:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-21 15:01
    ComboFix2.txt 2011-05-21 03:44
    ComboFix3.txt 2011-05-12 20:34
    ComboFix4.txt 2011-05-12 02:05
    ComboFix5.txt 2011-05-21 13:00
    .
    Pre-Run: 19,221,106,688 bytes free
    Post-Run: 19,416,690,688 bytes free
    .
    - - End Of File - - 5DCBB80460E43377AEE46494D42EFFB2

  2. #52
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Folder::
    c:\program files\mozilla firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #53
    Member
    Join Date
    Apr 2011
    Posts
    34

    Default log file

    Hi Blade81,

    Here is the log file:


    ComboFix 11-05-19.02 - Linda Patrick 05/22/2011 5:29.9.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.455 [GMT -7:00]
    Running from: c:\documents and settings\Linda Patrick\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Linda Patrick\Desktop\CFScript.txt
    AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\mozilla firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}
    c:\program files\mozilla firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}\chrome.manifest
    c:\program files\mozilla firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}\components\b4901fd7-7a79-3090-a1f6-cbe8f69edf21.dll
    c:\program files\mozilla firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}\install.rdf
    E:\autorun.inf
    c:\windows\Fonts\ALGERIA.TTF . . . . Failed to delete
    c:\windows\Fonts\ANIM____.TTF . . . . Failed to delete
    c:\windows\Fonts\Anncrawl.ttf . . . . Failed to delete
    c:\windows\Fonts\bp-anim.ttf . . . . Failed to delete
    c:\windows\Fonts\Butterfl.ttf . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-19 13:42 . 2011-05-19 13:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-14 01:46 . 2011-05-14 01:46 -------- d-----w- c:\documents and settings\Linda Patrick\Application Data\Foxit Software
    2011-05-12 03:11 . 2011-05-12 03:11 -------- d-----w- c:\program files\ESET
    2011-05-12 02:38 . 2011-05-12 02:37 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-05-12 02:38 . 2011-05-12 02:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-02 19:35 . 2011-05-02 19:37 -------- d-----w- c:\program files\Easy Click Commissions
    2011-05-02 19:35 . 2011-05-02 19:37 -------- d-----w- c:\documents and settings\Linda Patrick\Application Data\Easy Click Commissions
    2011-04-30 23:44 . 2011-04-30 23:44 -------- d-----w- c:\program files\ERUNT
    2011-04-28 00:36 . 2011-04-28 00:37 -------- d-----w- c:\program files\Microsoft Speech SDK 5.1
    2011-04-28 00:26 . 2011-04-28 00:26 -------- d-----w- c:\program files\e-Speaking
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-12 02:37 . 2007-04-26 13:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-05 23:38 . 2011-03-05 23:38 125918 ----a-w- c:\windows\system32\bdfd40ad-640e-8168-79bb-e3d3eb7a9f9d.exe
    2011-02-24 00:04 . 2011-04-11 15:22 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2011-02-23 23:54 . 2011-04-11 15:22 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2007-08-25 03:52 . 2008-02-18 19:08 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
    "Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
    "NortonUpdateAgent"="c:\documents and settings\All Users\Application Data\Norton\NUA.exe" [2011-04-05 2692024]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-13 126976]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-13 155648]
    "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-02 160328]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0lsdelete
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 4.0.lnk]
    backup=c:\windows\pss\eFax DllCmd 4.0.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk]
    backup=c:\windows\pss\eFax Tray Menu 4.0.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
    backup=c:\windows\pss\PalTalk.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Linda Patrick^Start Menu^Programs^Startup^eFax 4.4.lnk]
    path=c:\documents and settings\Linda Patrick\Start Menu\Programs\Startup\eFax 4.4.lnk
    backup=c:\windows\pss\eFax 4.4.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2005-04-11 22:21 794624 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
    2010-08-19 23:23 3069192 ----a-w- c:\program files\TechSmith\Jing\Jing.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2005-09-24 22:46 20480 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 20:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    2007-06-07 20:08 4670968 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "EarthLinkMonitor"=2 (0x2)
    "ERSvc"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "QBFCService"=3 (0x3)
    "Netlogon"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "hpqwmi"=3 (0x3)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\documents and settings\Linda Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "eabconfg.cpl"=c:\program files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\CoffeeCup Software\\CoffeeCup Free FTP\\FreeFTP.exe"=
    "c:\\Documents and Settings\\Linda Patrick\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Documents and Settings\\Linda Patrick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/1/2009 10:09 AM 64288]
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/11/2011 8:22 AM 13496]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [2/12/2011 12:41 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [2/12/2011 12:41 AM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [5/18/2011 6:38 PM 802936]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [2/12/2011 12:41 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [2/12/2011 12:41 AM 116784]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 12:25 PM 189736]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [2/12/2011 12:40 AM 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/11/2011 1:11 PM 105592]
    S0 TfFsMon;TfFsMon; [x]
    S0 TFSysMon;TfSysMon; [x]
    S2 gupdate1c9d4a4c1329514;Google Update Service (gupdate1c9d4a4c1329514);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 8:00 AM 133104]
    S3 BW2NDIS5;BW2NDIS5; [x]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 8:00 AM 133104]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20110518.001\IDSXpx86.sys [5/18/2011 6:39 PM 341944]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; [x]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver; [x]
    S3 RegKernelHelp;RegKernelHelp; [x]
    S3 TfNetMon;TfNetMon; [x]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    tapisrv REG_MULTI_SZ Tapisrv
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 15:00]
    .
    2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 15:00]
    .
    2011-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075307622-3171654227-2039206519-1006Core.job
    - c:\documents and settings\Linda Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-05 00:47]
    .
    2011-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075307622-3171654227-2039206519-1006UA.job
    - c:\documents and settings\Linda Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-05 00:47]
    .
    2011-03-29 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
    - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-11 09:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    Handler: safeprint - {159A8CC0-E15B-11D3-A0FC-0050047FA13D} - c:\program files\SafePublish\sp.dll
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {4EC69696-0E77-4043-AB29-6103776A697E} - hxxp://www.snap.com/downloads/SnapVisualSearch_19.exe
    FF - ProfilePath - c:\documents and settings\Linda Patrick\Application Data\Mozilla\Firefox\Profiles\47muxjb6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ffsc&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
    FF - Ext: Shareaholic: firefox-extension@shareaholic.com - %profile%\extensions\firefox-extension@shareaholic.com
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    FF - Ext: WiseStamp: wisestamp@wisestamp.com - %profile%\extensions\wisestamp@wisestamp.com
    FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Evernote Web Clipper: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - %profile%\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
    FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
    FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn
    FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-22 07:08
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.application.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.xaml\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xaml.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xbap.1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3288)
    c:\windows\system32\WININET.dll
    c:\windows\system32\logishrd\LVPrcInj01.dll
    c:\program files\Logitech\MouseWare\System\LgWndHk.dll
    c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    c:\program files\Windows Media Player\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\system32\astsrv.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Logitech\MouseWare\system\em_exec.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-22 07:24:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-22 14:24
    ComboFix2.txt 2011-05-21 15:01
    ComboFix3.txt 2011-05-21 03:44
    ComboFix4.txt 2011-05-12 20:34
    ComboFix5.txt 2011-05-22 12:27
    .
    Pre-Run: 19,343,970,304 bytes free
    Post-Run: 19,321,552,896 bytes free
    .
    - - End Of File - - 378E9F052547E73F08748C48EA6647E6

  4. #54
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Please post fresh dds logs. Still any symptoms left?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #55
    Member
    Join Date
    Apr 2011
    Posts
    34

    Smile Thank you THANK YOU!!!!

    Hi Blade81,

    YOU ROCK!!!!!!

    The malware is all gone. What a relief. Thanks for your volunteerism for Spybot. Next paycheck donation to Sypbot.

    Thanks again,

    Linda in CA

  6. #56
    Member
    Join Date
    Apr 2011
    Posts
    34

    Default final dds file

    HI Blade81,

    I was so excited I didn't read your email completely.Below is the dds file and the attach file.
    I think you can label this one SOLVED.

    Thanks!
    --------------------

    .
    DDS (Ver_11-05-19.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
    Run by Linda Patrick at 14:20:08 on 2011-05-22
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.249 [GMT -7:00]
    .
    AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Disabled*
    .
    ============== Running Processes ===============
    .
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k DComLaunch
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\astsrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe -k tapisrv
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Documents and Settings\All Users\Application Data\Norton\NUA.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Siber Systems\GoodSync\GoodSync.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe
    C:\Program Files\NoteTab Light\NoteTab.exe
    C:\Documents and Settings\Linda Patrick\Desktop\dds.scr
    C:\WINDOWS\system32\WSCRIPT.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
    BHO: $$F2E08-6F39-479a-B547-B2026E4C7EDF} - No File
    BHO: H$$07962-6F74-2D53-2644-206D7942484F} - No File
    BHO: rsion - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
    BHO: ¨$¨$1-6A23-4246-8691-C9244E858967} - No File
    BHO: Ø$Ø$8-01DD-4d91-8333-CF10577473F7} - No File
    BHO: ø$$J - No File
    BHO: ˜$$B4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
    EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
    EB: Search panel: {a7188ffc-a7fa-e1fb-5bc9-2a5c4ca21148} - c:\windows\system32\ntqmlesiytmavwobq.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
    uRun: [NortonUpdateAgent] c:\documents and settings\all users\application data\norton\NUA.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [Logitech Utility] Logi_MwX.Exe
    mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
    IE: Add to &Evernote - c:\program files\evernote\evernote3.5\enbar.dll/2000
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mythic%20Mahjong/Images/stg_drm.ocx
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {4EC69696-0E77-4043-AB29-6103776A697E} - hxxp://www.snap.com/downloads/SnapVisualSearch_19.exe
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267220923593
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267220909359
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} - hxxps://www.jiwire.com/activeX/wlaninfo.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: safeprint - {159A8CC0-E15B-11D3-A0FC-0050047FA13D} - c:\program files\safepublish\sp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\linda patrick\application data\mozilla\firefox\profiles\47muxjb6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ffsc&p=
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\ipsffplgn\components\IPSFFPl.dll
    FF - component: c:\documents and settings\linda patrick\application data\mozilla\firefox\profiles\47muxjb6.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
    FF - component: c:\documents and settings\linda patrick\application data\mozilla\firefox\profiles\47muxjb6.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar.dll
    FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
    FF - plugin: c:\documents and settings\linda patrick\application data\mozilla\firefox\profiles\47muxjb6.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
    FF - plugin: c:\documents and settings\linda patrick\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\linda patrick\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\linda patrick\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\documents and settings\linda patrick\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
    FF - Ext: Shareaholic: firefox-extension@shareaholic.com - %profile%\extensions\firefox-extension@shareaholic.com
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    FF - Ext: WiseStamp: wisestamp@wisestamp.com - %profile%\extensions\wisestamp@wisestamp.com
    FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Evernote Web Clipper: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - %profile%\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
    FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
    FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\IPSFFPlgn
    FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\coFFPlgn
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-1 64288]
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-11 13496]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2011-2-12 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2011-2-12 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20110518.001\BHDrvx86.sys [2011-5-18 802936]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2011-2-12 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2011-2-12 116784]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-12-18 189736]
    R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2011-2-12 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-11 105592]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20110522.002\NAVENG.SYS [2011-5-22 86008]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20110522.002\NAVEX15.SYS [2011-5-22 1542392]
    S0 TfFsMon;TfFsMon; [x]
    S0 TFSysMon;TfSysMon; [x]
    S2 gupdate1c9d4a4c1329514;Google Update Service (gupdate1c9d4a4c1329514);c:\program files\google\update\GoogleUpdate.exe [2009-5-14 133104]
    S3 BW2NDIS5;BW2NDIS5; [x]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-14 133104]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20110518.001\IDSXpx86.sys [2011-5-18 341944]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; [x]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver; [x]
    S3 RegKernelHelp;RegKernelHelp; [x]
    S3 TfNetMon;TfNetMon; [x]
    .
    =============== Created Last 30 ================
    .
    2011-05-19 13:42:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-14 01:46:05 -------- d-----w- c:\documents and settings\linda patrick\application data\Foxit Software
    2011-05-12 03:11:25 -------- d-----w- c:\program files\ESET
    2011-05-12 02:38:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-12 02:38:00 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-05-11 21:23:06 98816 ----a-w- c:\windows\sed.exe
    2011-05-11 21:23:06 89088 ----a-w- c:\windows\MBR.exe
    2011-05-11 21:23:06 256512 ----a-w- c:\windows\PEV.exe
    2011-05-11 21:23:06 161792 ----a-w- c:\windows\SWREG.exe
    2011-05-02 19:35:31 -------- d-----w- c:\program files\Easy Click Commissions
    2011-05-02 19:35:31 -------- d-----w- c:\documents and settings\linda patrick\application data\Easy Click Commissions
    2011-04-28 00:36:59 -------- d-----w- c:\program files\Microsoft Speech SDK 5.1
    2011-04-28 00:26:37 -------- d-----w- c:\program files\e-Speaking
    .
    ==================== Find3M ====================
    .
    2011-05-12 02:37:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-05 23:38:40 125918 ----a-w- c:\windows\system32\bdfd40ad-640e-8168-79bb-e3d3eb7a9f9d.exe
    2011-02-24 00:04:32 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2011-02-23 23:54:12 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    .
    ============= FINISH: 14:25:09.81 ===============

  7. #57
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    You're welcome

    It's time to secure your system to prevent against further intrusions.


    THESE STEPS ARE VERY IMPORTANT

    Let's reset system restore
    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    NOTE: only do this ONCE,NOT on a regular basis


    Now lets uninstall ComboFix:
    • Click START then RUN
    • Now copy-paste Combofix /uninstall in the runbox and click OK



    UPDATING WINDOWS AND INTERNET EXPLORER

    IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

    If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


    Make your Internet Explorer more secure

    This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialize and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


    Download and run Secunia Personal Software Inspector (PSI) and fix its findings.


    Just a final reminder for you. I am trying to stress these two points.
    UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
    Make sure all of your security programs are up to date.
    Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


    Once again, please post and tell me how things are going with your system... problems etc.

    Have a great day,
    Blade
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  8. #58
    Member
    Join Date
    Apr 2011
    Posts
    34

    Default Update

    Hi Blade81,

    I Reset and Re-enabled my System Restore and uninstalled ComboFix. I have also begun to do the Secundia updates. That will take a while and I want to do the XP Service pack 3 update.

    Thanks for the neat Secundia software update tool. It is very useful.

    Thanks again for all your help.

    Linda

  9. #59
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    You're welcome
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  10. #60
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

    Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

    If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •