
DWHB8A6.tmp was found by Symantec

Discussion in 'Virus & Other Malware Removal' started by cromaczs07, Apr 20, 2010.

  1. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    Symantec has popped up 281 times in 2 hours, declaring an infection. Some are successfully quarantined. Some are not.
    I'm now afraid to use my personal laptop; I'm not sure what's in this desktop.

    I initially scanned it with MBAM's quick scan, but it did not find anything.
    Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:39:54 PM, on 4/20/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
    C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Symantec AntiVirus\SmcGui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\USB Disk Security\USBGuard.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Documents and Settings\mambaltazar\Start Menu\Programs\Startup\PopChat.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\DWHWizrd.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Symantec AntiVirus\SavUI.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ph.yahoo.com/?fr=fp-yie8
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/security_response/index.jsp
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKLM\..\Policies\Explorer\Run: [] 
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: PopChat.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = philrice.local
    O17 - HKLM\Software\..\Telephony: DomainName = philrice.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = philrice.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = philrice.local
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = philrice.local
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = philrice.local
    O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = philrice.local
    O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = philrice.local
    O17 - HKLM\System\CS8\Services\Tcpip\Parameters: Domain = philrice.local
    O17 - HKLM\System\CS9\Services\Tcpip\Parameters: Domain = philrice.local
    O17 - HKLM\System\CS10\Services\Tcpip\Parameters: Domain = philrice.local
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
    O23 - Service: Autorun CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 8968 bytes
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,919
    First Name:
    Karen
    Please visit Combofix Guide & Instructions for instructions on installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  3. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    Thank you Cookiegal!

    Here is my combofix log.

    ComboFix 10-04-19.08 - mambaltazar 04/21/2010 9:56.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.230 [GMT 8:00]
    Running from: c:\documents and settings\mambaltazar\Desktop\puppy.exe
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Marco\Application Data\AD ON Multimedia
    c:\documents and settings\Marco\Application Data\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe
    c:\windows\eSellerateEngine.dll
    c:\windows\Fonts\Graphic1.ttf
    c:\windows\system32\nsprs.dll
    c:\windows\system32\ssprs.dll
    c:\windows\system32\VB6KO.DLL
    c:\windows\system32\win.ini

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
    .

    2010-04-20 13:15 . 2009-06-30 01:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-04-20 13:13 . 2010-04-20 13:13 -------- d-----w- c:\program files\Panda Security
    2010-03-31 03:41 . 2010-03-31 03:42 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\ColorCop
    2010-03-31 03:41 . 2010-03-31 03:41 -------- d-----w- c:\program files\Color_Cop

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-21 00:54 . 2009-04-01 05:57 -------- d-----w- c:\program files\Symantec AntiVirus
    2010-04-20 09:29 . 2009-02-05 10:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-20 09:29 . 2009-08-24 03:10 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-04-13 05:04 . 2008-10-10 10:30 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
    2010-03-30 06:20 . 2008-08-22 01:34 3452 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-03-30 06:20 . 2008-08-26 09:02 95240 ----a-w- c:\documents and settings\mambaltazar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-29 16:46 . 2009-02-05 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-29 16:45 . 2009-02-05 10:09 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-29 03:40 . 2008-12-03 02:38 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\VSO
    2010-03-26 00:33 . 2009-07-09 01:10 -------- d-----w- c:\program files\McAfee
    2010-03-17 03:45 . 2010-03-17 03:45 -------- d-----w- c:\program files\DC-Unlocker
    2010-03-17 03:35 . 2009-06-22 05:14 -------- d-----w- c:\program files\Smart Bro
    2010-02-24 15:13 . 2009-06-22 14:31 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\Skype
    2010-02-24 14:12 . 2009-06-29 05:51 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\skypePM
    2010-02-19 06:46 . 2010-02-19 06:46 355584 ----a-w- c:\windows\system32\TuneUpDefragService.exe
    2010-02-18 00:47 . 2009-09-23 02:35 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 149040]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-03-01 577536]
    "VTTimer"="VTTimer.exe" [2005-03-07 53248]
    "VTTrayp"="VTtrayp.exe" [2005-10-31 163840]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-23 115560]
    "USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2009-09-23 815104]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

    c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
    PopChat.exe [1999-1-30 594432]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firefox Preloader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Firefox Preloader.lnk
    backup=c:\windows\pss\Firefox Preloader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Connection Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Connection Manager.lnk
    backup=c:\windows\pss\Pathfinder Office Connection Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Project Changer.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Project Changer.lnk
    backup=c:\windows\pss\Pathfinder Office Project Changer.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=c:\windows\pss\HotSync Manager.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^PopChat.INI]
    path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\PopChat.INI
    backup=c:\windows\pss\PopChat.INIStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PFO Check Settings

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-04-24 06:25 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2006-10-26 16:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2005-08-11 08:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-08-11 08:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2009-11-10 07:39 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-15 13:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 08:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-06-02 03:56 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    2005-10-26 09:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-03-08 21:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
    2005-03-07 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTtrayp]
    2005-10-31 20:15 163840 ----a-r- c:\windows\system32\VTTrayp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "i:\\Warcraft\\Warcraft III.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dllhost.exe"=
    "i:\\Software Installers\\PFO_251 (E)\\SETUP.EXE"=
    "c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\GPLOAD.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8979:TCP"= 8979:TCP:hmgkmr

    R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 467968]
    R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [2009-10-10 81920]
    R2 BulkUsb;Genius ColorPage USB Scanner;c:\windows\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    R2 qmlcacmjs;Update Security;c:\windows\system32\svchost.exe [2008-04-13 14336]
    R2 uabjbcajd;Monitor Windows;c:\windows\system32\svchost.exe [2008-04-13 14336]
    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-09-23 23888]
    R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2008-12-30 102656]
    R3 TrmbTS;TrmbTS;c:\windows\system32\Drivers\TrmbTS.sys [2007-04-23 29184]
    R3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\system32\drivers\TRMUSB5K.sys [2000-06-19 9881]
    R4 Lbcloomrasto;Lbcloomrasto;c:\windows\system32\drivers\mbam.sys [2010-03-29 20824]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-23 93320]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-24 102448]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PAVBOOT

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2008-04-13 21:41 99840 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-21 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 01:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp
    uSearchAssistant =
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\mambaltazar\Application Data\Mozilla\Firefox\Profiles\n2xz6x1u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\documents and settings\mambaltazar\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-NavLogon - (no file)
    SafeBoot-Wdf01000.sys
    SafeBoot-Symantec Antvirus
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    AddRemove-numpy-py2.5 - c:\python25\Removenumpy.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-21 10:05
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet009\Services\qmlcacmjs]
    "ServiceDll"="c:\windows\system32\goccra.dll"
    .
    Completion time: 2010-04-21 10:10:54
    ComboFix-quarantined-files.txt 2010-04-21 02:10

    Pre-Run: 6,097,772,544 bytes free
    Post-Run: 6,092,247,040 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
    - - End Of File - - D5D7090A1931DDE970B319B85B382365
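The ComboFix log above lists two services (`qmlcacmjs` and `uabjbcajd`) whose image is svchost.exe and whose display names ("Update Security", "Monitor Windows") bear no relation to their service names, a ServiceDll key for one of them pointing at goccra.dll, and a globally opened firewall port (8979/TCP, label hmgkmr). As an added example that is not part of this thread and not ComboFix's own code, the Python script below parses lines in the format ComboFix prints and flags those patterns for a human to check. The sample lines are constructed to mirror the log above, and the heuristics (svchost-hosted service, service name unrelated to display name, any globally open port) are this example's own assumptions, not a verdict on the files named.

```python
"""Triage helper for ComboFix-style service, port and ServiceDll lines.

Added example, not from the thread. It reads lines in the shape ComboFix
prints and returns Finding records for entries a malware-removal helper
would look at first. Nothing here is a verdict; it only orders the review.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input mirroring the thread's ComboFix log.
SAMPLE_LOG = r"""
R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 467968]
R2 qmlcacmjs;Update Security;c:\windows\system32\svchost.exe [2008-04-13 14336]
R2 uabjbcajd;Monitor Windows;c:\windows\system32\svchost.exe [2008-04-13 14336]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-09-23 23888]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-23 93320]
"8979:TCP"= 8979:TCP:hmgkmr
[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\qmlcacmjs]
"ServiceDll"="c:\windows\system32\goccra.dll"
"""

# "R2 name;display;image [yyyy-mm-dd size]" service entries.
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.+?) \[\d{4}-\d{2}-\d{2} \d+\]$')
# GloballyOpenPorts values: "8979:TCP"= 8979:TCP:label
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# Registry key naming a service, followed by its ServiceDll value.
KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$', re.IGNORECASE)
DLL_RE = re.compile(r'^"ServiceDll"="(.+)"$')


@dataclass
class Finding:
    kind: str            # "service" or "port"
    name: str            # service name or "port/proto"
    detail: str          # image path (plus ServiceDll if known) or port label
    reasons: list = field(default_factory=list)


def _tokens(text):
    """Lower-case alphanumeric words of a name, for relatedness checks."""
    return {t for t in re.split(r'[^a-z0-9]+', text.lower()) if t}


def names_related(service_name, display_name):
    """Heuristic (assumption): genuine services usually share a word between
    service name and display name; an unrelated pair is worth a look."""
    return bool(_tokens(service_name) & _tokens(display_name))


def triage(log_text):
    """Return Findings for svchost-hosted or oddly named services and for
    globally opened ports, attaching any ServiceDll seen for a service."""
    findings = []
    service_dlls = {}
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = DLL_RE.match(line)
        if m and current_key:
            service_dlls[current_key.lower()] = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, display, image = m.groups()
            reasons = []
            if image.lower().endswith('\\svchost.exe'):
                reasons.append('hosted in svchost.exe; check which ServiceDll it loads')
            if not names_related(name, display):
                reasons.append(f'service name {name!r} unrelated to display name {display!r}')
            if reasons:
                findings.append(Finding('service', name, image, reasons))
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, label = m.groups()
            findings.append(Finding('port', f'{port}/{proto}', label,
                                    [f'inbound {proto} port {port} opened under label {label!r}']))
    # Pair flagged services with the ServiceDll recorded for them.
    for f in findings:
        if f.kind == 'service':
            dll = service_dlls.get(f.name.lower())
            if dll:
                f.detail = f'{f.detail} -> ServiceDll {dll}'
                f.reasons.append(f'ServiceDll resolves to {dll}')
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.kind}] {f.name}: {f.detail}')
        for r in f.reasons:
            print(f'    - {r}')
```

Run against the sample it reports the two svchost-hosted services (the first with its goccra.dll ServiceDll attached) and the 8979/TCP entry, and stays silent on the ArcGIS, COH_Mon and McAfee lines, which is the ordering a helper reading this log would want before deciding what to quarantine.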
     
    "USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2009-09-23 815104]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

    c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
    PopChat.exe [1999-1-30 594432]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firefox Preloader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Firefox Preloader.lnk
    backup=c:\windows\pss\Firefox Preloader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Connection Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Connection Manager.lnk
    backup=c:\windows\pss\Pathfinder Office Connection Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Project Changer.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Project Changer.lnk
    backup=c:\windows\pss\Pathfinder Office Project Changer.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=c:\windows\pss\HotSync Manager.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^PopChat.INI]
    path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\PopChat.INI
    backup=c:\windows\pss\PopChat.INIStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PFO Check Settings

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-04-24 06:25 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2006-10-26 16:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2005-08-11 08:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-08-11 08:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2009-11-10 07:39 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-15 13:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 08:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-06-02 03:56 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    2005-10-26 09:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-03-08 21:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
    2005-03-07 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTtrayp]
    2005-10-31 20:15 163840 ----a-r- c:\windows\system32\VTTrayp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "i:\\Warcraft\\Warcraft III.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dllhost.exe"=
    "i:\\Software Installers\\PFO_251 (E)\\SETUP.EXE"=
    "c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\GPLOAD.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8979:TCP"= 8979:TCP:hmgkmr

    R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 467968]
    R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [2009-10-10 81920]
    R2 BulkUsb;Genius ColorPage USB Scanner;c:\windows\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    R2 qmlcacmjs;Update Security;c:\windows\system32\svchost.exe [2008-04-13 14336]
    R2 uabjbcajd;Monitor Windows;c:\windows\system32\svchost.exe [2008-04-13 14336]
    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-09-23 23888]
    R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2008-12-30 102656]
    R3 TrmbTS;TrmbTS;c:\windows\system32\Drivers\TrmbTS.sys [2007-04-23 29184]
    R3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\system32\drivers\TRMUSB5K.sys [2000-06-19 9881]
    R4 Lbcloomrasto;Lbcloomrasto;c:\windows\system32\drivers\mbam.sys [2010-03-29 20824]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-23 93320]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-24 102448]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PAVBOOT

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2008-04-13 21:41 99840 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-21 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 01:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp
    uSearchAssistant =
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\mambaltazar\Application Data\Mozilla\Firefox\Profiles\n2xz6x1u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\documents and settings\mambaltazar\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-NavLogon - (no file)
    SafeBoot-Wdf01000.sys
    SafeBoot-Symantec Antvirus
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    AddRemove-numpy-py2.5 - c:\python25\Removenumpy.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-21 10:05
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet009\Services\qmlcacmjs]
    "ServiceDll"="c:\windows\system32\goccra.dll"
    .
    Completion time: 2010-04-21 10:10:54
    ComboFix-quarantined-files.txt 2010-04-21 02:10

    Pre-Run: 6,097,772,544 bytes free
    Post-Run: 6,092,247,040 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
    - - End Of File - - D5D7090A1931DDE970B319B85B382365
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,919
    First Name:
    Karen
    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    http://forums.techguy.org/malware-removal-hijackthis-logs/918044-dwhb8a6-tmp-found-symantec.html#post7341136
    
    Collect::
    c:\windows\system32\goccra.dll
    
    Driver::
    qmlcacmjs
    uabjbcajd
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet009\Services\qmlcacmjs]
     
    Save the file to your desktop and name it CFScript.txt

    Referring to the picture below, drag CFScript.txt into ComboFix.exe



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
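    As an added illustration of the reasoning behind the script above (this is not code from the thread, from Tech Support Guy or from ComboFix), the Python below parses ComboFix-style "Drivers/Services" lines plus the ServiceDll registry block and flags services that run inside svchost.exe under a name it does not recognise, pairing each with the DLL the registry dump names. The sample log lines are copied from the log posted in this thread; the allowlist of legitimate svchost services and the name-randomness heuristic are constructed assumptions, not a ComboFix rule.

```python
"""Triage of ComboFix-style service listings.

Parses "Drivers/Services" lines (start code R0..R4 / S0..S4, then
name;display name;image path [date size]) and the REGEDIT-style ServiceDll
block ComboFix prints after them, then flags services hosted inside
svchost.exe whose name is not a known service: the pattern in this thread
(qmlcacmjs and uabjbcajd, with qmlcacmjs tied to goccra.dll).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the relevant lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 467968]
R2 qmlcacmjs;Update Security;c:\windows\system32\svchost.exe [2008-04-13 14336]
R2 uabjbcajd;Monitor Windows;c:\windows\system32\svchost.exe [2008-04-13 14336]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2008-12-30 102656]
R4 Lbcloomrasto;Lbcloomrasto;c:\windows\system32\drivers\mbam.sys [2010-03-29 20824]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-24 102448]

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\qmlcacmjs]
"ServiceDll"="c:\windows\system32\goccra.dll"
"""

# Constructed, deliberately partial allowlist of services that legitimately run inside
# svchost.exe on Windows XP; a real deployment would load the NetSvcs group members of
# the specific build. UxTuneUp is the non-default entry the log above shows.
KNOWN_SVCHOST_SERVICES = {
    "rpcss", "dnscache", "dhcp", "lanmanserver", "lanmanworkstation", "browser",
    "wuauserv", "bits", "winmgmt", "eventsystem", "themes", "uxtuneup",
}

SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
DLL_RE = re.compile(r'^"ServiceDll"="([^"]+)"$', re.I)


@dataclass
class Finding:
    name: str
    display: str
    image: str
    service_dll: Optional[str] = None
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Cheap randomness heuristic: few vowels, or a long consonant run, in a name
    of eight or more letters. Legitimate names trip it too (Malwarebytes registers
    its driver under a randomised name), so on its own it only adds weight."""
    if " " in name:
        return False
    letters = [c.lower() for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    longest = run = 0
    for c in letters:
        run = 0 if c in "aeiouy" else run + 1
        longest = max(longest, run)
    return vowels / len(letters) < 0.35 or longest >= 5


def triage(log_text: str) -> List[Finding]:
    """Parse every service line and score it. The ServiceDll map is filled in the
    same pass, since ComboFix prints the registry block after the service list."""
    services: List[Finding] = []
    service_dll: Dict[str, str] = {}
    current_key: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            services.append(Finding(name=m.group(2), display=m.group(3), image=m.group(4)))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = DLL_RE.match(line)
        if m and current_key:
            service_dll[current_key] = m.group(1)
    for f in services:
        f.service_dll = service_dll.get(f.name.lower())
        hosted = f.image.lower().endswith("\\svchost.exe")
        if hosted and f.name.lower() not in KNOWN_SVCHOST_SERVICES:
            f.score += 2  # the strong signal: an unknown DLL riding inside svchost
            f.reasons.append("svchost-hosted service with unknown name")
        if looks_random(f.name):
            f.score += 1  # weak signal on its own
            f.reasons.append("random-looking service name")
    return services


def suspicious_services(log_text: str, threshold: int = 2) -> List[Finding]:
    return [f for f in triage(log_text) if f.score >= threshold]


def collect_targets(findings: List[Finding], threshold: int = 2) -> List[str]:
    """Files worth submitting for analysis: the ServiceDll of each flagged service."""
    return [f.service_dll for f in findings if f.score >= threshold and f.service_dll]
```

    On the sample, only qmlcacmjs and uabjbcajd reach the threshold, while Lbcloomrasto (a randomised name that points at Malwarebytes' mbam.sys) scores one point and is left alone.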
     
  6. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    When I dragged the script onto ComboFix, it prompted me to update ComboFix; I clicked yes. It successfully downloaded it.

    Then it scanned the machine.

    But when the log popped up, a message box did not prompt me to upload the files anywhere...

    Here is the ComboFix log.


    ComboFix 10-04-21.01 - mambaltazar 04/22/2010 9:09.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.345 [GMT 8:00]
    Running from: c:\documents and settings\mambaltazar\Desktop\puppy.exe
    Command switches used :: c:\documents and settings\mambaltazar\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_QMLCACMJS
    -------\Legacy_UABJBCAJD
    -------\Service_qmlcacmjs
    -------\Service_uabjbcajd


    ((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
    .

    2010-04-20 13:15 . 2009-06-30 01:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-04-20 13:13 . 2010-04-20 13:13 -------- d-----w- c:\program files\Panda Security
    2010-03-31 03:41 . 2010-03-31 03:42 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\ColorCop
    2010-03-31 03:41 . 2010-03-31 03:41 -------- d-----w- c:\program files\Color_Cop

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-21 00:54 . 2009-04-01 05:57 -------- d-----w- c:\program files\Symantec AntiVirus
    2010-04-20 09:29 . 2009-02-05 10:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-20 09:29 . 2009-08-24 03:10 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-04-13 05:04 . 2008-10-10 10:30 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
    2010-03-30 06:20 . 2008-08-22 01:34 3452 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-03-30 06:20 . 2008-08-26 09:02 95240 ----a-w- c:\documents and settings\mambaltazar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-29 16:46 . 2009-02-05 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-29 16:45 . 2009-02-05 10:09 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-29 03:40 . 2008-12-03 02:38 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\VSO
    2010-03-26 00:33 . 2009-07-09 01:10 -------- d-----w- c:\program files\McAfee
    2010-03-17 03:45 . 2010-03-17 03:45 -------- d-----w- c:\program files\DC-Unlocker
    2010-03-17 03:35 . 2009-06-22 05:14 -------- d-----w- c:\program files\Smart Bro
    2010-02-24 15:13 . 2009-06-22 14:31 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\Skype
    2010-02-24 14:12 . 2009-06-29 05:51 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\skypePM
    2010-02-19 06:46 . 2010-02-19 06:46 355584 ----a-w- c:\windows\system32\TuneUpDefragService.exe
    2010-02-18 00:47 . 2009-09-23 02:35 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 149040]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-03-01 577536]
    "VTTimer"="VTTimer.exe" [2005-03-07 53248]
    "VTTrayp"="VTtrayp.exe" [2005-10-31 163840]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-23 115560]
    "USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2009-09-23 815104]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

    c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
    PopChat.exe [1999-1-30 594432]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firefox Preloader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Firefox Preloader.lnk
    backup=c:\windows\pss\Firefox Preloader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Connection Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Connection Manager.lnk
    backup=c:\windows\pss\Pathfinder Office Connection Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Project Changer.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Project Changer.lnk
    backup=c:\windows\pss\Pathfinder Office Project Changer.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=c:\windows\pss\HotSync Manager.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^PopChat.INI]
    path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\PopChat.INI
    backup=c:\windows\pss\PopChat.INIStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-04-24 06:25 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2006-10-26 16:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2005-08-11 08:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-08-11 08:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2009-11-10 07:39 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-15 13:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 08:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-06-02 03:56 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    2005-10-26 09:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-03-08 21:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
    2005-03-07 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTtrayp]
    2005-10-31 20:15 163840 ----a-r- c:\windows\system32\VTTrayp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "i:\\Warcraft\\Warcraft III.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dllhost.exe"=
    "i:\\Software Installers\\PFO_251 (E)\\SETUP.EXE"=
    "c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\GPLOAD.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8979:TCP"= 8979:TCP:hmgkmr

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [4/20/2010 9:15 PM 28552]
    R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [10/22/2008 10:16 AM 467968]
    R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [1/14/2010 9:58 AM 81920]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/9/2009 9:11 AM 93320]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/24/2009 4:30 PM 102448]
    S2 BulkUsb;Genius ColorPage USB Scanner;c:\windows\system32\drivers\usbscan.sys [8/15/2008 10:09 AM 15104]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [9/23/2009 10:35 AM 23888]
    S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [3/17/2010 11:32 AM 102656]
    S3 TrmbTS;TrmbTS;c:\windows\system32\drivers\TrmbTS.sys [6/8/2009 4:03 PM 29184]
    S3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\system32\drivers\TRMUSB5K.SYS [6/8/2009 4:04 PM 9881]
    S4 Lbcloomrasto;Lbcloomrasto;c:\windows\system32\drivers\mbam.sys [2/5/2009 6:09 PM 20824]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2008-04-13 21:41 99840 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-22 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 01:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp
    uSearchAssistant =
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\mambaltazar\Application Data\Mozilla\Firefox\Profiles\n2xz6x1u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\documents and settings\mambaltazar\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-22 09:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2916)
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Symantec AntiVirus\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\ESRI\License\arcgis9x\ARCGIS.exe
    c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\RealVNC\VNC4\WinVNC4.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Symantec AntiVirus\SmcGui.exe
    c:\windows\SOUNDMAN.EXE
    c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\PopChat.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-22 09:38:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-22 01:38
    ComboFix2.txt 2010-04-21 02:10

    Pre-Run: 6,120,652,800 bytes free
    Post-Run: 6,056,140,800 bytes free

    Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
    - - End Of File - - 38DA1D31462D7C0A0BDAA06083C409BA
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,919
    First Name:
    Karen
    Go to the link below and upload the following file(s) for analysis and post the results please:

    http://virusscan.jotti.org/

    c:\GPLOAD.exe

    Also, do you recognize this that's using port 8979? Any idea what it's related to?

    8979:TCP:hmgkmr
     
  8. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    I know GPLoad; it is a data transfer utility for my GPS unit. It's from Garmin.

    About port 8979, could it be my second LAN card? I have two LAN cards: one is for our small group network with internet and the other is for my personal laptop...

    That's all.
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,919
    First Name:
    Karen
    I'm not sure about that port but it looks suspicious.

    Please download to Desktop: DDS by sUBs from one of these locations:

    http://www.techsupportforum.com/sectools/sUBs/dds
    http://download.bleepingcomputer.com/sUBs/dds.scr
    http://www.forospyware.com/sUBs/dds

    Double-click DDS.scr to run.

    When complete, DDS.txt will open.

    Click Yes for Optional Scan.
    Save both reports to your desktop.
    DDS.txt
    Attach.txt

    Please post the DDS.txt report in the reply itself and upload the Attach.txt log as an attachment.
     
  10. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    DDS (Ver_10-03-17.01) - NTFSx86
    Run by mambaltazar at 9:07:16.82 on Mon 04/26/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.321 [GMT 8:00]

    AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\Program Files\Symantec AntiVirus\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
    C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Symantec AntiVirus\SmcGui.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\USB Disk Security\USBGuard.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Documents and Settings\mambaltazar\Start Menu\Programs\Startup\PopChat.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
    C:\Program Files\Symantec AntiVirus\DWHWizrd.exe
    H:\Downloads2\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp
    uSearchAssistant =
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [VTTimer] VTTimer.exe
    mRun: [VTTrayp] VTtrayp.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\office~1\office11\REFIEBAR.DLL
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\mambal~1\applic~1\mozilla\firefox\profiles\n2xz6x1u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.com
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\documents and settings\mambaltazar\local settings\application data\yahoo!\browserplus\2.6.0\plugins\npybrowserplus_2.6.0.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R? BulkUsb;Genius ColorPage USB Scanner
    R? COH_Mon;COH_Mon
    R? hwusbfake;Huawei DataCard USB Fake
    R? Lbcloomrasto;Lbcloomrasto
    R? TrmbTS;TrmbTS
    R? TRMUSB5K;Trimble USB GPS Driver
    S? ArcGIS License Manager;ArcGIS License Manager
    S? Autorun CDROM Monitor;Autorun CDROM Monitor
    S? ccEvtMgr;Symantec Event Manager
    S? ccSetMgr;Symantec Settings Manager
    S? EraserUtilRebootDrv;EraserUtilRebootDrv
    S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
    S? NAVENG;NAVENG
    S? NAVEX15;NAVEX15
    S? pavboot;pavboot
    S? Symantec AntiVirus;Symantec Endpoint Protection
    S? xfilt;VIA SATA IDE Hot-plug Driver

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-03-30 06:20:21 3452 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-03-29 16:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-29 16:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-19 06:46:00 355584 ----a-w- c:\windows\system32\TuneUpDefragService.exe

    ============= FINISH: 9:09:29.25 ===============
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,919
    First Name:
    Karen
    Open HijackThis and click on the Open Misc Tools section button. Click on the Open Uninstall Manager button. Click the Save List button. Save the list then copy and paste it here.
     
  12. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    ABBYY FineReader 8.0 Professional Edition
    Acrobat.com
    Acrobat.com
    Adobe Acrobat 4.0
    Adobe AIR
    Adobe AIR
    Adobe Creative Suite
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe SVG Viewer 3.0
    APC PowerChute Personal Edition
    Apple Software Update
    Applian FLV Player
    ArcGIS Desktop
    ArcGIS License Manager
    Artopik 1.51
    CleanUp!
    Client Activator 2.2 - English
    Color Cop 5.4.3
    CorelDRAW Graphics Suite 12
    CorelDRAW Graphics Suite X3
    Doc Scrubber v1.1
    EN
    FileZilla Client 3.2.4.1
    Firefox Preloader
    Flash Movie Player 1.5
    FontFrenzy 1.51
    FontNav
    Foxit Reader
    Free Music Zilla
    Garmin Trip and Waypoint Manager v4
    Genius ColorPage-Vivid3XE USB
    GPL Ghostscript 8.70
    GSview 4.9
    HijackThis 2.0.2
    HP Deskjet Printer Driver Software 9.0
    HP LaserJet P1000 series
    HPCarePackProducts
    Instant Eyedropper 1.75
    iQue - Detail Map Install
    iQue - MapInstall and ContactLocation
    iQue - Palm Manual
    iQue - TransferWaypoints
    Java(TM) 6 Update 13
    K-Lite Codec Pack 5.0.5 (Basic)
    LiveUpdate 3.3 (Symantec Corporation)
    Macromedia Extension Manager
    Malwarebytes' Anti-Malware
    McAfee SiteAdvisor
    Metadata Analyzer v2.2
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Edition 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.6.3)
    MrvlUsgTracking
    MSVC80_x86
    MyPhoneExplorer
    Nero 7 Essentials
    neroxml
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    Nokia PC Suite
    Palm Desktop for Garmin iQue 3600
    Panda ActiveScan 2.0
    Pathfinder Office 2.51
    PC Connectivity Solution
    Picture Package Music Transfer
    PrimoPDF
    PrimoPDF Redistribution Package
    Python 2.4.1
    Python 2.5.2
    QuickTime
    QuickTime 3.0
    Realtek AC'97 Audio
    Revo Uninstaller 1.83
    SA32xx Device Manager
    Scrapbook Flair
    Sentinel Protection Installer 7.2.2
    ShapeEditingExtension
    Skype™ 4.0
    SMART BRO
    Smart Bro
    Sony Ericsson PC Suite 1.20.224
    Sony Picture Utility
    SpeedFan (remove only)
    SPSS 16.0 for Windows
    SPSS SmartViewer 15.0
    Stata/SE 8 for Windows
    Symantec Endpoint Protection
    Symbolizer
    Trimble Data Transfer
    TuneUp Utilities 2008
    Tweak UI
    Ucinet 6
    Update for Word 2007 (KB934173)
    Update Manager
    USB Disk Security
    VBA
    VIA Platform Device Manager
    VNC Enterprise Edition E4.3.1
    VNC Mirror Driver 1.7
    VSO Image Resizer 2.1.3.5
    Windows Driver Package - Nokia Modem (06/01/2009 4.1)
    Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.3)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Media Format Runtime
    Windows XP Service Pack 3
    WinRAR archiver
    WinZip
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,919
    First Name:
    Karen
    Please run the MGA Diagnostic Tool and post back the report it creates:
    • Download MGADiag to your desktop.
    • Double-click on MGADiag.exe to launch the program
    • Click "Continue"
    • Ensure that the "Windows" tab is selected (it should be by default).
    • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
    • Paste the MGA Diagnostic Report back here in your next reply.
     
Short URL to this thread: https://techguy.org/918044