DWHB8A6.tmp was found by Symantec

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

cromaczs07

Thread Starter
Joined
Feb 20, 2006
Messages
310
Symantec has popped 281 times in 2 hours, declaring an infection. Some are successfully quarantined. Some are not.
I'm now afraid to use my personal laptop, i'm not sure what's in this desktop.

I initially scanned it with MBAM's quick scan, but it did not find anything.
Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:54 PM, on 4/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Documents and Settings\mambaltazar\Start Menu\Programs\Startup\PopChat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\DWHWizrd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ph.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/security_response/index.jsp
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: PopChat.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = philrice.local
O17 - HKLM\Software\..\Telephony: DomainName = philrice.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = philrice.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = philrice.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = philrice.local
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = philrice.local
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = philrice.local
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = philrice.local
O17 - HKLM\System\CS8\Services\Tcpip\Parameters: Domain = philrice.local
O17 - HKLM\System\CS9\Services\Tcpip\Parameters: Domain = philrice.local
O17 - HKLM\System\CS10\Services\Tcpip\Parameters: Domain = philrice.local
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autorun CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8968 bytes
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
 

cromaczs07

Thread Starter
Joined
Feb 20, 2006
Messages
310
Thank you Cokiegal!

Here is my combofix log.

ComboFix 10-04-19.08 - mambaltazar 04/21/2010 9:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.230 [GMT 8:00]
Running from: c:\documents and settings\mambaltazar\Desktop\puppy.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marco\Application Data\AD ON Multimedia
c:\documents and settings\Marco\Application Data\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe
c:\windows\eSellerateEngine.dll
c:\windows\Fonts\Graphic1.ttf
c:\windows\system32\nsprs.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\VB6KO.DLL
c:\windows\system32\win.ini

.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-20 13:15 . 2009-06-30 01:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-04-20 13:13 . 2010-04-20 13:13 -------- d-----w- c:\program files\Panda Security
2010-03-31 03:41 . 2010-03-31 03:42 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\ColorCop
2010-03-31 03:41 . 2010-03-31 03:41 -------- d-----w- c:\program files\Color_Cop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 00:54 . 2009-04-01 05:57 -------- d-----w- c:\program files\Symantec AntiVirus
2010-04-20 09:29 . 2009-02-05 10:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 09:29 . 2009-08-24 03:10 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-13 05:04 . 2008-10-10 10:30 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2010-03-30 06:20 . 2008-08-22 01:34 3452 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-30 06:20 . 2008-08-26 09:02 95240 ----a-w- c:\documents and settings\mambaltazar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-29 16:46 . 2009-02-05 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 16:45 . 2009-02-05 10:09 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 03:40 . 2008-12-03 02:38 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\VSO
2010-03-26 00:33 . 2009-07-09 01:10 -------- d-----w- c:\program files\McAfee
2010-03-17 03:45 . 2010-03-17 03:45 -------- d-----w- c:\program files\DC-Unlocker
2010-03-17 03:35 . 2009-06-22 05:14 -------- d-----w- c:\program files\Smart Bro
2010-02-24 15:13 . 2009-06-22 14:31 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\Skype
2010-02-24 14:12 . 2009-06-29 05:51 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\skypePM
2010-02-19 06:46 . 2010-02-19 06:46 355584 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-02-18 00:47 . 2009-09-23 02:35 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 149040]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 577536]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" [2005-10-31 163840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-23 115560]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2009-09-23 815104]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PopChat.exe [1999-1-30 594432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firefox Preloader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Firefox Preloader.lnk
backup=c:\windows\pss\Firefox Preloader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Connection Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Connection Manager.lnk
backup=c:\windows\pss\Pathfinder Office Connection Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Project Changer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Project Changer.lnk
backup=c:\windows\pss\Pathfinder Office Project Changer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^PopChat.INI]
path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\PopChat.INI
backup=c:\windows\pss\PopChat.INIStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PFO Check Settings

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-04-24 06:25 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 16:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 08:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 08:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 07:39 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-15 13:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 08:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-06-02 03:56 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2005-10-26 09:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-08 21:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2005-03-07 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTtrayp]
2005-10-31 20:15 163840 ----a-r- c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"i:\\Warcraft\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"i:\\Software Installers\\PFO_251 (E)\\SETUP.EXE"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\GPLOAD.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8979:TCP"= 8979:TCP:hmgkmr

R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 467968]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [2009-10-10 81920]
R2 BulkUsb;Genius ColorPage USB Scanner;c:\windows\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R2 qmlcacmjs;Update Security;c:\windows\system32\svchost.exe [2008-04-13 14336]
R2 uabjbcajd;Monitor Windows;c:\windows\system32\svchost.exe [2008-04-13 14336]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-09-23 23888]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2008-12-30 102656]
R3 TrmbTS;TrmbTS;c:\windows\system32\Drivers\TrmbTS.sys [2007-04-23 29184]
R3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\system32\drivers\TRMUSB5K.sys [2000-06-19 9881]
R4 Lbcloomrasto;Lbcloomrasto;c:\windows\system32\drivers\mbam.sys [2010-03-29 20824]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-23 93320]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-24 102448]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - PAVBOOT

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2008-04-13 21:41 99840 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 01:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\mambaltazar\Application Data\Mozilla\Firefox\Profiles\n2xz6x1u.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\mambaltazar\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Wdf01000.sys
SafeBoot-Symantec Antvirus
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
AddRemove-numpy-py2.5 - c:\python25\Removenumpy.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 10:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\qmlcacmjs]
"ServiceDll"="c:\windows\system32\goccra.dll"
.
Completion time: 2010-04-21 10:10:54
ComboFix-quarantined-files.txt 2010-04-21 02:10

Pre-Run: 6,097,772,544 bytes free
Post-Run: 6,092,247,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - D5D7090A1931DDE970B319B85B382365
 

cromaczs07

Thread Starter
Joined
Feb 20, 2006
Messages
310
Thank you Cokiegal!

Here is my combofix log.

ComboFix 10-04-19.08 - mambaltazar 04/21/2010 9:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.230 [GMT 8:00]
Running from: c:\documents and settings\mambaltazar\Desktop\puppy.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marco\Application Data\AD ON Multimedia
c:\documents and settings\Marco\Application Data\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe
c:\windows\eSellerateEngine.dll
c:\windows\Fonts\Graphic1.ttf
c:\windows\system32\nsprs.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\VB6KO.DLL
c:\windows\system32\win.ini

.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-20 13:15 . 2009-06-30 01:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-04-20 13:13 . 2010-04-20 13:13 -------- d-----w- c:\program files\Panda Security
2010-03-31 03:41 . 2010-03-31 03:42 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\ColorCop
2010-03-31 03:41 . 2010-03-31 03:41 -------- d-----w- c:\program files\Color_Cop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 00:54 . 2009-04-01 05:57 -------- d-----w- c:\program files\Symantec AntiVirus
2010-04-20 09:29 . 2009-02-05 10:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 09:29 . 2009-08-24 03:10 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-13 05:04 . 2008-10-10 10:30 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2010-03-30 06:20 . 2008-08-22 01:34 3452 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-30 06:20 . 2008-08-26 09:02 95240 ----a-w- c:\documents and settings\mambaltazar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-29 16:46 . 2009-02-05 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 16:45 . 2009-02-05 10:09 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 03:40 . 2008-12-03 02:38 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\VSO
2010-03-26 00:33 . 2009-07-09 01:10 -------- d-----w- c:\program files\McAfee
2010-03-17 03:45 . 2010-03-17 03:45 -------- d-----w- c:\program files\DC-Unlocker
2010-03-17 03:35 . 2009-06-22 05:14 -------- d-----w- c:\program files\Smart Bro
2010-02-24 15:13 . 2009-06-22 14:31 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\Skype
2010-02-24 14:12 . 2009-06-29 05:51 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\skypePM
2010-02-19 06:46 . 2010-02-19 06:46 355584 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-02-18 00:47 . 2009-09-23 02:35 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 149040]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 577536]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" [2005-10-31 163840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-23 115560]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2009-09-23 815104]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PopChat.exe [1999-1-30 594432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firefox Preloader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Firefox Preloader.lnk
backup=c:\windows\pss\Firefox Preloader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Connection Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Connection Manager.lnk
backup=c:\windows\pss\Pathfinder Office Connection Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Project Changer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Project Changer.lnk
backup=c:\windows\pss\Pathfinder Office Project Changer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^PopChat.INI]
path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\PopChat.INI
backup=c:\windows\pss\PopChat.INIStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PFO Check Settings

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-04-24 06:25 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 16:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 08:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 08:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 07:39 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-15 13:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 08:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-06-02 03:56 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2005-10-26 09:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-08 21:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2005-03-07 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTtrayp]
2005-10-31 20:15 163840 ----a-r- c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"i:\\Warcraft\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"i:\\Software Installers\\PFO_251 (E)\\SETUP.EXE"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\GPLOAD.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8979:TCP"= 8979:TCP:hmgkmr

R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 467968]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [2009-10-10 81920]
R2 BulkUsb;Genius ColorPage USB Scanner;c:\windows\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R2 qmlcacmjs;Update Security;c:\windows\system32\svchost.exe [2008-04-13 14336]
R2 uabjbcajd;Monitor Windows;c:\windows\system32\svchost.exe [2008-04-13 14336]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-09-23 23888]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2008-12-30 102656]
R3 TrmbTS;TrmbTS;c:\windows\system32\Drivers\TrmbTS.sys [2007-04-23 29184]
R3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\system32\drivers\TRMUSB5K.sys [2000-06-19 9881]
R4 Lbcloomrasto;Lbcloomrasto;c:\windows\system32\drivers\mbam.sys [2010-03-29 20824]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-23 93320]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-24 102448]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - PAVBOOT

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2008-04-13 21:41 99840 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 01:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\mambaltazar\Application Data\Mozilla\Firefox\Profiles\n2xz6x1u.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\mambaltazar\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Wdf01000.sys
SafeBoot-Symantec Antvirus
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
AddRemove-numpy-py2.5 - c:\python25\Removenumpy.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 10:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\qmlcacmjs]
"ServiceDll"="c:\windows\system32\goccra.dll"
.
Completion time: 2010-04-21 10:10:54
ComboFix-quarantined-files.txt 2010-04-21 02:10

Pre-Run: 6,097,772,544 bytes free
Post-Run: 6,092,247,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - D5D7090A1931DDE970B319B85B382365
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
Open Notepad and copy and paste the text in the code box below into it:

Code:
http://forums.techguy.org/malware-removal-hijackthis-logs/918044-dwhb8a6-tmp-found-symantec.html#post7341136

Collect::
c:\windows\system32\goccra.dll

Driver::
qmlcacmjs
uabjbcajd

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet009\Services\qmlcacmjs]
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
 

cromaczs07

Thread Starter
Joined
Feb 20, 2006
Messages
310
When i dragged the script on the combofix, it prompted me to update combofix, i click yes. it successfully downloaded it.

then it scanned the machine.

But when the log popped up, a message box did not prompt me to upload the files anywhere...

Here is the combofix log.


ComboFix 10-04-21.01 - mambaltazar 04/22/2010 9:09.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.345 [GMT 8:00]
Running from: c:\documents and settings\mambaltazar\Desktop\puppy.exe
Command switches used :: c:\documents and settings\mambaltazar\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QMLCACMJS
-------\Legacy_UABJBCAJD
-------\Service_qmlcacmjs
-------\Service_uabjbcajd


((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-20 13:15 . 2009-06-30 01:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-04-20 13:13 . 2010-04-20 13:13 -------- d-----w- c:\program files\Panda Security
2010-03-31 03:41 . 2010-03-31 03:42 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\ColorCop
2010-03-31 03:41 . 2010-03-31 03:41 -------- d-----w- c:\program files\Color_Cop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 00:54 . 2009-04-01 05:57 -------- d-----w- c:\program files\Symantec AntiVirus
2010-04-20 09:29 . 2009-02-05 10:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 09:29 . 2009-08-24 03:10 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-13 05:04 . 2008-10-10 10:30 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2010-03-30 06:20 . 2008-08-22 01:34 3452 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-30 06:20 . 2008-08-26 09:02 95240 ----a-w- c:\documents and settings\mambaltazar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-29 16:46 . 2009-02-05 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 16:45 . 2009-02-05 10:09 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 03:40 . 2008-12-03 02:38 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\VSO
2010-03-26 00:33 . 2009-07-09 01:10 -------- d-----w- c:\program files\McAfee
2010-03-17 03:45 . 2010-03-17 03:45 -------- d-----w- c:\program files\DC-Unlocker
2010-03-17 03:35 . 2009-06-22 05:14 -------- d-----w- c:\program files\Smart Bro
2010-02-24 15:13 . 2009-06-22 14:31 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\Skype
2010-02-24 14:12 . 2009-06-29 05:51 -------- d-----w- c:\documents and settings\mambaltazar\Application Data\skypePM
2010-02-19 06:46 . 2010-02-19 06:46 355584 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-02-18 00:47 . 2009-09-23 02:35 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 149040]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 577536]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" [2005-10-31 163840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-23 115560]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2009-09-23 815104]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PopChat.exe [1999-1-30 594432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firefox Preloader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Firefox Preloader.lnk
backup=c:\windows\pss\Firefox Preloader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Connection Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Connection Manager.lnk
backup=c:\windows\pss\Pathfinder Office Connection Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pathfinder Office Project Changer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pathfinder Office Project Changer.lnk
backup=c:\windows\pss\Pathfinder Office Project Changer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^mambaltazar^Start Menu^Programs^Startup^PopChat.INI]
path=c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\PopChat.INI
backup=c:\windows\pss\PopChat.INIStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-04-24 06:25 149040 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 16:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 08:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 08:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 07:39 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-15 13:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 08:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-06-02 03:56 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2005-10-26 09:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-08 21:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2005-03-07 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTtrayp]
2005-10-31 20:15 163840 ----a-r- c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"i:\\Warcraft\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"i:\\Software Installers\\PFO_251 (E)\\SETUP.EXE"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\GPLOAD.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8979:TCP"= 8979:TCP:hmgkmr

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [4/20/2010 9:15 PM 28552]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [10/22/2008 10:16 AM 467968]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [1/14/2010 9:58 AM 81920]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/9/2009 9:11 AM 93320]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/24/2009 4:30 PM 102448]
S2 BulkUsb;Genius ColorPage USB Scanner;c:\windows\system32\drivers\usbscan.sys [8/15/2008 10:09 AM 15104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [9/23/2009 10:35 AM 23888]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [3/17/2010 11:32 AM 102656]
S3 TrmbTS;TrmbTS;c:\windows\system32\drivers\TrmbTS.sys [6/8/2009 4:03 PM 29184]
S3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\system32\drivers\TRMUSB5K.SYS [6/8/2009 4:04 PM 9881]
S4 Lbcloomrasto;Lbcloomrasto;c:\windows\system32\drivers\mbam.sys [2/5/2009 6:09 PM 20824]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2008-04-13 21:41 99840 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 01:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\mambaltazar\Application Data\Mozilla\Firefox\Profiles\n2xz6x1u.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\mambaltazar\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-22 09:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2916)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\ESRI\License\arcgis9x\ARCGIS.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\rundll32.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\windows\SOUNDMAN.EXE
c:\documents and settings\mambaltazar\Start Menu\Programs\Startup\PopChat.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2010-04-22 09:38:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-22 01:38
ComboFix2.txt 2010-04-21 02:10

Pre-Run: 6,120,652,800 bytes free
Post-Run: 6,056,140,800 bytes free

Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 38DA1D31462D7C0A0BDAA06083C409BA
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
Go to the link below and upload the following file(s) for analysis and post the results please:

http://virusscan.jotti.org/

c:\GPLOAD.exe

Also, do you recognize this that's using port 8979? Any idea what it's related to?

8979:TCP:hmgkmr
 

cromaczs07

Thread Starter
Joined
Feb 20, 2006
Messages
310
i know GPload, it is a data transfer utility for my gps unit. Its from Garmin.

about port 8979, could it be my second LAN card? i have two LAN cards, one is for our small group network with internet and the other is for my personal laptop...

that's all.
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
I'm not sure about that port but it looks suspicious.

Please download to Desktop: DDS by sUBs from one of these locations:

http://www.techsupportforum.com/sectools/sUBs/dds
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Double-click DDS.scr to run.

When complete, DDS.txt will open.

Click Yes for Optional Scan.
Save both reports to your desktop.
DDS.txt
Attach.txt

Please post the DDS.txt report in the reply itself and upload the Attach.txt log as an attachment please.
 

cromaczs07

Thread Starter
Joined
Feb 20, 2006
Messages
310
DDS (Ver_10-03-17.01) - NTFSx86
Run by mambaltazar at 9:07:16.82 on Mon 04/26/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.321 [GMT 8:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Documents and Settings\mambaltazar\Start Menu\Programs\Startup\PopChat.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Program Files\Symantec AntiVirus\DWHWizrd.exe
H:\Downloads2\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp
uSearchAssistant =
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\office~1\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mambal~1\applic~1\mozilla\firefox\profiles\n2xz6x1u.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\mambaltazar\local settings\application data\yahoo!\browserplus\2.6.0\plugins\npybrowserplus_2.6.0.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R? BulkUsb;Genius ColorPage USB Scanner
R? COH_Mon;COH_Mon
R? hwusbfake;Huawei DataCard USB Fake
R? Lbcloomrasto;Lbcloomrasto
R? TrmbTS;TrmbTS
R? TRMUSB5K;Trimble USB GPS Driver
S? ArcGIS License Manager;ArcGIS License Manager
S? Autorun CDROM Monitor;Autorun CDROM Monitor
S? ccEvtMgr;Symantec Event Manager
S? ccSetMgr;Symantec Settings Manager
S? EraserUtilRebootDrv;EraserUtilRebootDrv
S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
S? NAVENG;NAVENG
S? NAVEX15;NAVEX15
S? pavboot;pavboot
S? Symantec AntiVirus;Symantec Endpoint Protection
S? xfilt;VIA SATA IDE Hot-plug Driver

=============== Created Last 30 ================


==================== Find3M ====================

2010-03-30 06:20:21 3452 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-29 16:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 16:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 06:46:00 355584 ----a-w- c:\windows\system32\TuneUpDefragService.exe

============= FINISH: 9:09:29.25 ===============
 

Attachments

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
Open HijackThis and click on the Open Misc Tools section button. Click on the Open Uninstall Manager button. Click the Save List button. Save the list then copy and paste it here.
 

cromaczs07

Thread Starter
Joined
Feb 20, 2006
Messages
310
ABBYY FineReader 8.0 Professional Edition
Acrobat.com
Acrobat.com
Adobe Acrobat 4.0
Adobe AIR
Adobe AIR
Adobe Creative Suite
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe SVG Viewer 3.0
APC PowerChute Personal Edition
Apple Software Update
Applian FLV Player
ArcGIS Desktop
ArcGIS License Manager
Artopik 1.51
CleanUp!
Client Activator 2.2 - English
Color Cop 5.4.3
CorelDRAW Graphics Suite 12
CorelDRAW Graphics Suite X3
Doc Scrubber v1.1
EN
FileZilla Client 3.2.4.1
Firefox Preloader
Flash Movie Player 1.5
FontFrenzy 1.51
FontNav
Foxit Reader
Free Music Zilla
Garmin Trip and Waypoint Manager v4
Genius ColorPage-Vivid3XE USB
GPL Ghostscript 8.70
GSview 4.9
HijackThis 2.0.2
HP Deskjet Printer Driver Software 9.0
HP LaserJet P1000 series
HPCarePackProducts
Instant Eyedropper 1.75
iQue - Detail Map Install
iQue - MapInstall and ContactLocation
iQue - Palm Manual
iQue - TransferWaypoints
Java(TM) 6 Update 13
K-Lite Codec Pack 5.0.5 (Basic)
LiveUpdate 3.3 (Symantec Corporation)
Macromedia Extension Manager
Malwarebytes' Anti-Malware
McAfee SiteAdvisor
Metadata Analyzer v2.2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.3)
MrvlUsgTracking
MSVC80_x86
MyPhoneExplorer
Nero 7 Essentials
neroxml
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
Palm Desktop for Garmin iQue 3600
Panda ActiveScan 2.0
Pathfinder Office 2.51
PC Connectivity Solution
Picture Package Music Transfer
PrimoPDF
PrimoPDF Redistribution Package
Python 2.4.1
Python 2.5.2
QuickTime
QuickTime 3.0
Realtek AC'97 Audio
Revo Uninstaller 1.83
SA32xx Device Manager
Scrapbook Flair
Sentinel Protection Installer 7.2.2
ShapeEditingExtension
Skype™ 4.0
SMART BRO
Smart Bro
Sony Ericsson PC Suite 1.20.224
Sony Picture Utility
SpeedFan (remove only)
SPSS 16.0 for Windows
SPSS SmartViewer 15.0
Stata/SE 8 for Windows
Symantec Endpoint Protection
Symbolizer
Trimble Data Transfer
TuneUp Utilities 2008
Tweak UI
Ucinet 6
Update for Word 2007 (KB934173)
Update Manager
USB Disk Security
VBA
VIA Platform Device Manager
VNC Enterprise Edition E4.3.1
VNC Mirror Driver 1.7
VSO Image Resizer 2.1.3.5
Windows Driver Package - Nokia Modem (06/01/2009 4.1)
Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.3)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
WinZip
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
Please run the MGA Diagnostic Tool and post back the report it creates:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top