Log'N'Rock: TrojanDownloader.FakeAlert.AFW trojan and TROJ_AKLA.A [RESOLVED] - Log'N'Rock


TrojanDownloader.FakeAlert.AFW trojan and TROJ_AKLA.A [RESOLVED]

#1 Kat (Group: Members)

Posted 12 August 2009 - 05:01 AM

I am unable to run MBAM or any other anti-spyware program, but I can run HijackThis, so here's my log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:48 AM, on 8/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\AOL\1163476802\ee\AOLSoftware.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/home/home.do
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1163476802\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://aol.pogo.com/...erInstaller.CAB
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer....l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C45AFFC-3466-4D09-AE9B-B9416E06AA6E}: NameServer = 64.250.192.64 64.250.192.65
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 6417 bytes

#2 Fred Flintstone (Group: Malware Experts)

Posted 12 August 2009 - 12:53 PM

Hi Kat.. :welcome:

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

When saving the file, rename it to Combo-Fix.exe << just insert a hyphen into the filename

* IMPORTANT !!! Save Combo-Fix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: ComboFix Recovery Console prompt]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: ComboFix message after the Recovery Console is installed]


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Thanks..

Fred..

#3 Kat (Group: Members)

Posted 12 August 2009 - 03:29 PM

When it was done and booted back up, an IE shortcut was on my desktop when it wasn't there before, and some things that start at startup weren't there either. Is this normal for that program to do? Thank you so much for helping me, and that's not the last time you'll read that. :P

Here's the log ComboFix gave me.


ComboFix 09-08-10.06 - Owner 08/12/2009 10:13.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.646 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\inst.exe
c:\recycler\S-1-5-21-1225212112-160552882-4132283247-500
c:\windows\kb913800.exe
c:\windows\system32\drivers\SKYNETjldtlemr.sys
c:\windows\system32\drivers\UACgfhyoxydop.sys
c:\windows\system32\SKYNETagftyxvi.dat
c:\windows\system32\SKYNETmttpixdu.dll
c:\windows\system32\SKYNETqovwekcp.dll
c:\windows\system32\SKYNETyuxrloto.dat
c:\windows\system32\UACcwrqpxvpln.dll
c:\windows\system32\UACeavobuhdqc.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmexyqbaiqh.dll
c:\windows\system32\UACngvrdrwwil.dat
c:\windows\system32\UAColriltqfqx.dll
c:\windows\system32\UACyyxgwqucfs.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETqrsswwkr
-------\Legacy_SKYNETqrsswwkr
-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2009-08-11 18:46 . 2009-08-11 16:27 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-11 16:26 . 2009-08-11 23:20 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-08-11 15:49 . 2009-08-11 15:49 -------- d-----w- c:\documents and settings\Owner\Application Data\WinPatrol
2009-08-11 15:49 . 2004-10-28 01:20 0 ----a-w- c:\documents and settings\Owner\Application Data\WinPatrol\Config.sys
2009-08-11 15:49 . 2004-10-28 01:20 0 ----a-w- c:\documents and settings\Owner\Application Data\WinPatrol\Autoexec.bat
2009-08-11 15:48 . 2009-08-11 15:48 -------- d-----w- c:\program files\BillP Studios
2009-08-10 15:34 . 2009-08-10 15:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Graboid_Inc
2009-08-10 15:34 . 2009-08-10 15:34 -------- d-----w- c:\documents and settings\Owner\Application Data\MozillaControl
2009-08-10 15:34 . 2009-08-10 15:37 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Graboid
2009-08-10 15:28 . 2009-08-10 15:28 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-08-10 15:27 . 2009-08-10 18:55 -------- d-----w- c:\program files\VideoLAN
2009-08-10 15:26 . 2009-08-10 18:55 -------- d-----w- c:\program files\Graboid
2009-07-28 17:09 . 2009-08-11 19:18 -------- d-----w- c:\program files\SpeedFan
2009-07-27 23:09 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-07-26 16:03 . 2009-07-26 16:58 -------- d-----w- c:\program files\DVDFab 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 05:16 . 2006-11-14 04:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-08-11 21:30 . 2006-11-14 22:50 -------- d-----w- c:\documents and settings\Owner\Application Data\WeatherBug
2009-08-11 19:19 . 2006-11-14 22:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-11 19:18 . 2008-12-20 18:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 19:18 . 2008-12-20 18:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-10 23:28 . 2009-01-23 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-04 03:36 . 2008-10-22 16:23 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-03 18:36 . 2009-01-23 15:56 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-01-23 15:56 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 04:33 . 2007-07-17 20:32 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-27 23:24 . 2008-04-08 23:50 -------- d-----w- c:\program files\DVDFab Platinum 4
2009-07-27 23:24 . 2007-02-11 23:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Vso
2009-07-27 23:24 . 2007-02-11 23:38 47360 ----a-w- c:\documents and settings\Owner\Application Data\pcouffin.sys
2009-07-27 23:24 . 2007-02-11 23:38 47360 ----a-w- c:\documents and settings\Owner\Application Data\pcouffin.sys
2009-07-27 23:10 . 2009-07-27 23:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-27 23:10 . 2009-07-27 23:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-27 23:04 . 2007-07-17 20:31 -------- d-----w- c:\program files\Oberon Media
2009-07-12 21:44 . 2009-07-12 21:44 -------- d-----w- c:\program files\JumpStart
2009-07-12 21:44 . 2009-07-12 21:44 -------- d-----w- c:\program files\Common Files\Knowledge Adventure
2009-07-10 18:27 . 2008-05-17 05:18 -------- d-----w- c:\program files\Easy Songwriter
2009-07-10 18:22 . 2008-02-06 23:23 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak
2009-07-10 18:20 . 2008-02-06 23:26 -------- d-----w- c:\program files\Kodak
2009-07-06 23:45 . 2009-07-06 23:34 103535 ----a-w- c:\windows\hpoins04.dat
2009-07-06 23:45 . 2009-07-06 23:45 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-07-06 23:34 . 2009-07-06 23:34 -------- d-----w- c:\program files\HP
2009-06-29 16:12 . 2006-11-14 02:48 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-14 02:46 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-14 02:45 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2006-11-14 02:48 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-14 02:45 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2006-11-14 02:48 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-09-12 03:58 . 2008-01-20 02:49 88 --sh--r- c:\windows\system32\86EF8C55ED.sys
2008-09-12 03:58 . 2008-01-20 02:49 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-25 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-25 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-25 114688]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"HostManager"="c:\program files\Common Files\AOL\1163476802\ee\AOLSoftware.exe" [2008-06-24 41824]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-02-20 1443072]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2005-05-03 543232]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax 4.2.lnk
backup=c:\windows\pss\eFax 4.2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1163476802\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1163476802\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe"=

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2/20/2008 11:08 AM 472320]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [11/13/2006 9:48 PM 3584]
S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913d.sys [9/16/2007 8:11 PM 29522]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - sttray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pogo.com/home/home.do
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://aol.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\oc0e9m55.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pogo.com/home/home.do
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oc0e9m55.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 10:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-12 10:21
ComboFix-quarantined-files.txt 2009-08-12 15:21

Pre-Run: 214,816,333,824 bytes free
Post-Run: 214,992,359,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows XP Media Center Edition" /noexecute=optin /fastdetect

181 --- E O F --- 2009-07-29 03:06
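The "Other Deletions" and "Drivers/Services" sections of the ComboFix log above show the shape worth recognising in a log like this: kernel drivers and user-mode DLL/.dat/.db components under system32 that share a fixed uppercase prefix (SKYNET, UAC) followed by a random lowercase string, plus Service_/Legacy_ registry entries with the same prefix (in 2009 this naming was characteristic of the TDSS rootkit family, and the HijackThis log in the first post lists none of these components, which is the usual reason a HijackThis-only log looks clean). As an added example that is not part of the original thread and not one of the tools used in it, the Python script below parses those two sections of a ComboFix log, groups such components by prefix, and reports a prefix as rootkit-shaped when it combines a kernel driver, user-mode files and a service entry. The log excerpt is a constructed sample assembled from lines of the log above; the section banners and the `-------\Service_` entry format are copied from that log.

```python
import re
from collections import defaultdict

# Constructed excerpt assembled from lines of the ComboFix log in this thread
# (section banners and entry formats as ComboFix prints them).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\inst.exe
c:\recycler\S-1-5-21-1225212112-160552882-4132283247-500
c:\windows\kb913800.exe
c:\windows\system32\drivers\SKYNETjldtlemr.sys
c:\windows\system32\drivers\UACgfhyoxydop.sys
c:\windows\system32\SKYNETagftyxvi.dat
c:\windows\system32\SKYNETmttpixdu.dll
c:\windows\system32\UACcwrqpxvpln.dll
c:\windows\system32\UACeavobuhdqc.db
c:\windows\system32\uacinit.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETqrsswwkr
-------\Legacy_SKYNETqrsswwkr
-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2009-08-11 18:46 . 2009-08-11 16:27 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
"""

# ComboFix section banner: a title wrapped in runs of parentheses.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# Uppercase prefix of 3+ letters followed by 8+ random lowercase letters, e.g. SKYNETjldtlemr.sys
RANDOM_NAME_RE = re.compile(r"^([A-Z]{3,})([a-z]{8,})\.(sys|dll|dat|db)$")
# Registry entries ComboFix lists as -------\Service_<name> / -------\Legacy_<name>
SERVICE_RE = re.compile(r"^-+\\(Service|Legacy)_(.+)$")


def parse_sections(log_text):
    """Split a ComboFix log into {section title: [entry lines]} by its banner lines."""
    sections = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is not None and line and line != ".":
            sections[current].append(line)
    return dict(sections)


def find_randomized_components(sections):
    """Group deleted files named <PREFIX><random>.<ext> by prefix, with matching service entries."""
    groups = defaultdict(lambda: {"drivers": [], "files": [], "services": []})
    for path in sections.get("Other Deletions", []):
        base = path.rsplit("\\", 1)[-1]
        m = RANDOM_NAME_RE.match(base)
        if not m:
            continue
        prefix, _, ext = m.groups()
        kind = "drivers" if ext == "sys" and "\\drivers\\" in path.lower() else "files"
        groups[prefix][kind].append(base)
    # Service/Legacy entries share the prefix but not the random suffix (UACd.sys),
    # so they are matched on prefix alone.
    for entry in sections.get("Drivers/Services", []):
        m = SERVICE_RE.match(entry)
        if not m:
            continue
        kind, name = m.groups()
        for prefix in list(groups):
            if name.startswith(prefix):
                groups[prefix]["services"].append(f"{kind}_{name}")
    return dict(groups)


def rootkit_shaped(groups):
    """Prefixes that combine a kernel driver, user-mode payload files and a service entry."""
    return sorted(p for p, g in groups.items() if g["drivers"] and g["files"] and g["services"])


if __name__ == "__main__":
    found = find_randomized_components(parse_sections(SAMPLE_LOG))
    for prefix in rootkit_shaped(found):
        g = found[prefix]
        print(f"{prefix}: driver={g['drivers']} files={g['files']} services={g['services']}")
```

Run against the sample, the script reports both the SKYNET and the UAC groups; uacinit.dll is deliberately left unmatched by the name pattern, which is a reminder that a regex over names is a triage aid, not a verdict, and that the catchme rootkit scan at the end of the log is the check that matters.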

#4 Fred Flintstone (Group: Malware Experts)

Posted 12 August 2009 - 05:03 PM

Hi Kat,
You are welcome.. I am just out through the door to work so will need to look at this when I get home.
In the meantime, see if MBAM will run now, if so please post that log as well.

Thanks..
Fred..

#5 Kat (Group: Members)

Posted 12 August 2009 - 05:57 PM

I ran a scan before this one and it found 4 infected objects, so I took care of that, and now here is the current one.


Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/12/2009 12:56:18 PM
mbam-log-2009-08-12 (12-56-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 216260
Time elapsed: 46 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Fred Flintstone (Group: Malware Experts)

Posted 13 August 2009 - 02:07 PM

Hi Kat,

Combofix seems to have removed the junk, but MBAM will need updating before you run another scan.
MBAM is currently on version 2615 of its definitions database, so you are behind with your updates..

Quote

Malwarebytes' Anti-Malware 1.40
Database version: 2551
It's been updated 64 times since you did it last! (MBAM is updated several times a day)... :P

Please update MBAM now then run a scan and post the log..
How are things running now?

Thanks..
Fred..

#7 Kat (Group: Members)

Posted 18 August 2009 - 10:36 PM

Things are running much better now! :thumbsup: Thanks! Here is the latest log......


Malwarebytes' Anti-Malware 1.40
Database version: 2616
Windows 5.1.2600 Service Pack 3

8/18/2009 5:35:36 PM
mbam-log-2009-08-18 (17-35-36).txt

Scan type: Quick Scan
Objects scanned: 98289
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Fred Flintstone (Group: Malware Experts)

Posted 19 August 2009 - 11:30 AM

Hi Kat

Glad to hear things are running better..
Let's check out your security etc, then we will have a clean up.


Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Are you experiencing any other issues??

Thanks
Fred..

#9 Kat (Group: Members)

Posted 19 August 2009 - 10:25 PM

No there's not any other problems......THANK YOU SO MUCH! :cheers:



Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Smart Security


Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner (remove only)
Java™ 6 Update 10
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.1
``````````````````````````````
Process Check:
objlist.exe by Laurent



``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

#10 Kat (Group: Members)

Posted 19 August 2009 - 10:26 PM

I updated my java just now when I noticed that! Sorry!

#11 Fred Flintstone (Group: Malware Experts)

Posted 20 August 2009 - 01:55 PM

Hi Kat.. you are welcome..

Couple of things:
Apparently, ESET Smart Security includes a firewall??

Quote

also blocks spam and includes personal firewall.


If so, you should disable the Windows Firewall, as it is not recommended to run two firewalls at once!

Well done on updating your Java, but you also need to completely remove the old versions if you haven't already done so.
(Just go to control panel Add/Remove programs and uninstall all versions except the latest one).

Next:
Please go to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the x and the /u; it needs to be there.

The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.


If all is good with you now, I will post some security tips for you and we are done here.. :)

Thanks..
Fred...

#12 Kat (Group: Members)

Posted 20 August 2009 - 05:35 PM

Ok, I did all of the above, but when uninstalling ComboFix through the Run command it didn't work. It says that Windows cannot find combofix. I have not uninstalled it; I was waiting for the go-ahead.

#13 Fred Flintstone (Group: Malware Experts)

Posted 21 August 2009 - 02:44 AM

Ooops.. sorry, my mistake, forgot the hyphen!!... :wub:

We renamed Combofix didn't we?!.. the command should be:

Start --> Run, and type Combo-fix /u in the box that appears.

Any problem with that let me know!..

Thanks
Fred..

#14 Kat (Group: Members)

Posted 21 August 2009 - 08:10 PM

Hmmm..... it says the same thing, but when I double click ComboFix like I want to run it, it asks me if I want to run the program, so is it really installed?

#15 Fred Flintstone (Group: Malware Experts)

Posted 22 August 2009 - 05:57 PM

Hi Kat..

Try the following command:

"%userprofile%\Desktop\combofix" /u << make sure to include the quotation marks.

That should sort it..

Fred.

#16 Kat (Group: Members)

Posted 24 August 2009 - 06:32 PM

Windows said it still can't locate it. Hmmm tricky! Other than that everything is fine and I appreciate your help so much!!!! :yourock:

#17 Fred Flintstone (Group: Malware Experts)

Posted 24 August 2009 - 06:44 PM

Hi Kat,
That is odd!!..

Try this:
When you go to Start / Run, click on the "Browse" button.

Navigate to Combofix on your desktop: it should be c:\documents and settings\Owner\Desktop\Combo-Fix.exe

Click once on Combofix; that should put the file path into the Run window.

Then click in behind the command and put the /u behind it (don't forget the space before /u), then click OK.

Fred..

This post has been edited by Fred Flintstone: 24 August 2009 - 06:45 PM


#18 Kat (Group: Members)

Posted 24 August 2009 - 08:09 PM

That seemed to work! That was odd! Thanks again!

#19 Fred Flintstone (Group: Malware Experts)

Posted 25 August 2009 - 06:50 PM

Hi Kat..

Kat, on Aug 24 2009, 09:09 PM, said:

That seemed to work! That was odd! Thanks again!

Glad about that..saved me a trip round to your house to take it off with a hammer!!.. :lol: :lol:

Glad things are ok now, please see info below:
---------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to close loopholes in those products and fix any bugs found. Please ensure that you visit the following websites regularly, or update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update
Office Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

  • Go to Start > Control Panel > Automatic Updates
  • Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  • Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  • Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.


Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

  • Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  • Never open emails from unknown senders.
  • Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  • Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.


Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, please refer to this website to learn how to secure Internet Explorer 6.

To secure Internet Explorer 7, please read this article.


Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  • Spyware Blaster
    SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

    You can download SpywareBlaster from Javacool.

    If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.


  • Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    A replacement Hosts file will replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by redirecting these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.


  • Malwarebytes RogueNET Bleeping Computer
    Before downloading any anti-spyware programs, always check it. This will save you from a lot of trouble. If in doubt, don't ever download it.


Here are some more things to read about:

Securing Skype
Greater email safety
Phishing - what is it?
80 Super Security Tips

Happy surfing and stay clean!

Good luck..
Fred.. :)
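The Hosts file section of the post above describes the mechanism (the name is looked up in the file before DNS is asked, and bad names are sent to 127.0.0.1) without showing what such a file looks like or the check that goes with it: the same mechanism lets malware send antivirus update sites to an address of the attacker's choosing, so after a clean-up the hosts file is worth auditing, not just replacing. As an added example that is not from the thread or from any of the lists it links, the Python script below parses a hosts file in the format those lists use (comments, tabs, several names per line), answers whether a name is sinkholed, and lists entries that point at a routable address, which a blocklist never does. The sample file is constructed; the hostnames and the 203.0.113.7 address are documentation values, not real sites. The Windows XP path used when the file exists is the platform's known default, not something the thread states.

```python
import ipaddress
from pathlib import Path

# Constructed sample in the format the hosts lists above use (not a real list). The last
# line is the kind of entry malware plants, not something a blocklist would contain.
SAMPLE_HOSTS = """\
# Blocklist section
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net        # some lists sink to 0.0.0.0 instead of loopback
127.0.0.1 spyware-site.example tracker.example
127.0.0.1\tbad.example.org
203.0.113.7 update.antivirus-vendor.example
"""

# Addresses a blocklist legitimately points names at.
SINK_ADDRESSES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}
# Names that map to loopback by design rather than because they are blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Default hosts file location on Windows XP, the platform in this thread (assumed, not from the thread).
XP_HOSTS_PATH = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")


def parse_hosts(text):
    """Return (hostname, ip) pairs; strips comments and handles tabs and several names per line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address; skip the malformed line
        for name in fields[1:]:
            entries.append((name.lower(), ip))
    return entries


def is_blocked(entries, hostname):
    """True if the hosts file sinks hostname to a loopback or unspecified address."""
    hostname = hostname.lower()
    if hostname in LOCAL_NAMES:
        return False
    return any(name == hostname and ip in SINK_ADDRESSES for name, ip in entries)


def hijacked_entries(entries):
    """Entries that send a name to a routable address. A blocklist never does this,
    so on a freshly cleaned machine these are the lines to look at first."""
    return [(name, str(ip)) for name, ip in entries if ip not in SINK_ADDRESSES]


if __name__ == "__main__":
    text = XP_HOSTS_PATH.read_text(errors="replace") if XP_HOSTS_PATH.exists() else SAMPLE_HOSTS
    entries = parse_hosts(text)
    sinkholed = sum(ip in SINK_ADDRESSES for _, ip in entries)
    print(f"{len(entries)} entries, {sinkholed} sinkholed")
    for name, ip in hijacked_entries(entries):
        print(f"suspicious: {name} -> {ip}")
```

Lookups are case-insensitive because hostnames are; the localhost exclusion keeps the loopback line every hosts file carries from being reported as a "block".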

#20 Fred Flintstone (Group: Malware Experts)

Posted 27 August 2009 - 11:43 PM

Since this issue appears to be resolved, this Topic is now closed. Should you need this thread reopened, please PM me or another Staff member, including the address of this thread and we will reopen it for you. :)
