mjgreenley
How do I find what is causing my pop-ups?
I am fixing a friend of mine's mother's computer. I have already cleaned it pretty well and have got rid of a bunch of viruses, but she still has a lot of pop-ups that I can't get rid of, even using pop-up blockers. Also, Norton tells me that the machine is still infected with viruses... but does not give me any other information other than telling me that it's infected (no virus names or descriptions). I've already run Smitfraud and HijackThis. Here is the current HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:54, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMNET~1\SNDWarn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 4870 bytes
Any help is greatly appreciated. Thanks!!!
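An added example, not code from the thread or from HijackThis: a Python script that reads log lines in the format posted above and does the cross-check an analyst does by hand, matching each running process to the O4 Run key or O23 service that launches it and listing the entries that need a manual look before anything is "fixed". The sample log is abridged from the one posted here; the core-process allowlist and the finding categories are my own assumptions.

```python
"""Triage a HijackThis v2.0.2 log the way an analyst reads it.

Added example, not code from the thread. It structures the R*/O* entries and
cross-checks "Running processes" against the autostart entries (O4 Run keys,
O23 services): the "what is launching this?" question the thread is asking.
"""
import re
from collections import Counter

# Constructed sample: abridged from the log posted in the question, with the
# forum's mid-word line breaks repaired.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O3 - Toolbar: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/stg_drm.ocx
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# A drive-letter path ending in an executable or library; surrounding quotes optional.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|sys))"?', re.I)
URL_RE = re.compile(r"(?:file|https?)://\S+", re.I)
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<publisher>.+?) - ")
# Assumed allowlist: Windows components that run with no Run key or service entry.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}


def parse_log(text):
    """Split a log into (running process paths, list of R*/O* entry dicts)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            body = m.group("body")
            entries.append({"kind": m.group("kind"), "body": body,
                            "paths": [p.lower() for p in PATH_RE.findall(body)]})
        elif in_procs:
            processes.append(line.lower())
    return processes, entries


def triage(text):
    """Return (category, detail) findings for an analyst to review by hand."""
    processes, entries = parse_log(text)
    findings = []
    # 1. A running process should be explained by a Run key, a service, the core
    #    set, or the user starting it; the rest (two iexplore.exe here) is the lead.
    autostart = {p for e in entries if e["kind"] in ("O4", "O23") for p in e["paths"]}
    for path, count in Counter(processes).items():
        name = path.rsplit("\\", 1)[-1]
        if path not in autostart and name not in CORE_PROCESSES:
            findings.append(("unexplained_process", f"{name} x{count} ({path})"))
    for e in entries:
        kind, body, paths = e["kind"], e["body"], e["paths"]
        # 2. A Run entry with no drive letter is resolved through the search
        #    path, so the log alone cannot say which file actually runs.
        if kind == "O4" and not paths:
            findings.append(("unqualified_run_entry", body))
        # 3. 8.3 short names (PROGRA~1) hide the real folder name; expand first.
        for p in paths:
            if "~" in p:
                findings.append(("short_path", p))
        # 4. Downloaded Program Files (ActiveX) are listed with their origin.
        if kind == "O16":
            url = URL_RE.search(body)
            findings.append(("downloaded_activex", url.group(0) if url else body))
        # 5. Non-Microsoft services: surface the publisher so it can be judged.
        if kind == "O23":
            m = SERVICE_RE.match(body)
            if m and "microsoft" not in m.group("publisher").lower():
                findings.append(("third_party_service",
                                 f'{m.group("name")} [{m.group("publisher")}]'))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```

Run it on a full log and the unexplained-process list is where to start: every line there is either something the user opened or something with a launcher the log does not show.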
ASKER
Thanks for the help so far everyone!
Here is the ComboFix log; and I will post the new Hijackthis log below as well. Thanks:
ComboFix 08-06-12.2 - Barbara Watson 2008-06-14 1:50:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1569 [GMT -3:00]
Running from: C:\Documents and Settings\Barbara Watson\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\GamesBar\oberontb.dll
C:\Program Files\WinAntivirusPro3.8
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c00D3B6C.exe
C:\WINDOWS\system32\__c00DB09A.exe
C:\WINDOWS\system32\akhuhjrf.dll
C:\WINDOWS\system32\awoerkuo.dll
C:\WINDOWS\system32\bjmuvvok.ini
C:\WINDOWS\system32\cboyvfni.dll
C:\WINDOWS\system32\csyepimh.ini
C:\WINDOWS\system32\dbkeugau.dll
C:\WINDOWS\system32\fijeubis.ini
C:\WINDOWS\system32\frjhuhka.ini
C:\WINDOWS\system32\gqwgpers.ini
C:\WINDOWS\system32\klbbsqyi.dll
C:\WINDOWS\system32\lnponnnn.ini
C:\WINDOWS\system32\lnponnnn.ini2
C:\WINDOWS\system32\mxggibem.dll
C:\WINDOWS\system32\nnnnopnl.dll
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\pllaujoi.dll
C:\WINDOWS\system32\qahwkljs.dll
C:\WINDOWS\system32\qiebdvej.ini
C:\WINDOWS\system32\qqpdvvgo.ini
C:\WINDOWS\system32\ssmoskdl.ini
C:\WINDOWS\system32\tbhyrdct.dll
C:\WINDOWS\system32\uaguekbd.ini
C:\WINDOWS\system32\uyqhpgsf.ini
C:\WINDOWS\system32\wcnpepeo.dll
.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.
2008-06-13 00:16 . 2005-06-08 14:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-13 00:16 . 2005-06-08 14:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-06-13 00:16 . 2005-06-08 14:06 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-06-13 00:16 . 2008-06-13 00:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-13 00:04 . 2008-06-13 00:19 922 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-12 23:01 . 2008-06-12 23:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-10 19:48 . 2008-06-10 19:48 <DIR> d-------- C:\Documents and Settings\Barbara Watson\Application Data\Uniblue
2008-06-10 19:47 . 2008-06-10 19:47 <DIR> d-------- C:\Program Files\Uniblue
2008-06-04 23:04 . 2008-06-04 23:04 <DIR> d-------- C:\Program Files\SymNetDrv
2008-06-04 22:53 . 2008-06-04 22:56 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-06-04 22:52 . 2003-08-15 18:22 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-04 22:52 . 2003-08-15 18:22 82,136 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-04 22:51 . 2008-06-04 22:55 <DIR> d-------- C:\Program Files\Symantec
2008-06-04 22:30 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2008-06-04 22:30 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\system32\COMCT332.OCX
2008-06-04 22:30 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2008-06-04 22:30 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2008-06-04 22:30 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-06-04 22:30 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-06-04 22:30 . 2001-08-22 08:42 13,632 --a------ C:\WINDOWS\system32\drivers\omci.sys
2008-06-04 22:30 . 1998-09-24 12:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-06-04 02:26 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-04 02:26 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-04 02:25 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-04 02:25 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-04 02:25 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-06-04 02:25 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-05-31 22:00 . 2008-05-31 22:04 <DIR> d-------- C:\Documents and Settings\Barbara Watson\Application Data\EGAMESTOOLBAR
2008-05-31 21:30 . 2008-06-04 22:29 <DIR> d-------- C:\Program Files\LiveAntispy
2008-05-29 16:21 . 2008-05-29 16:21 0 --a--c--- C:\4A.tmp
2008-05-29 16:20 . 2008-05-29 16:20 0 --a--c--- C:\49.tmp
2008-05-29 16:20 . 2008-05-29 16:20 0 --a--c--- C:\48.tmp
2008-05-29 16:20 . 2008-05-29 16:20 0 --a--c--- C:\47.tmp
2008-05-29 08:34 . 2008-05-29 20:28 34,037 --ahs---- C:\WINDOWS\system32\sxgoixed.ini
2008-05-28 08:29 . 2008-05-29 08:29 33,805 --ahs---- C:\WINDOWS\system32\cnyhmhbc.ini
2008-05-24 19:18 . 2008-05-24 19:18 <DIR> d-------- C:\Documents and Settings\Barbara Watson\Application Data\Sudden Games
2008-05-18 11:20 . 2008-05-18 11:20 <DIR> d-------- C:\Documents and Settings\Barbara Watson\Application Data\EleFun Games
2008-05-17 19:27 . 2008-05-17 19:27 1,409 --a------ C:\WINDOWS\system32\tmpE6BFA.FOT
2008-05-17 19:27 . 2008-05-17 19:27 1,409 --a------ C:\WINDOWS\system32\tmp9A9FA.FOT
2008-05-17 19:27 . 2008-05-17 19:27 1,409 --a------ C:\WINDOWS\system32\tmp48AFA.FOT
2008-05-17 19:27 . 2008-05-17 19:27 1,409 --a------ C:\WINDOWS\system32\tmp1EAFA.FOT
2008-05-16 22:48 . 2008-05-16 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Astar Games
2008-05-16 22:45 . 2008-05-16 22:45 <DIR> d-------- C:\Program Files\Laura Jones and the Gates of Good and Evil
2008-05-15 11:38 . 2008-05-31 22:03 <DIR> d-------- C:\Program Files\egamestoolbar
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 04:50 --------- d-----w C:\Program Files\GamesBar
2008-06-14 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\GamesBar
2008-06-13 01:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-05 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-05 01:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 21:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 11:22 --------- d-----w C:\Program Files\iWin.com
2008-05-31 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-05-31 21:18 --------- d-----w C:\Program Files\Google
2008-05-23 14:41 --------- d-----w C:\Program Files\Chill
2008-05-18 01:47 --------- d-----w C:\Program Files\Games
2008-05-18 01:44 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\SpinTop
2008-05-18 01:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop
2008-05-18 01:42 --------- d-----w C:\Program Files\GameHouse
2008-05-18 01:42 --------- d-----w C:\Program Files\AOL Games
2008-05-17 11:42 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\PlayFirst
2008-05-17 11:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-14 21:29 --------- d-----w C:\Program Files\goodsol
2008-05-11 22:16 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\GameHouse
2008-05-10 17:47 --------- d-----w C:\Program Files\Mystery Solitaire
2008-05-10 11:46 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\Gaijin Ent
2008-05-06 13:02 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\Oberon Media
2008-05-06 13:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Oberon Media
2008-05-03 23:42 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\StoneLoopsIW
2008-05-03 13:21 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\Big Fish Games
2008-05-03 12:55 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\Legends of pirates
2008-05-03 12:20 --------- d-----w C:\Program Files\Pirateville
2008-05-03 00:57 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\Valusoft
2008-05-03 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Valusoft
2008-05-02 14:09 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\GamesCafe
2008-04-28 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\EscapeTheMuseum
2008-04-27 00:33 --------- d-----w C:\Program Files\Little Shop of Treasures 2
2008-04-26 01:40 --------- d-----w C:\Program Files\Natalie Brooks Secrets Of Treasure House
2008-04-25 23:56 --------- d-----w C:\Program Files\The Hidden Object Show
2008-04-25 23:47 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\Talkback
2008-04-22 19:52 --------- d-----w C:\Program Files\Jigsaw Adorable Animals 2
2008-04-22 19:47 --------- d-----w C:\Program Files\Jigsaw Beach Holiday
2008-04-22 11:13 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\Friday's games
2008-04-20 02:16 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\Yatec Games
2008-04-19 00:37 --------- d-----w C:\Program Files\Mystery P.I. - The Vegas Heist
2008-04-19 00:17 --------- d-----w C:\Program Files\Big City Adventure
2008-04-18 14:31 --------- d-----w C:\Program Files\Travelogue 360 - Paris
2008-04-14 19:20 --------- d-----w C:\Documents and Settings\Barbara Watson\Application Data\Magic Academy
2008-04-14 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\NeptunesAdve
2008-04-14 16:12 --------- d-----w C:\Program Files\Mahjong Escape - Ancient China
2008-04-14 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\JollyBear
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-08-16 11:00 26,578,096 ----a-w C:\Program Files\avg75free_484a1100.exe
2007-05-25 00:02 532,480 ----a-w C:\Program Files\cwshredder.exe
2007-05-25 00:01 1,308,216 ----a-w C:\Program Files\HiJackThis_v2.exe
2005-12-23 20:20 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
(((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E}]
2008-05-31 22:03 1947136 --a------ C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
2008-03-05 09:48 78848 --a------ C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E}"= "C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL" [2008-05-31 22:03 1947136]
[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-85b2-bc27fe9aae2e}]
[HKEY_CLASSES_ROOT\egamestoolbar.EGAMESTOOLBAR]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E}"= C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL [2008-05-31 22:03 1947136]
[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-85b2-bc27fe9aae2e}]
[HKEY_CLASSES_ROOT\egamestoolbar.EGAMESTOOLBAR]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52 218232]
"Uniblue SpeedUpMyPC"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 11:47 71328]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-10-22 09:42 70840]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqRHabC]
urqRHabC.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00DB5A]
C:\WINDOWS\system32\__c00DB5A.dat
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Barbara Watson^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=C:\Documents and Settings\Barbara Watson\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=C:\WINDOWS\pss\iWin Desktop Alerts.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Barbara Watson^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Barbara Watson\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Barbara Watson^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Barbara Watson\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9c9a94d5]
C:\WINDOWS\system32\akhuhjrf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F190298F1.exe]
C:\DOCUME~1\BARBAR~1\LOCALS~1\Temp\_A00F190298F1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 09:51 306688 C:\Program Files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
--a------ 2003-05-22 01:37 229437 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-01-27 03:02 86016 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcNotifier]
--a------ 2008-01-25 14:03 176128 C:\Documents and Settings\Barbara Watson\Local Settings\Application Data\VTShared\GCNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-10-23 19:51 233472 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-06-25 11:24 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-09-01 08:42 176128 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 10:36 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 10:35 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
C:\DOCUME~1\BARBAR~1\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 18:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magentic]
C:\PROGRA~1\Magentic\bin\Magentic.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-03-15 09:58 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2005-03-15 09:58 135168 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminder Flash]
--a------ 2004-11-11 12:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-06-08 14:12 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlipStream]
C:\Program Files\SlipStream Web Accelerator\slipcore.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 21:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TimeSink Ad Client]
C:\Program Files\TimeSink\AdGateway\TsAdBot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherDPA]
C:\Program Files\Zango\bin\10.1.181.0\Weather.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntivirusPro]
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-01-10 13:41 223984 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]
C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]
C:\Program Files\Zango\bin\10.1.181.0\ZangoSA.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\Symantec AntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\Symantec Firewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2004-02-11 17:27]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 02:03:45 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
"2008-06-12 12:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
"2008-06-14 05:02:11 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-06-10 22:48:08 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-06-10 22:48:06 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 01:57:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVSCAN.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-14 2:10:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-14 05:10:14
Pre-Run: 18,567,376,896 bytes free
Post-Run: 19,574,243,328 bytes free
313 --- E O F --- 2008-06-14 05:10:11
HIJACK THIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:14:41, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMNET~1\SNDWarn.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\7215cdd2a5992ff3eb59bc846f07eb4e\update\update.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: (no name) - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O20 - Winlogon Notify: urqRHabC - urqRHabC.dll (file missing)
O20 - Winlogon Notify: __c00DB5A - C:\WINDOWS\system32\__c00DB5A.dat (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 5069 bytes
Here is the ComboFix log; and I will post the new Hijackthis log below as well. Thanks:
Oh ya...you have some infections for sure.
Egames, iwin, winantivirus, etc etc....you may try scanning with other programs as well.
As stated in my comments....one program does not take care of everything.
Try some of the programs I suggested...if you need help finding them let me know...
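The reply above names the unwanted programs (eGames, iWin, WinAntivirus), and the HijackThis log posted earlier shows the entry shapes that gave them away: orphaned entries whose target file is gone, Winlogon Notify packages with random names, and toolbar/BHO lines pointing at those products. As an added example, not code from this thread or from HijackThis or ComboFix, here is a small Python triager that applies those three checks to HijackThis-style lines. The marker list and the Winlogon Notify allowlist are assumptions constructed for the example; the sample lines are copied (de-garbled) from the log above.

```python
"""Triage HijackThis v2 log lines for the entry shapes that mattered in this
thread: orphaned entries, non-stock Winlogon Notify DLLs, and toolbars or
rogue AV products named by the responders. Added example, not thread code."""
import re
from dataclasses import dataclass, field

# A HijackThis entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# Substrings of the unwanted software named in the replies (eGames, iWin,
# WinAntivirus) and of folders ComboFix reported (Zango, GamesBar, MyWebSearch).
# Constructed for this example; not an authoritative signature list.
ADWARE_MARKERS = ("egames", "iwin", "winantivirus", "zango", "gamesbar", "mywebs")

# Winlogon Notify packages a stock XP SP2 install registers (assumed allowlist).
# Anything else under O20 deserves a look: winlogon.exe loads these DLLs as SYSTEM.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon", "igfxcui"}


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def triage(log_lines):
    """Return one Finding per entry a human should review, in log order."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, "Running processes:" block or blank line
        section, body = m.group("section"), m.group("body")
        low = body.lower()
        reasons = []
        # 1. The registry still points at a file that is gone: leftover of a
        #    removed component, or of one that hides by deleting itself.
        if "(file missing)" in low or "(no file)" in low:
            reasons.append("target file missing (orphaned entry)")
        # 2. Winlogon Notify packages outside the stock set.
        if section == "O20" and low.startswith("winlogon notify:"):
            name = low.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name not in KNOWN_NOTIFY:
                reasons.append(f"non-default Winlogon Notify package '{name}'")
        # 3. Known unwanted-software names anywhere in the entry.
        hits = [mk for mk in ADWARE_MARKERS if mk in low]
        if hits:
            reasons.append("matches unwanted-software marker(s): " + ", ".join(hits))
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


# Lines copied from the HijackThis log posted above (de-garbled), plus two
# non-entry lines to show that headers and process paths are skipped.
SAMPLE_LOG = [
    "Logfile of Trend Micro HijackThis v2.0.2",
    r"C:\WINDOWS\System32\smss.exe",
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O2 - BHO: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL",
    r"O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL",
    "O3 - Toolbar: (no name) - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - (no file)",
    r"O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    "O20 - Winlogon Notify: urqRHabC - urqRHabC.dll (file missing)",
    r"O20 - Winlogon Notify: __c00DB5A - C:\WINDOWS\system32\__c00DB5A.dat (file missing)",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}\n    -> " + "; ".join(f.reasons))
```

Run against the sample it flags five of the nine entries (the two toolbar/BHO lines, the nameless toolbar with no file, and both Winlogon Notify entries) and leaves the Yahoo, Norton and Symantec lines alone. The Winlogon Notify check is the one worth keeping even after the adware names go stale: a DLL registered there runs inside winlogon.exe, so a random eight-character name with a missing file is exactly the kind of leftover the ComboFix run above had to clean out.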
ASKER
Yeah, this is actually my friend's mother's computer. She's not too savvy when it comes to knowing what's legit vs. what's not. I will definitely try running some of those other programs, Wakeup, as well as the ComboFix txt file from you, rpggamergirl, and let you know what happens. Thanks again for all of this help, I really appreciate it! I'll get back to ya's.
ASKER
Thanks for all of your help everyone! I've been sick, so sorry for the delay in communication. Your collaborative inputs cleared up all of my issues. I really appreciate it! And the owner is very happy!
ASKER
Thanks again for all of your help! I tried to be as fair as possible with the points. Since rpggamergirl's solutions cleared up the majority of the problems, I gave her more points. Thanks!
Hey not a problem here! RPGGamergirl is amazing at this stuff no doubt!
I know she has different methods as I do, but it's all good!
mjgreenley,
Hope you're feeling 100% recovered now.
Glad to know that her PC issues have been resolved.
You can then uninstall ComboFix, please.
Go to Start > Run and copy and paste the next command into the field:
ComboFix /u
Thanks!
------------
WakeUp,
Thanks for the kind words.
It's good to have different approaches available for the Askers; in the end, it's the teamwork/collaborative input that really counts.
Amen! I hold nothing against anyone! No reason to...this is the internet! I know your methods differ from my methods and I know your methods work! So ain't no complaints here! :)
ASKER