Messages - viejo1221

1
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 02, 2009, 06:33:52 AM »
Thanks for all your help, guestolo! Really appreciate it and will be making a donation. Thanks, happy new year.

2
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 01, 2009, 11:34:54 PM »
At one point, one of the bad files I saw referenced something about SightSpeed, which is something that was installed when they got a webcam, but is not needed.  Should I go ahead and remove that?

3
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 01, 2009, 11:19:38 PM »
Excellent!

4
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 01, 2009, 11:17:07 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:48 PM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0270Mon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0270Mon.exe] C:\WINDOWS\V0270Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.Email Removed.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169088687625
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE05334-D18B-49FE-9B39-E23C686A2C09}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6607 bytes

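The HijackThis log above is the kind of thing a helper reads line by line: O4 Run keys, the O17 NameServer entry, O23 services. The following script is an added triage example, not part of the original post and not a HijackThis feature. It parses lines in that format and flags three things visible in this thread: any remaining reference to a TDSS component (named like the TDSSxxxx.sys/.dll/.dat/.log files in the OTScanIt2 and ComboFix logs), O4 entries that start a bare file name such as CTHELPER.EXE (resolved through the search path, so the log alone does not say which file runs), and O17 DNS resolvers outside an expected set. The expected-resolver set, the sample log, the second O17 line with a 192.0.2.53 resolver and the TDSSserv.sys O23 line are all constructed for the example; the remaining sample lines are copied from the log above.

```python
"""Triage helper for Trend Micro HijackThis v2 log lines (added example)."""
import re
from typing import List, NamedTuple, Set


class Finding(NamedTuple):
    severity: str   # "high" = act on it; "review" = confirm with the machine's owner
    section: str    # HijackThis section tag: O4, O17, O23, ...
    reason: str
    line: str


# File-name pattern of the TDSS rootkit components listed in the OTScanIt2 and
# ComboFix logs in this thread: "TDSS" + four lowercase letters + extension.
TDSS_FILE = re.compile(r"TDSS[a-z]{4}\.(?:sys|dll|dat|log)\b", re.IGNORECASE)
# O4 - <hive>\..\Run: [<name>] <command>
O4_ENTRY = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O17 - HKLM\System\CCS\Services\Tcpip\..\{guid}: NameServer = a.b.c.d,e.f.g.h
O17_ENTRY = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")

# Assumption: resolvers the owner is known to use (the two Level 3 servers from
# the log above). Any other resolver in an O17 line is surfaced as high.
EXPECTED_RESOLVERS: Set[str] = {"4.2.2.1", "4.2.2.2"}

# Constructed sample log. The O4, first O17 and Avira O23 lines are from the
# thread; the 192.0.2.53 O17 line and the TDSSserv.sys O23 line are made up to
# exercise the checks.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE05334-D18B-49FE-9B39-E23C686A2C09}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: TDSSserv.sys (TDSSserv.sys) - Unknown owner - C:\WINDOWS\system32\drivers\TDSSypjq.sys
"""


def command_image(cmd: str) -> str:
    """Executable part of a Run-key command: strips quotes and trailing switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first executable extension.
    m = re.match(r"(?i)^(.*?\.(?:exe|com|scr|cpl|dll|sys))", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text: str, expected_resolvers: Set[str] = EXPECTED_RESOLVERS) -> List[Finding]:
    """Return findings for the HijackThis lines that deserve a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]

        # Any section still naming a TDSS component means the cleanup is not done.
        if TDSS_FILE.search(line):
            findings.append(Finding("high", tag, "references a TDSS rootkit file", line))
            continue

        m = O4_ENTRY.match(line)
        if m:
            image = command_image(m.group("cmd"))
            if "\\" not in image:
                findings.append(Finding("review", "O4",
                    f"Run entry '{m.group('name')}' uses bare name {image!r}; "
                    "resolved via the search path, so verify which file runs", line))
            continue

        m = O17_ENTRY.match(line)
        if m:
            unexpected = set(m.group("servers").split(",")) - expected_resolvers
            if unexpected:
                findings.append(Finding("high", "O17",
                    f"DNS resolver(s) not in expected set: {sorted(unexpected)}", line))
            continue

        # O23 - Service: <display> - <company> - <path>; the display name may
        # itself contain " - ", so split from the right.
        if line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1].lower() == "unknown owner":
                findings.append(Finding("review", "O23",
                    f"service '{parts[0]}' has no publisher: {parts[2]}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

The O23 branch never sees the constructed TDSSserv.sys line because the TDSS file check fires first; that ordering is deliberate, since a known rootkit artifact outranks a missing publisher string.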
5
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 01, 2009, 11:08:32 PM »
Process Explorer.EXE killed successfully!
[Custom Items]
========== FILES ==========
File/Folder c:\windows\system32\drivers\TDSSypjq.sys not found.
File/Folder c:\windows\system32\TDSSkbnv.dll not found.
File/Folder c:\windows\system32\TDSSwryg.dat not found.
File/Folder c:\windows\system32\TDSScrrn.dll not found.
File/Folder c:\windows\system32\TDSSbvqi.dll not found.
File/Folder c:\windows\system32\TDSSvoxr.dll not found.
File/Folder c:\windows\system32\TDSSvouw.dll not found.
File/Folder c:\windows\system32\TDSSnmxh.log not found.
File/Folder c:\windows\system32\TDSSushc.dll not found.
File/Folder c:\windows\system32\TDSShhrl.log not found.
File/Folder c:\windows\system32\TDSSgqrr.log not found.
File/Folder c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\ deleted successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\temp\etilqs_WsMIltWFUbiIEhPsS7DV scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.4.2 fix logfile created on 01012009_220455

Files moved on Reboot...
File C:\Documents and Settings\RAFAEL\Local Settings\temp\etilqs_WsMIltWFUbiIEhPsS7DV not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\RAFAEL\Local Settings\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...

6
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 01, 2009, 10:23:24 PM »
Should I turn on Windows Firewall? Do I need to do anything with bad files that were put in Quarantine?

Here are your requests:

Avira AntiVir Personal
Report file date: Thursday, January 01, 2009  20:34

Scanning for 1140430 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 3)  [5.1.2600]
Boot mode:        Normally booted
Username:         SYSTEM
Computer name:    RAFAEL-0F450D52

Version information:
BUILD.DAT     : 8.2.0.337      16934 Bytes  11/18/2008 13:05:00
AVSCAN.EXE    : 8.1.4.10      315649 Bytes  11/18/2008 15:21:26
AVSCAN.DLL    : 8.1.4.0        40705 Bytes   5/26/2008 14:56:40
LUKE.DLL      : 8.1.4.5       164097 Bytes   6/12/2008 19:44:19
LUKERES.DLL   : 8.1.4.0        12033 Bytes   5/26/2008 14:58:52
ANTIVIR0.VDF  : 7.1.0.0     15603712 Bytes  10/27/2008 18:30:36
ANTIVIR1.VDF  : 7.1.1.33     1705984 Bytes  12/24/2008 02:33:38
ANTIVIR2.VDF  : 7.1.1.34        2048 Bytes  12/24/2008 02:33:38
ANTIVIR3.VDF  : 7.1.1.58      296448 Bytes    1/1/2009 02:33:40
Engineversion : 8.2.0.45  
AEVDF.DLL     : 8.1.0.6       102772 Bytes  10/14/2008 17:05:56
AESCRIPT.DLL  : 8.1.1.19      336252 Bytes    1/2/2009 02:33:45
AESCN.DLL     : 8.1.1.5       123251 Bytes   11/7/2008 22:06:41
AERDL.DLL     : 8.1.1.3       438645 Bytes   11/4/2008 20:58:38
AEPACK.DLL    : 8.1.3.4       393591 Bytes  11/11/2008 16:41:39
AEOFFICE.DLL  : 8.1.0.33      196987 Bytes    1/2/2009 02:33:44
AEHEUR.DLL    : 8.1.0.75     1524087 Bytes    1/2/2009 02:33:44
AEHELP.DLL    : 8.1.2.0       119159 Bytes    1/2/2009 02:33:42
AEGEN.DLL     : 8.1.1.8       323956 Bytes    1/2/2009 02:33:41
AEEMU.DLL     : 8.1.0.9       393588 Bytes  10/14/2008 17:05:56
AECORE.DLL    : 8.1.5.2       172405 Bytes    1/2/2009 02:33:40
AEBB.DLL      : 8.1.0.3        53618 Bytes  10/14/2008 17:05:56
AVWINLL.DLL   : 1.0.0.12       15105 Bytes    7/9/2008 15:40:05
AVPREF.DLL    : 8.0.2.0        38657 Bytes   5/16/2008 16:28:01
AVREP.DLL     : 8.0.0.2        98344 Bytes   7/31/2008 19:02:15
AVREG.DLL     : 8.0.0.1        33537 Bytes    5/9/2008 18:26:40
AVARKT.DLL    : 1.0.0.23      307457 Bytes   2/12/2008 15:29:23
AVEVTLOG.DLL  : 8.0.0.16      119041 Bytes   6/12/2008 19:27:49
SQLITE3.DLL   : 3.3.17.1      339968 Bytes   1/23/2008 00:28:02
SMTPLIB.DLL   : 1.2.0.23       28929 Bytes   6/12/2008 19:49:40
NETNT.DLL     : 8.0.0.1         7937 Bytes   1/25/2008 19:05:10
RCIMAGE.DLL   : 8.0.0.51     2371841 Bytes   6/12/2008 20:48:07
RCTEXT.DLL    : 8.0.52.0       86273 Bytes   6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, G:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, January 01, 2009  20:34

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'V0270Mon.exe' - '1' Module(s) have been scanned
Scan process 'StartFX.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'CTSysVol.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
36 processes with 36 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!
Master boot sector HD1
    [INFO]      No virus was found!
Master boot sector HD2
    [INFO]      No virus was found!
    [WARNING]   System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!
Boot sector 'G:\'
    [INFO]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '56' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
    [WARNING]   The file could not be opened!
C:\Qoobox\Quarantine\C\Documents and Settings\RAFAEL\Application Data\gadcom\gadcom.exe.vir
    [DETECTION] Is the TR/Agent.axoc Trojan
    [NOTE]      The file was moved to '49c180fb.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\RAFAEL\Application Data\SpeedRunner\SpeedRunner.exe.vir
    [DETECTION] Is the TR/Trash.Gen Trojan
    [NOTE]      The file was moved to '49c28114.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\RAFAEL\Application Data\SpeedRunner\SRUninstall.exe.vir
    [DETECTION] Is the TR/Dldr.Agent.aldb Trojan
    [NOTE]      The file was moved to '49b280f6.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\RAFAEL\Application Data\SpeedRunner\_SpeedRunner_.exe.zip
    • Archive type: ZIP
    --> SpeedRunner.exe
      [DETECTION] Is the TR/Dldr.Agent.alda Trojan
    [NOTE]      The file was moved to '49cd80f7.qua'!
C:\Qoobox\Quarantine\C\Program Files\GetModule\GetModule32.exe.vir
    [DETECTION] Is the TR/Click.MRV Trojan
    [NOTE]      The file was moved to '49d1810a.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\wpv401229907443.cpx.vir
    • Archive type: NSIS
    --> ProgramFilesDir/GetModule32.exe
      [DETECTION] Is the TR/Click.MRV Trojan
    [NOTE]      The file was moved to '49d38116.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000547.exe
    [DETECTION] Is the TR/Click.MRV Trojan
    [NOTE]      The file was moved to '498d80e4.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000558.exe
    [DETECTION] Is the TR/Agent.axoc Trojan
    [NOTE]      The file was moved to '480f6e9d.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000560.exe
    [DETECTION] Is the TR/Dldr.Agent.aldb Trojan
    [NOTE]      The file was moved to '498d80e5.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000571.exe
    [DETECTION] Is the TR/Trash.Gen Trojan
    [NOTE]      The file was moved to '480f6e9e.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000637.exe
    [DETECTION] Is the TR/Trash.Gen Trojan
    [NOTE]      The file was moved to '498d80e8.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000638.dll
    [DETECTION] Is the TR/Trash.Gen Trojan
    [NOTE]      The file was moved to '480f6e91.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000639.dll
    [DETECTION] Is the TR/Trash.Gen Trojan
    [NOTE]      The file was moved to '498d80e9.qua'!
C:\System Volume Information\_restore{0D5FFE30-F6A9-45FB-A57F-4807E2FBC049}\RP2\A0000640.dll
    [DETECTION] Is the TR/Trash.Gen Trojan
    [NOTE]      The file was moved to '480f6e92.qua'!
Begin scan in 'G:\' <My Book>


End of the scan: Thursday, January 01, 2009  21:05
Used time: 30:45 Minute(s)

The scan has been done completely.

  11893 Scanning directories
 260207 Files were scanned
     14 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
     14 files were moved to quarantine
      0 files were renamed
      1 Files cannot be scanned
 260192 Files not concerned
   1192 Archives were scanned
      2 Warnings
     14 Notes


ComboFix 08-12-31.01 - RAFAEL 2009-01-01 20:25:12.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.621 [GMT -6:00]
Running from: c:\documents and settings\RAFAEL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RAFAEL\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
c:\windows\system32\drivers\TDSSypjq.sys
c:\windows\system32\TDSSbvqi.dll
c:\windows\system32\TDSScrrn.dll
c:\windows\system32\TDSSgqrr.log
c:\windows\system32\TDSShhrl.log
c:\windows\system32\TDSSkbnv.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSushc.dll
c:\windows\system32\TDSSvouw.dll
c:\windows\system32\TDSSvoxr.dll
c:\windows\system32\TDSSwryg.dat
.

(((((((((((((((((((((((((   Files Created from 2008-12-02 to 2009-01-02  )))))))))))))))))))))))))))))))
.

2008-12-31 09:52 . 2008-12-31 09:52   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-12-31 09:52 . 2008-12-31 09:52   <DIR>   d--------   c:\documents and settings\RAFAEL\Application Data\Malwarebytes
2008-12-31 09:52 . 2008-12-31 09:52   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 09:52 . 2008-12-03 19:59   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 09:52 . 2008-12-03 19:59   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-12-30 20:20 . 2008-12-30 20:20   726,008   --a------   c:\documents and settings\RAFAEL\gotomypc_437.exe
2008-12-30 12:23 . 2008-12-30 12:23   <DIR>   d--------   c:\program files\Trend Micro
2008-12-17 21:20 . 2008-12-17 21:20   <DIR>   d--------   c:\program files\UltraISO
2008-12-17 21:20 . 2008-12-17 21:20   <DIR>   d--------   c:\program files\Common Files\EZB Systems
2008-12-17 20:27 . 2008-12-17 20:27   23,600   --a------   c:\windows\system32\drivers\TVICHW32.SYS
2008-12-17 20:18 . 2008-12-17 20:18   0   --a------   c:\windows\ativpsrm.bin
2008-12-17 14:38 . 2008-12-17 22:04   522   --a------   C:\GSMRIAutomation.cfg
2008-12-17 05:48 . 2008-12-17 16:27   <DIR>   d--h-----   C:\MRI_PE_TEMP
2008-12-16 03:13 . 2008-12-17 05:48   <DIR>   d--hs----   C:\$RECYCLE.BIN
2008-12-16 02:41 . 2008-12-16 02:41   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Geek Squad

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 02:49   ---------   d-----w   c:\documents and settings\RAFAEL\Application Data\Skype
2009-01-01 00:47   ---------   d-----w   c:\documents and settings\RAFAEL\Application Data\skypePM
2008-12-30 19:02   ---------   d-----w   c:\program files\McAfee.com
2008-12-30 19:02   ---------   d-----w   c:\program files\McAfee
2008-12-30 19:02   ---------   d-----w   c:\documents and settings\All Users\Application Data\McAfee
2008-12-18 02:07   ---------   d-----w   c:\program files\Google
2008-12-18 02:03   ---------   d-----w   c:\documents and settings\All Users\Application Data\Visual Networks
2008-12-18 01:48   ---------   d-----w   c:\program files\Yahoo!
2008-12-18 01:47   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-28 20:37   ---------   d-----w   c:\program files\iTunes
2008-11-28 20:37   ---------   d-----w   c:\program files\iPod
2008-11-28 20:37   ---------   d-----w   c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 20:36   ---------   d-----w   c:\program files\QuickTime
2008-11-28 20:35   ---------   d-----w   c:\program files\Common Files\Apple
2008-11-26 01:28   ---------   d-----w   c:\program files\Common Files\AnswerWorks 4.0
2008-11-23 20:46   ---------   d-----w   c:\documents and settings\LocalService\Application Data\SACore
2008-11-18 01:25   ---------   d-----w   c:\documents and settings\RAFAEL\Application Data\ntr
2008-11-18 00:58   ---------   d-----w   c:\program files\Common Files\Scanner
2008-11-18 00:58   ---------   d-----w   c:\program files\CCleaner
2008-11-15 15:03   36,624   ------w   c:\windows\system32\drivers\pxhelp20.sys
2008-04-01 01:24   32   ----a-w   c:\documents and settings\All Users\Application Data\ezsid.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-12-30_13.11.44.34   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 18:00:09   32,768   --sha-w   c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 20:00:31   32,768   --sha-w   c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 18:00:09   16,384   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 20:00:31   16,384   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 20:00:31   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-17 00:13:38   149,200   ----a-w   c:\windows\system32\FNTCACHE.DAT
+ 2008-12-31 15:40:29   149,200   ----a-w   c:\windows\system32\FNTCACHE.DAT
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-08-16 24576]
"V0270Mon.exe"="c:\windows\V0270Mon.exe" [2006-09-26 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"CTHelper"="CTHELPER.EXE" [2004-03-10 c:\windows\system32\CTHELPER.EXE]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-02-28 16:15 503808 c:\program files\Orb Networks\Orb\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-06 17:37 21898024 c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 VF0270Dev;Live! Cam Optia;c:\windows\system32\DRIVERS\V0270Dev.sys [2008-03-31 225632]
R3 VF0270Vfx;VF0270 Video FX;c:\windows\system32\DRIVERS\V0270VFx.sys [2008-03-31 6912]
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {EDE05334-D18B-49FE-9B39-E23C686A2C09} = 4.2.2.1,4.2.2.2

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\RAFAEL\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.mail.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 20:27:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\*NULL*_   Â|·*NULL*]
@Owner=S-1-5-21-1482476501-1604221776-725345543-1003
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="??\09"
"ReinstallString"="8.162.0.0"
"DeviceInstanceIds"=multi:"c:\\dell\\drivers\\r106409\\driver\\2kxp_inf\\cx_25672.inf\00"

[HKEY_LOCAL_MACHINE\software\SigmaTel\GlobalState]
@Owner=Administrator
@Denied: (Full) (Guests)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (B 1 2 3 4 5) (S-1-5-4)

[HKEY_LOCAL_MACHINE\software\SigmaTel\GlobalState\STSysTray]
@Owner=Administrator
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-01 20:29:12 - machine was rebooted
ComboFix-quarantined-files.txt  2009-01-02 02:29:09
ComboFix2.txt  2009-01-02 00:50:49
ComboFix3.txt  2008-12-30 19:12:08

Pre-Run: 228,020,449,280 bytes free
Post-Run: 228,003,725,312 bytes free

212   --- E O F ---   2008-12-11 11:26:06

7
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 01, 2009, 10:02:39 PM »
I'm still here, just waiting for long Avira scan to finish...

8
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 01, 2009, 09:06:46 PM »
I just rebooted, then I checked IE and Firefox, no sign of Yoog!

9
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 01, 2009, 08:55:42 PM »
Removed RON Tool Glo... from list.

I need free anti-virus.

user.js is a blank file now; the lines I deleted were the only ones in there.

OTScanIt2 log post gave an error; attached.

10
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 01, 2009, 08:31:34 PM »
Or maybe it was this one you wanted:
http://www.virustotal.com/analisis/debbb50...e9b7623213f650d

Should I still be without AntiVirus while we're doing this or should I download one?

11
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 01, 2009, 08:27:54 PM »
I did delete the lines in the hidden folders.  Here's the link for the other request...
http://www.virustotal.com/reanalisis.html?...829662f5629327a

12
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: January 01, 2009, 08:06:22 PM »
Happy New Year.  Thanks for your help guestolo.  Here's what you asked for...

ComboFix 08-12-31.01 - RAFAEL 2009-01-01 18:46:34.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.616 [GMT -6:00]
Running from: c:\documents and settings\RAFAEL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RAFAEL\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll
c:\windows\system32\kfoirmjtzvrq.exe
c:\windows\Tasks\mvlzkmnr.job
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\kfoirmjtzvrq.exe
c:\windows\Tasks\mvlzkmnr.job

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KWWALPGR
-------\Service_kwwalpgr


(((((((((((((((((((((((((   Files Created from 2008-12-02 to 2009-01-02  )))))))))))))))))))))))))))))))
.

2008-12-31 09:52 . 2008-12-31 09:52    <DIR>    d--------    c:\program files\Malwarebytes' Anti-Malware
2008-12-31 09:52 . 2008-12-31 09:52    <DIR>    d--------    c:\documents and settings\RAFAEL\Application Data\Malwarebytes
2008-12-31 09:52 . 2008-12-31 09:52    <DIR>    d--------    c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 09:52 . 2008-12-03 19:59    38,496    --a------    c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 09:52 . 2008-12-03 19:59    15,504    --a------    c:\windows\system32\drivers\mbam.sys
2008-12-30 20:20 . 2008-12-30 20:20    726,008    --a------    c:\documents and settings\RAFAEL\gotomypc_437.exe
2008-12-30 12:23 . 2008-12-30 12:23    <DIR>    d--------    c:\program files\Trend Micro
2008-12-17 21:20 . 2008-12-17 21:20    <DIR>    d--------    c:\program files\UltraISO
2008-12-17 21:20 . 2008-12-17 21:20    <DIR>    d--------    c:\program files\Common Files\EZB Systems
2008-12-17 20:27 . 2008-12-17 20:27    23,600    --a------    c:\windows\system32\drivers\TVICHW32.SYS
2008-12-17 20:18 . 2008-12-17 20:18    0    --a------    c:\windows\ativpsrm.bin
2008-12-17 14:38 . 2008-12-17 22:04    522    --a------    C:\GSMRIAutomation.cfg
2008-12-17 05:48 . 2008-12-17 16:27    <DIR>    d--h-----    C:\MRI_PE_TEMP
2008-12-16 03:13 . 2008-12-17 05:48    <DIR>    d--hs----    C:\$RECYCLE.BIN
2008-12-16 02:41 . 2008-12-16 02:41    <DIR>    d--------    c:\documents and settings\All Users\Application Data\Geek Squad

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 02:49    ---------    d-----w    c:\documents and settings\RAFAEL\Application Data\Skype
2009-01-01 00:47    ---------    d-----w    c:\documents and settings\RAFAEL\Application Data\skypePM
2008-12-30 19:02    ---------    d-----w    c:\program files\McAfee.com
2008-12-30 19:02    ---------    d-----w    c:\program files\McAfee
2008-12-30 19:02    ---------    d-----w    c:\documents and settings\All Users\Application Data\McAfee
2008-12-18 02:07    ---------    d-----w    c:\program files\Google
2008-12-18 02:03    ---------    d-----w    c:\documents and settings\All Users\Application Data\Visual Networks
2008-12-18 01:48    ---------    d-----w    c:\program files\Yahoo!
2008-12-18 01:47    ---------    d--h--w    c:\program files\InstallShield Installation Information
2008-11-28 20:37    ---------    d-----w    c:\program files\iTunes
2008-11-28 20:37    ---------    d-----w    c:\program files\iPod
2008-11-28 20:37    ---------    d-----w    c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 20:36    ---------    d-----w    c:\program files\QuickTime
2008-11-28 20:35    ---------    d-----w    c:\program files\Common Files\Apple
2008-11-26 01:28    ---------    d-----w    c:\program files\Common Files\AnswerWorks 4.0
2008-11-23 20:46    ---------    d-----w    c:\documents and settings\LocalService\Application Data\SACore
2008-11-18 01:25    ---------    d-----w    c:\documents and settings\RAFAEL\Application Data\ntr
2008-11-18 00:58    ---------    d-----w    c:\program files\Common Files\Scanner
2008-11-18 00:58    ---------    d-----w    c:\program files\CCleaner
2008-11-15 15:03    36,624    ------w    c:\windows\system32\drivers\pxhelp20.sys
2008-04-01 01:24    32    ----a-w    c:\documents and settings\All Users\Application Data\ezsid.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-12-30_13.11.44.34   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 18:00:09    32,768    --sha-w    c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-30 20:00:31    32,768    --sha-w    c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 18:00:09    16,384    --sha-w    c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 20:00:31    16,384    --sha-w    c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 20:00:31    32,768    --sha-w    c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-17 00:13:38    149,200    ----a-w    c:\windows\system32\FNTCACHE.DAT
+ 2008-12-31 15:40:29    149,200    ----a-w    c:\windows\system32\FNTCACHE.DAT
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-08-16 24576]
"V0270Mon.exe"="c:\windows\V0270Mon.exe" [2006-09-26 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"CTHelper"="CTHELPER.EXE" [2004-03-10 c:\windows\system32\CTHELPER.EXE]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-02-28 16:15 503808 c:\program files\Orb Networks\Orb\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-06 17:37 21898024 c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 VF0270Dev;Live! Cam Optia;c:\windows\system32\DRIVERS\V0270Dev.sys [2008-03-31 225632]
R3 VF0270Vfx;VF0270 Video FX;c:\windows\system32\DRIVERS\V0270VFx.sys [2008-03-31 6912]
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {EDE05334-D18B-49FE-9B39-E23C686A2C09} = 4.2.2.1,4.2.2.2

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\RAFAEL\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.mail.yahoo.com
FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - component: c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll

[color=red]ATTENTION: FIREFOX POLICES IS IN FORCE [/color]
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 18:49:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\*NULL*_    Â|·*NULL*]
@Owner=S-1-5-21-1482476501-1604221776-725345543-1003
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="??\09"
"ReinstallString"="8.162.0.0"
"DeviceInstanceIds"=multi:"c:\\dell\\drivers\\r106409\\driver\\2kxp_inf\\cx_25672.inf\00"

[HKEY_LOCAL_MACHINE\software\SigmaTel\GlobalState]
@Owner=Administrator
@Denied: (Full) (Guests)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (B 1 2 3 4 5) (S-1-5-4)

[HKEY_LOCAL_MACHINE\software\SigmaTel\GlobalState\STSysTray]
@Owner=Administrator
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-01 18:50:48 - machine was rebooted
ComboFix-quarantined-files.txt  2009-01-02 00:50:45
ComboFix2.txt  2008-12-30 19:12:08

Pre-Run: 228,006,293,504 bytes free
Post-Run: 227,993,227,264 bytes free

223    --- E O F ---    2008-12-11 11:26:06


Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Advanced Video FX Engine
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
Bonjour
CCleaner (remove only)
Creative Live! Cam Center
Creative Live! Cam Manager
Creative Live! Cam Optia Driver (1.01.02.00)  
Creative Live! Cam Optia User's Guide (English)
Creative MediaSource
Creative Photo Calendar
Creative Photo Manager
Creative Software AutoUpdate
Creative System Information
Dell Resource CD
DellConnect
DriverAgent by eSupport.com
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
IKEA HomePlanner Kitchen
Intel® 537EP V9x DF PCI Modem
Intel® PRO Network Connections Drivers
iTunes
Java(tm) 6 Update 6
Malwarebytes' Anti-Malware
McAfee Uninstaller
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MobileMe Control Panel
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 4.1
Nero Suite
OCR Software by I.R.I.S 7.0
OpenOffice.org Installer 1.0
Orb
Picasa 2
PowerDVD 5.5
QuickBooks Pro 2006
QuickTime
RealPlayer
Rhapsody Player Engine
Rhapsody Player Engine
RON Tool Globaladsolution
Safari
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows XP (KB923789)
SightSpeed (remove only)
SigmaTel Audio
Skype™ 3.6
Sound Blaster Audigy 2 ZS
UltraISO V7.65 SR-2
URGE
WD Diagnostics
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinZip 11.2


c:\windows\$ntservicepackuninstall$\winlogon.exe
Version: 5.1.2600.2180
Created: 11/16/2008 5:42:49 PM
Modified: 8/4/2004 4:00:00 AM
Size: 502,272 bytes
Attributes: Compressed

c:\windows\servicepackfiles\i386\winlogon.exe
Version: 5.1.2600.5512
Created: 9/24/2008 4:59:57 AM
Modified: 4/13/2008 6:12:39 PM
Size: 507,904 bytes
c:\windows\system32\dllcache\winlogon.exe
Version: 5.1.2600.5512
Created: 9/24/2008 4:59:57 AM
Modified: 4/13/2008 6:12:39 PM
Size: 507,904 bytes
Attributes: Archive Compressed

c:\windows\system32\winlogon.exe
Version: 5.1.2600.5512
Created: 9/24/2008 4:59:57 AM
Modified: 4/13/2008 6:12:39 PM
Size: 507,904 bytes
Attributes: Archive

c:\windows\system32\winlogon.old
Version: 5.1.2600.5512
Created: 8/4/2004 4:00:00 AM
Modified: 4/13/2008 6:12:39 PM
Size: 507,904 bytes
Attributes: Archive

13
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: December 31, 2008, 11:09:48 AM »
Sorry about that, I misunderstood.  Here's the MBAM and HijackThis logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1582
Windows 5.1.2600 Service Pack 3

12/31/2008 9:56:31 AM
mbam-log-2008-12-31 (09-56-31).txt

Scan type: Quick Scan
Objects scanned: 54552
Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{998596b5-8c62-9857-df3b-7af18486ff59} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{998596b5-8c62-9857-df3b-7af18486ff59} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\RAFAEL\Application Data\Microsoft\Windows\ekqiy.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Webtools\webtools.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvvWnLe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nse10.dll (Adware.BHO) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:15 AM, on 12/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0270Mon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0270Mon.exe] C:\WINDOWS\V0270Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.Email Removed.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169088687625
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE05334-D18B-49FE-9B39-E23C686A2C09}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6360 bytes

14
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: December 30, 2008, 02:18:35 PM »
Combofix log attached.  So far the desktop has not disappeared.  Looking forward to getting rid of this stuff.  Yoog Search still remains.

ComboFix 08-12-29.02 - RAFAEL 2008-12-30 13:07:28.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.648 [GMT -6:00]
Running from: c:\documents and settings\RAFAEL\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\RAFAEL\Application Data\gadcom
c:\documents and settings\RAFAEL\Application Data\gadcom\gadcom.exe
c:\documents and settings\RAFAEL\Application Data\GetModule
c:\documents and settings\RAFAEL\Application Data\GetModule\dicik.gz
c:\documents and settings\RAFAEL\Application Data\GetModule\kwdik.gz
c:\documents and settings\RAFAEL\Application Data\GetModule\ofadik.gz
c:\documents and settings\RAFAEL\Application Data\SpeedRunner
c:\documents and settings\RAFAEL\Application Data\SpeedRunner\config.cfg
c:\documents and settings\RAFAEL\Application Data\SpeedRunner\SpeedRunner.exe
c:\documents and settings\RAFAEL\Application Data\SpeedRunner\SRUninstall.exe
c:\documents and settings\RAFAEL\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\RAFAEL\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\RAFAEL\nah_log.dat
c:\program files\GetModule
c:\program files\GetModule\GetModule32.exe
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\GetPack26.exe
c:\program files\GetPack\trgtame.gz
c:\program files\GrandPack
c:\program files\GrandPack\GrandPack2.dll
c:\program files\GrandPack\qdrloader.exe
c:\program files\GrandPack\Uninstall.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll
c:\windows\system32\~.exe
c:\windows\system32\AdNpoUtv.ini
c:\windows\system32\AdNpoUtv.ini2
c:\windows\system32\bszip.dll
c:\windows\system32\cbXOHBrS.dll
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\CPV.stt
c:\windows\system32\cont_globaladsolution-remove.exe
c:\windows\system32\lilivkgfkkiteiow.dll
c:\windows\system32\TDSSgqrr.log
c:\windows\system32\TDSSwryg.dat
c:\windows\system32\vtUopNdA.dll
c:\windows\system32\wpv401229907443.cpx
G:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com
c:\windows\system32\winlogon.exe . . . is infected!!

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys


(((((((((((((((((((((((((   Files Created from 2008-11-28 to 2008-12-30  )))))))))))))))))))))))))))))))
.

2008-12-30 12:23 . 2008-12-30 12:23   <DIR>   d--------   c:\program files\Trend Micro
2008-12-29 09:14 . 2008-12-29 09:14   <DIR>   d--------   c:\program files\Webtools
2008-12-29 09:09 . 2008-12-29 09:09   47,593   --a------   c:\windows\system32\kfoirmjtzvrq.exe
2008-12-28 01:04 . 2008-12-28 01:04   45,056   --a------   c:\windows\system32\tuvvWnLe.dll
2008-12-17 21:20 . 2008-12-17 21:20   <DIR>   d--------   c:\program files\UltraISO
2008-12-17 21:20 . 2008-12-17 21:20   <DIR>   d--------   c:\program files\Common Files\EZB Systems
2008-12-17 20:27 . 2008-12-17 20:27   23,600   --a------   c:\windows\system32\drivers\TVICHW32.SYS
2008-12-17 20:18 . 2008-12-17 20:18   0   --a------   c:\windows\ativpsrm.bin
2008-12-17 14:38 . 2008-12-17 22:04   522   --a------   C:\GSMRIAutomation.cfg
2008-12-17 05:48 . 2008-12-17 16:27   <DIR>   d--h-----   C:\MRI_PE_TEMP
2008-12-16 03:13 . 2008-12-17 05:48   <DIR>   d--hs----   C:\$RECYCLE.BIN
2008-12-16 02:41 . 2008-12-16 02:41   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Geek Squad
2008-12-02 10:43 . 2008-12-02 10:43   668,160   --a------   c:\windows\system32\nse10.dll
2008-11-28 14:37 . 2008-11-28 14:37   <DIR>   d--------   c:\program files\iTunes
2008-11-28 14:37 . 2008-11-28 14:37   <DIR>   d--------   c:\program files\iPod
2008-11-28 14:37 . 2008-11-28 14:37   <DIR>   d--------   c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 14:36 . 2008-11-28 14:36   <DIR>   d--------   c:\program files\QuickTime
2008-11-17 18:58 . 2008-11-17 18:58   <DIR>   d--------   c:\program files\CCleaner
2008-11-17 18:48 . 2008-11-17 19:25   <DIR>   d--------   c:\documents and settings\RAFAEL\Application Data\ntr
2008-11-16 18:15 . 2004-08-04 04:00   221,184   --a------   c:\windows\system32\wmpns.dll
2008-11-16 17:57 . 2008-11-16 17:57   <DIR>   d--------   c:\windows\system32\scripting
2008-11-16 17:57 . 2008-11-16 17:57   <DIR>   d--------   c:\windows\system32\en
2008-11-16 17:57 . 2008-11-16 17:57   <DIR>   d--------   c:\windows\system32\bits
2008-11-16 17:57 . 2008-11-16 17:57   <DIR>   d--------   c:\windows\l2schemas
2008-11-16 17:52 . 2008-11-16 17:57   <DIR>   d--------   c:\windows\ServicePackFiles
2008-11-12 05:28 . 2008-10-24 05:21   455,296   -----c---   c:\windows\system32\dllcache\mrxsmb.sys
2008-11-04 10:30 . 2008-11-04 10:30   90,112   --a------   c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30   57,344   --a------   c:\windows\system32\QuickTime.qts

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 19:02   ---------   d-----w   c:\program files\McAfee.com
2008-12-30 19:02   ---------   d-----w   c:\program files\McAfee
2008-12-30 19:02   ---------   d-----w   c:\documents and settings\All Users\Application Data\McAfee
2008-12-28 07:01   ---------   d-----w   c:\documents and settings\RAFAEL\Application Data\Skype
2008-12-28 06:05   ---------   d-----w   c:\documents and settings\RAFAEL\Application Data\skypePM
2008-12-18 02:07   ---------   d-----w   c:\program files\Google
2008-12-18 02:03   ---------   d-----w   c:\documents and settings\All Users\Application Data\Visual Networks
2008-12-18 01:48   ---------   d-----w   c:\program files\Yahoo!
2008-12-18 01:47   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-28 20:35   ---------   d-----w   c:\program files\Common Files\Apple
2008-11-26 01:28   ---------   d-----w   c:\program files\Common Files\AnswerWorks 4.0
2008-11-23 20:46   ---------   d-----w   c:\documents and settings\LocalService\Application Data\SACore
2008-11-18 00:58   ---------   d-----w   c:\program files\Common Files\Scanner
2008-11-15 15:03   36,624   ------w   c:\windows\system32\drivers\pxhelp20.sys
2008-04-01 01:24   32   ----a-w   c:\documents and settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2004-08-04 04:00  295424  b60c877d16d9c880b952fda04adf16e6   c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 18:12  295424  ff3477c03be7201c294c35f684b3479f   c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-27 12:31  295424  63999d0abd8dabfd76a9c07f6e104868   c:\windows\system32\termsrv.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{998596b5-8c62-9857-df3b-7af18486ff59}]
2008-12-02 10:43   668160   --a------   c:\windows\system32\nse10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-09-06 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-08-16 24576]
"V0270Mon.exe"="c:\windows\V0270Mon.exe" [2006-09-26 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-20 185896]
"CTHelper"="CTHELPER.EXE" [2004-03-10 c:\windows\system32\CTHELPER.EXE]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-02-28 16:15 503808 c:\program files\Orb Networks\Orb\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-06 17:37 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 VF0270Dev;Live! Cam Optia;c:\windows\system32\DRIVERS\V0270Dev.sys [2008-03-31 225632]
R3 VF0270Vfx;VF0270 Video FX;c:\windows\system32\DRIVERS\V0270VFx.sys [2008-03-31 6912]
S3 kwwalpgr;kwwalpgr;\??\c:\docume~1\RAFAEL\LOCALS~1\Temp\kwwalpgr.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-30 c:\windows\Tasks\mvlzkmnr.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{24710402-7CAA-7B69-B6B8-283EAA963B84} - c:\windows\system32\lilivkgfkkiteiow.dll
BHO-{AD36848B-D019-49BB-9FAC-F545C5E513B8} - c:\windows\system32\vtUopNdA.dll
HKCU-Run-GetModule32 - c:\program files\GetModule\GetModule32.exe
HKCU-Run-GetPack26 - c:\program files\GetPack\GetPack26.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://att.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {EDE05334-D18B-49FE-9B39-E23C686A2C09} = 4.2.2.1,4.2.2.2

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\RAFAEL\Application Data\Mozilla\Firefox\Profiles\sicg66af.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.mail.yahoo.com
FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - component: c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 13:10:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-30 13:12:07 - machine was rebooted [RAFAEL]
ComboFix-quarantined-files.txt  2008-12-30 19:12:04

Pre-Run: 228,153,479,168 bytes free
Post-Run: 228,035,391,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

263   --- E O F ---   2008-12-11 11:26:06

15
Tech Clinic / Yoog, Pop-ups, Desktop disappears, Help!
« on: December 30, 2008, 01:42:02 PM »
Trying to fix my parents' computer and after some searching I think I found the right place for some help.  The McAfee AV software has expired, currently unprotected.  Desktop disappears every few seconds and roughly every minute I get a pop-up in Firefox immediately followed by a pop-up in IE.  That's when I saw that Yoog Search was the default search.  Please help!! Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:02 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0270Mon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\GetModule\GetModule32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\RAFAEL\Application Data\gadcom\gadcom.exe
C:\Program Files\GetPack\GetPack26.exe
C:\Documents and Settings\RAFAEL\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\RAFAEL\Application Data\Microsoft\Windows\ekqiy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0270Mon.exe] C:\WINDOWS\V0270Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [wgzfvlpphmf] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\lilivkgfkkiteiow.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [GetModule32] C:\Program Files\GetModule\GetModule32.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\RAFAEL\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [GetPack26] "C:\Program Files\GetPack\GetPack26.exe"
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\RAFAEL\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\RAFAEL\Application Data\Microsoft\Windows\ekqiy.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.Email Removed.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1169088687625
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE05334-D18B-49FE-9B39-E23C686A2C09}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9975 bytes
