Ran ComboFix, see log below. New HijackThis log follows.
ComboFix 08-11-11.01 - Matt & Trish 2008-11-18 19:55:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.234 [GMT -7:00]
Running from: c:\documents and settings\Matt & Trish\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\temp\tn3
c:\windows\IE4 Error Log.txt
c:\windows\mainms.vpi
c:\windows\megavid.cdt
c:\windows\muotr.so
c:\windows\system32\hljwugsf.bin
c:\windows\system32\KmlVDcfe.ini
c:\windows\system32\MSINET.oca
.
((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.
2008-11-15 14:10 . 2008-11-15 14:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-15 14:10 . 2008-11-15 14:10 <DIR> d-------- c:\documents and settings\Matt & Trish\Application Data\Malwarebytes
2008-11-15 14:10 . 2008-11-15 14:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-15 14:10 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-15 14:10 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-11-14 21:17 . 2008-11-14 21:17 664 --a------ c:\windows\SYSTEM32\d3d9caps.dat
2008-11-12 20:57 . 2008-10-24 04:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-11-12 20:56 . 2008-09-04 10:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-10-23 16:56 . 2008-10-15 09:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-19 08:58 . 2008-10-19 08:58 <DIR> d-------- c:\program files\iTunes
2008-10-19 08:58 . 2008-10-19 08:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-19 08:56 . 2008-10-19 08:56 <DIR> d-------- c:\program files\Bonjour
2008-10-19 08:55 . 2008-10-19 08:56 <DIR> d-------- c:\program files\QuickTime
2008-10-19 08:53 . 2008-10-19 08:58 <DIR> d----c--- c:\windows\SYSTEM32\DRVSTORE
2008-10-19 08:53 . 2008-10-19 08:55 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-19 08:53 . 2008-10-19 08:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 17:26 --------- d-----w c:\documents and settings\Matt & Trish\Application Data\SiteAdvisor
2008-11-17 20:17 --------- d-----w c:\documents and settings\Matt & Trish\Application Data\ZoomBrowser EX
2008-11-17 20:17 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-11-15 03:56 --------- d-----w c:\program files\a-squared Free
2008-11-12 14:58 --------- d-----w c:\documents and settings\Matt & Trish\Application Data\Move Networks
2008-11-11 23:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 01:26 --------- d-----w c:\documents and settings\Matt & Trish\Application Data\Canon
2008-10-19 15:58 --------- d-----w c:\program files\iPod
2008-10-19 15:54 --------- d-----w c:\program files\Apple Software Update
2007-12-30 04:43 836 ----a-w c:\documents and settings\Matt & Trish\Application Data\ViewerApp.dat
2008-07-12 19:16 80 --sh--r c:\windows\SYSTEM32\45C562A62E.dll
2008-06-02 00:33 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008060120080602\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 36640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-25 19:06 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Matt & Trish^Start Menu^Programs^Startup^Palm Registration.lnk]
path=c:\documents and settings\Matt & Trish\Start Menu\Programs\Startup\Palm Registration.lnk
backup=c:\windows\pss\Palm Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-08-25 11:52 339968 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\SYSTEM32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 06:51 306688 c:\program files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-08-13 00:05 122939 c:\windows\SYSTEM32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 15:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2007-08-03 22:33 582992 c:\progra~1\McAfee.com\Agent\mcagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2007-12-06 13:10 419152 c:\progra~1\McAfee.com\Agent\mcupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 07:50 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 17:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-07-31 14:40 208941 c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-09-12 21:28 1576176 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-07-31 14:40 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-12 10:24 106557 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotSync"="c:\program files\PalmSource\Desktop\HotSync.exe" -AllUsers
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Corporation\\Picture Package\\Picture Package Applications\\AutoVideo.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\CONFLICT.2\\pluswebagent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
Contents of the 'Scheduled Tasks' folder
2008-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-11-17 c:\windows\Tasks\At1.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At10.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At11.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At12.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At13.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At14.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At15.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At16.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At17.job
- c:\windows\system32\1h78abOf.exe []
2008-11-19 c:\windows\Tasks\At18.job
- c:\windows\system32\1h78abOf.exe []
2008-11-19 c:\windows\Tasks\At19.job
- c:\windows\system32\1h78abOf.exe []
2008-11-17 c:\windows\Tasks\At2.job
- c:\windows\system32\1h78abOf.exe []
2008-11-19 c:\windows\Tasks\At20.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At21.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At22.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At23.job
- c:\windows\system32\1h78abOf.exe []
2008-11-14 c:\windows\Tasks\At24.job
- c:\windows\system32\1h78abOf.exe []
2008-11-17 c:\windows\Tasks\At3.job
- c:\windows\system32\1h78abOf.exe []
2008-11-17 c:\windows\Tasks\At4.job
- c:\windows\system32\1h78abOf.exe []
2008-11-17 c:\windows\Tasks\At5.job
- c:\windows\system32\1h78abOf.exe []
2008-11-17 c:\windows\Tasks\At6.job
- c:\windows\system32\1h78abOf.exe []
2008-11-17 c:\windows\Tasks\At7.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At8.job
- c:\windows\system32\1h78abOf.exe []
2008-11-18 c:\windows\Tasks\At9.job
- c:\windows\system32\1h78abOf.exe []
2008-11-15 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (MATHERLY-Matt & Trish).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
2008-09-22 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-09-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-11-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -
BHO-{8E152D50-A74A-432E-9125-4F9F24F9BDB9} - c:\windows\system32\efcBrQHY.dll
Notify-fccbBQiF - fccbBQiF.dll
Notify-wvUljkkJ - wvUljkkJ.dll
MSConfigStartUp-bc79771c - c:\windows\system32\ymwmeqiw.dll
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MPSExe - c:\progra~1\mcafee.com\mps\mscifapp.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-RoboForm - c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL =
hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page =
hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar =
hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) =
hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O15 -: Trusted Zone: *.ubs.com
O15 -: Trusted Zone: *.ubspainewebber.com
O15 -: Trusted Zone: *.ubspwmobile.com
O16 -: Java Mainframe Display (MFD) -
hxxps://www.wm-mobile.ubs.com/W2H/w2h/applet/wdmfd.cab
c:\windows\Downloaded Program Files\Java Mainframe Display (MFD).osd
O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: PCGMC Client -
hxxps://www.wm-mobile.ubs.com/PCGMC/PCGMCClient.CAB
c:\windows\Downloaded Program Files\PCGMC Client.osd
O16 -: {138A4B11-6BBA-4EF3-B333-0515F67729DB} -
hxxps://www.wm-mobile.ubs.com/md/pluswebagentjava.cab
c:\windows\Downloaded Program Files\pluswebagentjava.inf
O16 -: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} -
hxxps://www.wm-mobile.ubs.com/md/pluswebagent.cab
c:\windows\Downloaded Program Files\CONFLICT.2\pluswebagent.inf
c:\windows\Downloaded Program Files\CONFLICT.2\pluswebagent.exe
O16 -: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} -
hxxps://www.wm-mobile.ubs.com/md/classe ... shdown.cab
c:\windows\Downloaded Program Files\sh.inf
O16 -: {2FCFDAB1-F134-11D2-97C6-00104B659322} -
hxxps://www.wm-mobile.ubs.com/md/classe ... ssdown.cab
c:\windows\Downloaded Program Files\monclass.inf
O16 -: {3005838E-2A00-11D2-B701-006008D1E01C} -
hxxps://www.wm-mobile.ubs.com/md/Navigator.cab
c:\windows\Downloaded Program Files\navigator.inf
c:\windows\Downloaded Program Files\axctlcont.dll
c:\windows\Downloaded Program Files\appletcontrol.dll
c:\windows\Downloaded Program Files\oleuidialogs.dll
c:\windows\Downloaded Program Files\webcontrol.dll
O16 -: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} -
hxxps://www.wm-mobile.ubs.com/md/plugin ... /excel.cab
c:\windows\Downloaded Program Files\excel.inf
c:\windows\Downloaded Program Files\SecFlgsR.xml
c:\windows\Downloaded Program Files\CompDict.xml
c:\windows\Downloaded Program Files\MDAuto.dll
O16 -: {766190C9-CF9B-11D5-92EA-00805FC7E991} -
hxxps://www.wm-mobile.ubs.com/md/classe ... mpdown.cab
c:\windows\Downloaded Program Files\dyncomp.inf
O16 -: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} -
hxxps://www.wm-mobile.ubs.com/md/jexitdown.cab
c:\windows\Downloaded Program Files\jexit.inf
O16 -: {89F7D494-DA30-4207-9318-49D6E60BD805} -
hxxps://www.wm-mobile.ubs.com/md/webchart.cab
c:\windows\Downloaded Program Files\CONFLICT.1\webchart.inf
c:\windows\Downloaded Program Files\CONFLICT.1\webchart.dll
c:\windows\Downloaded Program Files\CONFLICT.1\jdqactrl.dll
O16 -: {93972343-C012-11D4-A8E1-0060976A74AE} -
hxxps://www.wm-mobile.ubs.com/md/classe ... tedown.cab
c:\windows\Downloaded Program Files\wfcquote.inf
O16 -: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} -
hxxps://www.wm-mobile.ubs.com/md/classe ... gsdown.cab
c:\windows\Downloaded Program Files\dialogs.inf
O16 -: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} -
hxxps://www.wm-mobile.ubs.com/CWM/pluswebsweeper.cab
c:\windows\Downloaded Program Files\pluswebsweeper.inf
c:\windows\Downloaded Program Files\pwswpctl.dll
c:\windows\Downloaded Program Files\pwsweeper.exe
O16 -: {D439B6E0-1838-11D2-A461-00A0C968EE5F} -
hxxps://www.wm-mobile.ubs.com/md/classe ... ntdown.cab
c:\windows\Downloaded Program Files\qqagent.inf
O16 -: {E041DA00-21AF-11D2-A465-00A0C968EE5F} -
hxxps://www.wm-mobile.ubs.com/md/classe ... ftdown.cab
c:\windows\Downloaded Program Files\mlsoft.inf
O16 -: {F436C877-B085-4871-BADD-D23A6E630581} -
hxxps://www.wm-mobile.ubs.com/md/pluswebverdown.cab
c:\windows\Downloaded Program Files\versions.inf
O16 -: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} -
hxxps://www.wm-mobile.ubs.com/md/pwagentclient.cab
c:\windows\Downloaded Program Files\pwagentclient.inf
c:\windows\Downloaded Program Files\pluswebclient.dll
O16 -: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} -
hxxps://www.wm-mobile.ubs.com/md/plusweblocator.cab
c:\windows\Downloaded Program Files\plusweblocator.inf
c:\windows\Downloaded Program Files\locator.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-18 20:01:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\explorer.exe
-> c:\program files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\SYSTEM32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-11-18 20:12:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-19 03:12:27
Pre-Run: 120,598,851,584 bytes free
Post-Run: 120,737,136,640 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
355 --- E O F --- 2008-11-17 04:03:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:43 PM, on 11/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List -
res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print -
res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview -
res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print -
res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.ubs.com
O15 - Trusted Zone: *.ubspainewebber.com
O15 - Trusted Zone: *.ubspwmobile.com
O15 - Trusted IP range: 162.66.44.30
O15 - Trusted IP range: 162.66.195.101
O15 - Trusted IP range: 162.66.195.102
O15 - Trusted IP range: 162.66.195.103
O15 - Trusted IP range: 161.15.2.35
O15 - Trusted IP range: 161.15.2.36
O15 - Trusted IP range: 162.66.202.129
O15 - Trusted IP range: 162.66.202.130
O15 - Trusted IP range: 161.15.21.22
O15 - Trusted IP range: 161.15.21.23
O15 - Trusted IP range: 162.66.21.22
O15 - Trusted IP range: 162.66.44.31
O15 - Trusted IP range: 162.66.21.23
O15 - Trusted IP range: 161.15.44.25
O15 - Trusted IP range: 161.15.44.26
O15 - Trusted IP range: 162.66.135.133
O15 - Trusted IP range: 162.66.135.134
O15 - Trusted IP range: 162.66.190.59
O15 - Trusted IP range: 162.66.194.91
O15 - Trusted IP range: 162.66.194.92
O16 - DPF: Java Mainframe Display (MFD) -
https://www.wm-mobile.ubs.com/W2H/w2h/applet/wdmfd.cab
O16 - DPF: PCGMC Client -
https://www.wm-mobile.ubs.com/PCGMC/PCGMCClient.CAB
O16 - DPF: {138A4B11-6BBA-4EF3-B333-0515F67729DB} (Reuters PlusWeb Agent Java Classes - 1.6.0.33) -
https://www.wm-mobile.ubs.com/md/pluswebagentjava.cab
O16 - DPF: {18D29F69-AD28-450E-8EC4-AD3F8632D4FE} (qqagent Class) -
https://www.wm-mobile.ubs.com/md/pluswebagent.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {24F7A9CC-4EEB-49A7-8592-95E66A7C24A8} (Java ScrollingHeadlines Widget - 1.0.1.
-
https://www.wm-mobile.ubs.com/md/classe ... shdown.cab
O16 - DPF: {2FCFDAB1-F134-11D2-97C6-00104B659322} (Java Monitor - 1.0.3.11) -
https://www.wm-mobile.ubs.com/md/classe ... ssdown.cab
O16 - DPF: {3005838E-2A00-11D2-B701-006008D1E01C} (webctl Class) -
https://www.wm-mobile.ubs.com/md/Navigator.cab
O16 - DPF: {3D5F4B42-A6AD-4F31-BC6B-C4BA6AAEF08B} (Reuters PlusWeb Excel Macro 1,5,0,9) -
https://www.wm-mobile.ubs.com/md/plugin ... /excel.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) -
http://www.linkedin.com/cab/LinkedInCon ... ontrol.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
http://cdn.scan.onecare.live.com/resour ... se5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftup ... 2068012953
O16 - DPF: {766190C9-CF9B-11D5-92EA-00805FC7E991} (Java MarketAtGlance - 1.0.0.10) -
https://www.wm-mobile.ubs.com/md/classe ... mpdown.cab
O16 - DPF: {77E94DB3-EF12-40BE-9AC5-96E2A140900E} (Java jExit - 1.0.0.4) -
https://www.wm-mobile.ubs.com/md/jexitdown.cab
O16 - DPF: {89F7D494-DA30-4207-9318-49D6E60BD805} (Reuters Webchart Class) -
https://www.wm-mobile.ubs.com/md/webchart.cab
O16 - DPF: {93972343-C012-11D4-A8E1-0060976A74AE} (Java Quote Widget - 1.1.6.11) -
https://www.wm-mobile.ubs.com/md/classe ... tedown.cab
O16 - DPF: {B5C6E4C0-F9DB-11D2-B126-00104B0EB7AE} (Java Dialogs - 1.6.1.6) -
https://www.wm-mobile.ubs.com/md/classe ... gsdown.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {C0966447-1276-46EF-A5BB-1D5BCB6E8935} (PWSweep Class) -
https://www.wm-mobile.ubs.com/CWM/pluswebsweeper.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) -
http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {D439B6E0-1838-11D2-A461-00A0C968EE5F} (Java QQagent - 1.0.6.05) -
https://www.wm-mobile.ubs.com/md/classe ... ntdown.cab
O16 - DPF: {E041DA00-21AF-11D2-A465-00A0C968EE5F} (Java MLSOFT package) -
https://www.wm-mobile.ubs.com/md/classe ... ftdown.cab
O16 - DPF: {F436C877-B085-4871-BADD-D23A6E630581} (Reuters PlusWeb Versions - 1,6,0,22) -
https://www.wm-mobile.ubs.com/md/pluswebverdown.cab
O16 - DPF: {F822CC94-9D2F-4914-9CBB-8FBB9EDB1BF0} (PWAgent Class) -
https://www.wm-mobile.ubs.com/md/pwagentclient.cab
O16 - DPF: {FF2B96CA-23B8-4B6F-8B90-873770F0D537} (PlusWebLocator Class) -
https://www.wm-mobile.ubs.com/md/plusweblocator.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 11623 bytes