#1
Registered User
Join Date: Dec 2006
Posts: 38
OS: WinXP
buyonlinedating.net scam (REPOSTED)
All of the sites I try to go to have had their URL changed to begin with some variant of buyonlinedating(dot)net. I also had an issue where a program called Personal Protector was downloaded, but I think I may have gotten rid of that.
As of right now, I'm not seeing anything else wrong with the computer, but if you guys catch anything else that's iffy, let me know. Below are the logs for my computer. Any help is much appreciated.

NOTE: The log below is not for the computer I am using to post here, so I am able to do any instructions that are posted.

-------------

DDS (Ver_09-11-24.02) - NTFSx86
Run by XXXX at 10:35:58.75 on Fri 11/27/2009
Internet Explorer: 7.0.6000.16916
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1917.831 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CSHelper.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\Windows\system32\rpcnet.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Shaver\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uStart Page = hxxp://www.foxnews.com/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071030
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071030
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Aim6]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [calc] rundll32.exe c:\users\shaver\ntuser.dll,_IWMPEvents@0
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] c:\dell\dsca.exe 3
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\shaver\appdata\roaming\mozilla\firefox\profiles\rjjj0976.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=logo
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScope42.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScopeDRM11.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\shaver\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2007-10-29 73728]
R2 ATIWebPAM;ATI WebPAM;c:\program files\ati\webpam\jetty\extra\win32\Wrapper.exe [2003-9-29 110592]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-7-25 266240]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-13 24652]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-6-28 133104]
S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-10-30 235520]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-10-30 7424]
S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\PFC027.SYS [2006-12-5 507136]

=============== Created Last 30 ================

2009-11-27 06:21:59 0 d-----w- c:\program files\Trend Micro
2009-11-27 06:07:02 0 d---a-w- c:\programdata\TEMP
2009-11-27 05:08:25 0 d-----w- c:\users\shaver\appdata\roaming\Malwarebytes
2009-11-27 05:08:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-27 05:08:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-27 05:08:16 0 d-----w- c:\programdata\Malwarebytes
2009-11-27 05:08:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 03:09:15 0 d-----w- c:\programdata\Microsoft PData
2009-11-25 08:16:31 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 23:05:12 1406464 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 23:05:12 1260032 ----a-w- c:\windows\system32\msxml3.dll
2009-11-24 23:05:11 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-11-24 23:05:11 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-11-24 23:05:10 713728 ----a-w- c:\windows\system32\timedate.cpl
2009-11-11 23:31:27 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 23:31:11 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 01:35:33 0 d-----w- c:\program files\common files\DivX Shared
2009-11-05 01:35:32 0 d-----w- c:\program files\DivX
2009-11-04 06:10:29 1383424 ----a-w- c:\windows\system32\mshtml.tlb

==================== Find3M ====================

2009-11-27 16:30:28 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-11-27 16:30:26 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-11-16 05:57:52 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-20 08:14:43 163400 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-18 03:30:28 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-18 03:30:28 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-18 03:30:27 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-09-15 17:41:22 130378 ----a-w- c:\windows\hpoins13.dat
2009-09-10 17:40:11 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-10 17:39:44 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:29:54 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:29:34 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-09-09 23:34:08 49152 ----a-w- c:\windows\system32\instw32.exe
2009-09-04 12:38:11 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 15:21:17 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 15:17:39 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-08-31 15:16:28 428032 ----a-w- c:\windows\system32\EncDec.dll
2008-12-11 10:12:32 174 --sha-w- c:\program files\desktop.ini
2008-08-13 23:22:35 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-10-30 03:28:46 80 --sha-r- c:\windows\CT4CET.bin
2009-02-13 07:13:01 24064 --sha-w- c:\windows\system32\calc.dll
2009-01-26 22:05:22 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-01-26 22:05:22 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-01-26 22:05:22 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-10-30 10:55:37 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 10:37:07.99 ===============

Last edited by thunderstix33; 11-27-2009 at 11:45 AM. Reason: Changing title
#3
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 3,059
OS: XP sp3
Re: buyonlinedating.net scam (REPOSTED)
Hi,
Please do the following:

Download Combofix from either of the links below. You must rename it to combo.com before saving it. Save it to your desktop. Change the save as file type to "all files".

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

Link 1
Link 2
#4
Registered User
Join Date: Dec 2006
Posts: 38
OS: WinXP
Re: buyonlinedating.net scam (REPOSTED)
ComboFix 09-11-27.07 - Shaver 11/28/2009 13:48.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1917.997 [GMT -6:00]
Running from: c:\users\Shaver\Desktop\combo.com.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3758722250-649579731-3220627272-500
c:\users\Shaver\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll
c:\users\Shaver\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk
c:\users\Shaver\ntuser.dll
c:\windows\system32\calc.dll
c:\windows\system32\config\systemprofile\ntuser.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.
2009-11-27 16:40 . 2009-11-27 16:41 -------- d-----w- c:\programdata\WinZip
2009-11-27 06:21 . 2009-11-27 06:21 -------- d-----w- c:\program files\Trend Micro
2009-11-27 05:08 . 2009-11-27 05:08 -------- d-----w- c:\users\Shaver\AppData\Roaming\Malwarebytes
2009-11-27 05:08 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-27 05:08 . 2009-11-27 05:08 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 05:08 . 2009-11-27 05:08 -------- d-----w- c:\programdata\Malwarebytes
2009-11-27 05:08 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-27 03:09 . 2009-11-27 05:14 -------- d-----w- c:\programdata\Microsoft PData
2009-11-25 08:16 . 2009-10-29 07:59 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 23:05 . 2009-08-10 13:05 1406464 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 23:05 . 2009-08-10 13:05 1260032 ----a-w- c:\windows\system32\msxml3.dll
2009-11-24 23:05 . 2009-08-10 13:05 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-11-24 23:05 . 2009-08-10 13:05 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-11-11 23:31 . 2009-08-14 14:01 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 23:31 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 01:35 . 2009-11-05 01:35 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-05 01:35 . 2009-11-05 01:35 4096 d-----w- c:\program files\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 20:01 . 2008-08-13 21:48 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-11-28 20:01 . 2008-08-13 22:07 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-11-28 08:50 . 2008-11-26 01:12 4096 d-----w- c:\users\Shaver\AppData\Roaming\Skype
2009-11-27 05:32 . 2009-06-13 04:03 4096 d-----w- c:\program files\AIMTunes
2009-11-16 05:57 . 2008-08-13 21:50 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-11-12 14:50 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-05 01:36 . 2007-10-30 03:40 4096 d-----w- c:\program files\Google
2009-11-03 02:42 . 2009-10-02 19:51 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 03:52 . 2009-10-21 03:50 4096 d-----w- c:\program files\iTunes
2009-10-21 03:50 . 2009-10-21 03:50 -------- d-----w- c:\program files\iPod
2009-10-21 03:50 . 2008-09-14 20:27 -------- d-----w- c:\program files\Common Files\Apple
2009-10-21 03:33 . 2009-10-21 03:33 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-20 08:14 . 2009-09-20 08:14 163400 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-15 17:41 . 2009-09-15 17:35 130378 ----a-w- c:\windows\hpoins13.dat
2009-09-14 09:50 . 2009-10-13 21:00 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:40 . 2009-10-28 12:50 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-10 17:39 . 2009-10-28 12:50 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-10 17:38 . 2009-10-13 21:01 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:29 . 2009-10-28 12:50 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:29 . 2009-10-28 12:50 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-09-09 23:34 . 2008-01-22 01:43 49152 ----a-w- c:\windows\system32\instw32.exe
2009-09-04 12:38 . 2009-10-13 21:00 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 15:21 . 2009-10-13 21:01 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 15:17 . 2009-10-13 21:01 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-08-31 15:16 . 2009-10-13 21:01 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-10-30 03:28 . 2007-10-30 03:28 80 --sha-r- c:\windows\CT4CET.bin
2007-10-30 10:55 . 2007-10-30 10:45 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 23:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-08-13 1232896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-10-30 1006264]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-29 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-28 405504]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-29 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3758722250-649579731-3220627272-1000]
"EnableNotificationsRef"=dword:00000002

R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [10/29/2007 9:01 PM 73728]
R2 ATIWebPAM;ATI WebPAM;c:\program files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe [9/29/2003 7:30 AM 110592]
R2 CSHelper;CopySafe Helper Service;c:\windows\System32\CSHelper.exe [7/25/2009 10:19 AM 266240]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/13/2008 4:03 PM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/28/2009 3:50 PM 133104]
S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [10/30/2007 4:55 AM 235520]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [10/30/2007 4:55 AM 7424]
S3 PAC207;SoC PC-Camera;c:\windows\System32\drivers\PFC027.SYS [12/5/2006 10:34 AM 507136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-28 21:50]

2009-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-28 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Shaver\AppData\Roaming\Mozilla\Firefox\Profiles\rjjj0976.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=logo
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npArtistScope42.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npArtistScopeDRM11.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Shaver\AppData\Roaming\Move Networks\plugins\npqmp071500000347.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe verbose
AddRemove-{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD} - c:\program files\DellTPad\Uninstap.exe ADDREMOVE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 14:05
Windows 6.0.6000 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5220)
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\rpcnet.exe
c:\program files\ATI\WebPAM\_jvm\bin\java.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-11-28 14:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-28 20:10

Pre-Run: 63,033,946,112 bytes free
Post-Run: 63,136,763,904 bytes free

- - End Of File - - 0E1ADFE3C9AE6E6A46C75C8C01DAB3DB

After Combo Fix ran, a warning screen continues to pop up with every program or file I try to run that says "Illegal operation attempted on a registry key that has been marked for deletion." This even happened when I tried to reopen the log posted above. Is it supposed to do that?
#5
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 3,059
OS: XP sp3
Re: buyonlinedating.net scam (REPOSTED)
It happens sometimes, just reboot a couple of times, that will take care of it.
While I am analyzing your log, can you please tell me how your computer is running now and if there are any more outstanding issues. Thanks ~CB
#7
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 3,059
OS: XP sp3
Re: buyonlinedating.net scam (REPOSTED)
Hi,
Please do the following:
Please do the same for the following files:
c:\windows\system32\rpcnetp.exe
c:\windows\system32\rpcnetp.dll
#8
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 8,171
OS: XP SP3
Re: buyonlinedating.net scam (REPOSTED)
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:
http://www.techsupportforum.com/secu...oval-help.html
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006