I'm going through the same problem as someone was going through before, with hearing ads and clicking noises without a browser being opened. I downloaded Combo, whatever it's called; these were the results:
ComboFix 10-07-26.04 - Owner 07/27/2010 11:06:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.251 [GMT -4]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system\WINSPOOL.DRV
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\msgsvc.dll . . . is infected!!
.
MBR is infected with the Whistler Bootkit !!
((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.
2010-07-27 04:21 . 2010-07-27 04:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Yahoo
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Toolbar4
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-07-27 03:55 . 2010-07-27 03:55 -------- d-----w- C:\N360_BACKUP
2010-07-16 18:10 . 2010-07-16 18:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Unity
2010-07-05 18:05 . 2010-07-05 18:05 -------- d-----w- c:\program files\Audacity
2010-06-29 12:38 . 2010-06-29 12:38 -------- d-----w- c:\documents and settings\Owner\Application Data\IMVU Previewer
2010-06-29 12:32 . 2010-06-29 12:32 -------- d-----w- C:\3dsmax7
2010-06-29 01:40 . 2010-07-02 13:07 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-06-29 01:39 . 2010-06-29 01:39 -------- d-----w- c:\documents and settings\Owner\.thumbnails
2010-06-29 01:12 . 2010-07-02 13:08 -------- d-----w- c:\documents and settings\Owner\.gimp-2.6
2010-06-29 01:11 . 2010-06-29 01:11 -------- d-----w- c:\program files\GIMP-2.0
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-27 15:00 . 2010-01-19 08:19 -------- d-----w- c:\program files\Common Files\AOL
2010-07-27 14:52 . 2010-06-04 23:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Toolbar4
2010-07-27 14:31 . 2010-05-26 07:15 -------- d-----w- c:\documents and settings\Owner\Application Data\IMVU
2010-07-27 06:53 . 2010-01-04 20:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 05:56 . 2010-01-04 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-24 23:27 . 2010-06-04 23:48 -------- d-----w- c:\program files\CamStudio
2010-06-15 20:02 . 2010-06-15 13:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-15 13:55 . 2010-06-15 13:55 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-15 13:55 . 2010-06-15 13:55 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-15 13:55 . 2010-06-15 13:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-15 13:55 . 2010-06-15 13:55 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-15 13:55 . 2010-06-15 13:55 -------- d-----w- c:\program files\Symantec
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\program files\Norton Security Suite
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\program files\Windows Sidebar
2010-06-15 13:54 . 2010-06-15 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\program files\NortonInstaller
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-15 13:54 . 2010-01-06 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-14 14:31 . 2010-01-04 20:25 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 02:37 . 2010-03-03 02:45 -------- d-----w- c:\program files\Logitech
2010-06-11 02:36 . 2010-06-11 02:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Leadertech
2010-06-11 02:36 . 2010-03-03 02:45 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-06-11 02:31 . 2010-03-03 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2010-06-04 07:00 . 2010-01-04 20:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-31 12:59 . 2010-05-31 12:59 -------- d-----w- c:\documents and settings\Owner\Application Data\FoxyTunes
2010-05-31 12:59 . 2010-05-31 12:59 -------- d-----w- c:\program files\FoxyTunes
2010-05-06 10:41 . 2001-08-23 09:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 16:04 . 2001-08-23 09:00 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-01-04 20:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-01-04 20:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2010-1-4 128000]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [6/15/2010 10:37 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [6/15/2010 10:37 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100709.001\BHDrvx86.sys [7/12/2010 7:27 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [6/15/2010 10:37 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [6/15/2010 10:37 PM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [6/15/2010 10:37 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/23/2010 12:17 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100723.001\IDSXpx86.sys [7/23/2010 10:58 PM 331640]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/4/2010 4:41 PM 38224]
.
Contents of the 'Scheduled Tasks' folder
2010-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{90b49673-5506-483e-b92b-ca0265bd9ca8}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{90b49673-5506-483e-b92b-ca0265bd9ca8}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-mcmscsvc
SafeBoot-MCODS
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 11:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
c:\program files\Internet Explorer\IEXPLORE.EXE [1108] 0x852FCDA0
c:\program files\Internet Explorer\IEXPLORE.EXE [2100] 0x84C6B8D0
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"=""c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe" /s "N360" /m "c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,33,86,3e,4d,61,b4,41,ab,8f,99,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,33,86,3e,4d,61,b4,41,ab,8f,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3888)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2010-07-27 11:30:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-27 15:30
Pre-Run: 251,974,479,872 bytes free
Post-Run: 252,020,326,400 bytes free
- - End Of File - - E9E3CEAAF5920ABC8098D0D481DA93A2
After that I'm still hearing ads and clicking noises. What's my next step?