
Internet security 2010



Hi and welcome

 

This machine has quite a bit of infection.

Has your antivirus protection been on and updated?

 

Please resume all work on your computer with this topic in the HJT forum.

 

You may want to print out these instructions or save them to Notepad/WordPad, since all windows will have to be closed.

 

 

Open HijackThis, click Do a system scan only, and checkmark these entries. Then close all other windows and browsers except HijackThis and press Fix checked.

 

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.212.127.226 ossecure2009.microsoft.com

O1 - Hosts: 91.212.127.226 os-secure2009.com

O1 - Hosts: 91.212.127.226 www.os-secure2009.com

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: gwprimawega - {a8eeebd5-9962-5197-5172-d056c9db9f81} - C:\WINDOWS\system32\0tH9lPJDt_5nI2_.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

 

O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe

O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\Ali\LOCALS~1\Temp\cgnux.exe

O4 - HKCU\..\Run: [COM+ Manager] "C:\Documents and Settings\Ali\.COMMgr\complmgr.exe"

O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Ali\LOCALS~1\Temp\services.exe

O4 - HKCU\..\Run: [LREC75DND7] C:\DOCUME~1\Ali\LOCALS~1\Temp\c.exe

O4 - HKCU\..\Run: [internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe

O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Ali\Application Data\SystemProc\lsass.exe

 

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O20 - Winlogon Notify: jkkIYsSi - jkkIYsSi.dll (file missing)

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Download OTM by OldTimer Here & save it to your desktop.

  • Double click on OTM.exe to run it
  • Copy & paste the contents inside the Code box below beginning with :Files into --->> Paste Instructions for Items to be Moved
Note: Do not type it out, to minimize the risk of a typo.

:Files
C:\DOCUME~1\Ali\LOCALS~1\Temp\services.exe
C:\Documents and Settings\Ali\.COMMgr\complmgr.exe
C:\WINDOWS\system32\winupdate86.exe
C:\WINDOWS\system32\0tH9lPJDt_5nI2_.dll
C:\DOCUME~1\Ali\LOCALS~1\Temp\c.exe
C:\DOCUME~1\Ali\LOCALS~1\Temp\cgnux.exe
C:\DOCUME~1\Ali\LOCALS~1\Temp\install.exe
C:\Program Files\InternetSecurity2010
%SystemRoot%\system32\drivers\etc\hosts
:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COM+ Manager"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winupdate86.exe"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ygua8e7yhuiesfha876yfauy8fe"=-
"asg984jgkfmgasi8ug98jgkfgfb"=-
"LREC75DND7"=-
"Internet Security 2010"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"RTHDBPL"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="" 
:Commands
[purity]
[emptytemp]
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.

A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Download the HostsXpert 4.3 - Hosts File Manager.

 

http://www.funkytoad.com/index.php?option=...=13&Itemid=

 

* Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert

* Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home

* Click "Make Hosts Writable?" in the upper corner (If available).

 

* Next Click Restore Microsoft's Hosts files and then click OK.

* Click the X to exit the program.

* Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

How To: Download and Extract the HOSTS file

http://www.mvps.org/winhelp2002/hosts2.htm

 

HOSTS File - Frequently Asked Questions

http://www.mvps.org/winhelp2002/hostsfaq.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

In your next reply post:

OTM log

new HJT log

 

 

Are there any improvements with your computer?

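The entries listed in the fix above follow a handful of patterns that can be checked mechanically before reading the rest of a HijackThis log: hosts-file lines that send a real domain somewhere other than loopback, O4 autoruns launched from a Temp directory or carrying the name of a Windows binary outside System32, the rarely legitimate Policies\Explorer\Run key, O7 lockdown policies, and O20 AppInit_DLLs or orphaned Winlogon Notify packages. The following Python script is an added example written for this page, not a tool from the thread or from the HijackThis project. The sample log is constructed from lines posted in this thread (plus one benign ATI autorun so the rules have something to pass), the "random-looking value name" rule and the choice of which paths count as suspicious are assumptions of mine, and the output is a list of (entry, reason) pairs for a human to review, not a verdict.

```python
import ipaddress
import re
from typing import List, Tuple

# Names that the malware in this thread borrowed from real Windows binaries.
SYSTEM_BINARY_NAMES = {
    "services.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
    "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
}

# Constructed sample: HijackThis entries copied from the logs in this thread.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 ossecure2009.microsoft.com
O1 - Hosts: 91.212.127.226 os-secure2009.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: gwprimawega - {a8eeebd5-9962-5197-5172-d056c9db9f81} - C:\WINDOWS\system32\0tH9lPJDt_5nI2_.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\Ali\LOCALS~1\Temp\cgnux.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Ali\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Ali\Application Data\SystemProc\lsass.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll
O20 - Winlogon Notify: jkkIYsSi - jkkIYsSi.dll (file missing)
"""

O1_RE = re.compile(r"O1 - Hosts: (\S+)\s+(\S+)")
O4_RE = re.compile(r"O4 - (.+?): \[(.*?)\] (.*)")
RANDOM_NAME_RE = re.compile(r"[A-Za-z0-9]{10,}")


def _looks_random(name: str) -> bool:
    """Weak signal (my heuristic): a long alphanumeric value name mixing letters
    and digits with no dots, spaces or braces, unlike most vendor names."""
    return bool(RANDOM_NAME_RE.fullmatch(name)
                and re.search(r"\d", name) and re.search(r"[A-Za-z]", name))


def _command_path(command: str) -> str:
    """Extract the executable path from an O4 command line, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(" (User ", 1)[0].lower()


def triage_hjt(log_text: str) -> List[Tuple[str, str]]:
    """Flag HijackThis entries that match the persistence patterns seen in this thread."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]  # "O1", "O4", ...
        if section == "O1":
            m = O1_RE.match(line)
            if not m:
                continue
            ip_text, host = m.groups()
            try:
                addr = ipaddress.ip_address(ip_text)
            except ValueError:
                findings.append((line, "hosts line is not a plain address mapping; review it by hand"))
                continue
            if not addr.is_loopback:
                findings.append((line, f"hosts file redirects {host} to {ip_text}; the real site is unreachable"))
        elif section in ("O2", "O3") and ("(no file)" in line or "(file missing)" in line):
            findings.append((line, "orphaned browser add-on entry (file gone); safe cleanup"))
        elif section == "O4":
            m = O4_RE.match(line)
            if not m:
                continue  # Global Startup .lnk lines use a different layout
            key, value_name, command = m.groups()
            path = _command_path(command)
            basename = path.rsplit("\\", 1)[-1]
            if "\\temp\\" in path:
                findings.append((line, "autorun launches from a Temp directory"))
            if basename in SYSTEM_BINARY_NAMES and "\\system32\\" not in path:
                findings.append((line, f"{basename} outside System32 impersonates a Windows binary"))
            if "policies\\explorer\\run" in key.lower():
                findings.append((line, "Policies\\Explorer\\Run is rarely used by legitimate software"))
            if _looks_random(value_name):
                findings.append((line, "random-looking value name"))
        elif section == "O7":
            findings.append((line, "policy restricting Registry Editor or Task Manager (typical rogue-AV lockdown)"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():
                findings.append((line, "AppInit_DLLs loads this DLL into every process that uses user32.dll"))
        elif line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
            findings.append((line, "orphaned Winlogon Notify package (file gone)"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{reason}\n    {entry}")
```

Note what it does not catch: the gwprimawega BHO, whose DLL is still present in System32 and whose name matches no rule, produces no finding at all. That is why the manual read of the log still matters; the script narrows the list, it does not replace the review.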

Hi Juliet,

I've fixed what you told me to in HijackThis, and Internet Security 2010 has gone.

I copied the text into OTM and, as you suggested might happen, I had to restart, so here's the log file:

 

All processes killed

========== FILES ==========

C:\DOCUME~1\Ali\LOCALS~1\Temp\services.exe moved successfully.

C:\Documents and Settings\Ali\.COMMgr\complmgr.exe moved successfully.

C:\WINDOWS\system32\winupdate86.exe moved successfully.

File/Folder C:\WINDOWS\system32\0tH9lPJDt_5nI2_.dll not found.

C:\DOCUME~1\Ali\LOCALS~1\Temp\c.exe moved successfully.

C:\DOCUME~1\Ali\LOCALS~1\Temp\cgnux.exe moved successfully.

C:\DOCUME~1\Ali\LOCALS~1\Temp\install.exe moved successfully.

C:\Program Files\InternetSecurity2010 folder moved successfully.

C:\WINDOWS\system32\drivers\etc\hosts moved successfully.

========== REGISTRY ==========

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\COM+ Manager not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\winupdate86.exe not found.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ygua8e7yhuiesfha876yfauy8fe not found.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\asg984jgkfmgasi8ug98jgkfgfb not found.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LREC75DND7 not found.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Internet Security 2010 not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\RTHDBPL not found.

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully!

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: Administrator

->Temp folder emptied: 32768 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Ali

->Temp folder emptied: 150691649 bytes

->Temporary Internet Files folder emptied: 83238293 bytes

->Java cache emptied: 30624437 bytes

->FireFox cache emptied: 38329976 bytes

 

User: All Users

 

User: Default User

->Temp folder emptied: 32768 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 70855 bytes

 

User: NetworkService

->Temp folder emptied: 1163778 bytes

->Temporary Internet Files folder emptied: 85486345 bytes

 

User: Owner

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 39138 bytes

%systemroot%\System32 .tmp files removed: 23292921 bytes

Windows Temp folder emptied: 1134220 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 12991566 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 20060444 bytes

RecycleBin emptied: 23246641 bytes

 

Total Files Cleaned = 449.00 mb

 

 

OTM by OldTimer - Version 3.1.4.0 log created on 01072010_214413

 

Files moved on Reboot...

File C:\WINDOWS\temp\JETE5AC.tmp not found!

File C:\WINDOWS\temp\Perflib_Perfdata_728.dat not found!

 

Registry entries deleted on Reboot...

 

Should I just go onto the next stage or do you have any other suggestions as to what else I should do?

 

PS: My Norton 360 expired between Christmas and New Year, so I don't know if I've been covered since then. I have now ordered v3.0, so I will have antivirus re-installed shortly.


Should I just go onto the next stage or do you have any other suggestions as to what else I should do?

You should have completed the entire fix.

 

 

Are there any improvements with your computer?

 

 

NEXT**

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.

The below scan can take up to an hour or longer, so please be patient.

 

*Note

It is recommended to disable your resident antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

 

 

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/d...n=1260122209224

Other available links

Kaspersky Online Scanner or from here

http://www.kaspersky.com/virusscanner

 

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)

    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.

    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

  • Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

Animated tutorial

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

 

(Note.. for Internet Explorer 7 users:

If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

 

 

In your next reply post:

 

Kaspersky log

New HJT log taken after the above scans have run

 

 

You may need several replies to post the requested logs, otherwise they might get cut off.


I haven't tried surfing at all, so I don't know whether I'm still getting pop-ups or being redirected to the wrong website, but there's no Internet Security 2010 (apart from in the Start menu) or red cross in the bottom right corner, which seems good.

 

Here's the Kaspersky Scan:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Friday, January 8, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Friday, January 08, 2010 07:48:45

Records in database: 3325935

--------------------------------------------------------------------------------

 

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

 

Scan area - My Computer:

C:\

D:\

E:\

 

Scan statistics:

Objects scanned: 105259

Threats found: 11

Infected objects found: 81

Suspicious objects found: 0

Scan duration: 11:48:35

 

 

File name / Threat / Threats count

ati2evxx.exe\kbdsock.dll/ati2evxx.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

C:\WINDOWS\system32\kbdsock.dll/C:\WINDOWS\system32\kbdsock.dll Infected: Trojan.Win32.Agent.deot 31

c:\windows\system32\sshnas.dll/c:\windows\system32\sshnas.dll Infected: Trojan.Win32.FraudPack.ajrf 4

CCSVCHST.EXE\kbdsock.dll/CCSVCHST.EXE\kbdsock.dll Infected: Trojan.Win32.Agent.deot 2

explorer.exe\kbdsock.dll/explorer.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

spoolsv.exe\kbdsock.dll/spoolsv.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

monitor.exe\kbdsock.dll/monitor.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

hpwuSchd2.exe\kbdsock.dll/hpwuSchd2.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

hpotdd01.exe\kbdsock.dll/hpotdd01.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

QTTask.exe\kbdsock.dll/QTTask.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

iTunesHelper.exe\kbdsock.dll/iTunesHelper.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

sprtcmd.exe\kbdsock.dll/sprtcmd.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

ctfmon.exe\kbdsock.dll/ctfmon.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

msmsgs.exe\kbdsock.dll/msmsgs.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

NMBgMonitor.exe\kbdsock.dll/NMBgMonitor.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

acrotray.exe\kbdsock.dll/acrotray.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

AppleMobileDeviceService.exe\kbdsock.dll/AppleMobileDeviceService.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

AluSchedulerSvc.exe\kbdsock.dll/AluSchedulerSvc.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

IAANTmon.exe\kbdsock.dll/IAANTmon.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

jqs.exe\kbdsock.dll/jqs.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

MDM.EXE\kbdsock.dll/MDM.EXE\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

sprtsvc.exe\kbdsock.dll/sprtsvc.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

tgsrvc.exe\kbdsock.dll/tgsrvc.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

SpySweeper.exe\kbdsock.dll/SpySweeper.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

iPodService.exe\kbdsock.dll/iPodService.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

iexplore.exe\kbdsock.dll/iexplore.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 3

WinRAR.exe\kbdsock.dll/WinRAR.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

Acrobat.exe\kbdsock.dll/Acrobat.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

WISPTIS.EXE\kbdsock.dll/WISPTIS.EXE\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

msnmsgr.exe\kbdsock.dll/msnmsgr.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1

C:\Documents and Settings\Ali\Application Data\SystemProc\lsass.exe Infected: Trojan.Win32.Swisyn.twi 1

C:\Documents and Settings\Ali\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{087AD7A3-C010-4FAC-8511-B0DA327F5994} Infected: Trojan.Win32.Qhost.ka 1

C:\Documents and Settings\Ali\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9C2D0797-7A3F-40FC-813F-4CE9E41C393F} Infected: Trojan.Win32.Qhost.ka 1

C:\Documents and Settings\Ali\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{CF55BCDD-475C-499B-82B8-728AFC7B450E} Infected: Trojan.Win32.Qhost.ka 1

C:\Documents and Settings\Ali\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{FE00FBED-79A1-4B5E-9619-15E598B715D7} Infected: Trojan.Win32.Qhost.ka 1

C:\WINDOWS\SYSTEM32\critical_warning.html Infected: Trojan.JS.Hoax.b 1

C:\WINDOWS\SYSTEM32\sshnas.dll Infected: Trojan.Win32.FraudPack.ajrf 1

C:\WINDOWS\SYSTEM32\winhelper86.dll Infected: Trojan.Win32.BHO.adcn 1

C:\WINDOWS\SYSTEM32\winlogon86.exe Infected: Trojan-Downloader.Win32.FraudLoad.gij 1

C:\WINDOWS\SYSTEM32\winupdate .exe Infected: Trojan-Downloader.Win32.FraudLoad.fwn 1

C:\ydbkaxo.exe Infected: Trojan-Downloader.Win32.FraudLoad.gij 1

C:\_OTM\MovedFiles\01072010_214413\C_Documents and Settings\Ali\.COMMgr\complmgr.exe Infected: Trojan.Win32.Scar.bbjy 1

C:\_OTM\MovedFiles\01072010_214413\C_DOCUME~1\Ali\LOCALS~1\Temp\c.exe Infected: Packed.Win32.Krap.ag 1

C:\_OTM\MovedFiles\01072010_214413\C_Program Files\InternetSecurity2010\IS2010.exe Infected: Trojan.Win32.FraudPack.ajsf 1

C:\_OTM\MovedFiles\01072010_214413\C_WINDOWS\system32\winupdate86.exe Infected: Trojan-Downloader.Win32.FraudLoad.gij 1

 

Selected area has been scanned.

 

and here's the latest hijackthis log run after the scan:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:22:53, on 10/01/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\TalkTalk\bin\sprtsvc.exe

C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe

C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\TalkTalk\bin\sprtcmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll

O1 - Hosts: [internet Media][AS12008][204.69.234.0 - 204.69.234.255]

O2 - BHO: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {a8eeebd5-9962-5197-5172-d056c9db9f81} - (no file)

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O3 - Toolbar: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [ulead AutoDetector] "C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe"

O4 - HKLM\..\Run: [ulead Photo Express Calendar Checker] "C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"

O4 - HKLM\..\Run: [ppmate] "C:\Program Files\PPMate\PPMate\ppmate.exe" -autoplay

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k

O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...448/mcfscan.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 13492 bytes

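The thirty-odd hits on kbdsock.dll in the Kaspersky report above are one infection, not thirty. Lines of the form process.exe\kbdsock.dll report a module found inside a running process, and the same module inside nearly every process on the box points at a global load point rather than at many separate infections; the HijackThis log posted with it shows that load point as O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll, which the earlier OTM script had tried to clear. The following Python script is an added example written for this page, not part of the original post or of any Kaspersky tool. It assumes the report layout shown above (container/object, then "Infected: name count"), treats a container with no drive letter as a process name (my reading of the format, which the scanner does not document), uses a threshold of three distinct processes that I chose, and separates files already sitting under C:\_OTM\MovedFiles, which the scanner still reports but which are no longer active. The sample report is a constructed subset of the one posted above.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample: a subset of the Kaspersky Online Scanner report posted above.
SAMPLE_REPORT = r"""
ati2evxx.exe\kbdsock.dll/ati2evxx.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1
C:\WINDOWS\system32\kbdsock.dll/C:\WINDOWS\system32\kbdsock.dll Infected: Trojan.Win32.Agent.deot 31
c:\windows\system32\sshnas.dll/c:\windows\system32\sshnas.dll Infected: Trojan.Win32.FraudPack.ajrf 4
explorer.exe\kbdsock.dll/explorer.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1
spoolsv.exe\kbdsock.dll/spoolsv.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1
iexplore.exe\kbdsock.dll/iexplore.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 3
SpySweeper.exe\kbdsock.dll/SpySweeper.exe\kbdsock.dll Infected: Trojan.Win32.Agent.deot 1
C:\Documents and Settings\Ali\Application Data\SystemProc\lsass.exe Infected: Trojan.Win32.Swisyn.twi 1
C:\WINDOWS\SYSTEM32\sshnas.dll Infected: Trojan.Win32.FraudPack.ajrf 1
C:\WINDOWS\SYSTEM32\winlogon86.exe Infected: Trojan-Downloader.Win32.FraudLoad.gij 1
C:\ydbkaxo.exe Infected: Trojan-Downloader.Win32.FraudLoad.gij 1
C:\_OTM\MovedFiles\01072010_214413\C_WINDOWS\system32\winupdate86.exe Infected: Trojan-Downloader.Win32.FraudLoad.gij 1
Selected area has been scanned.
"""

LINE_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# "proc.exe\module.dll" with no drive letter: a module found inside a running
# process (my reading of the report format, not documented by the scanner).
PROCESS_MODULE_RE = re.compile(r"^(?P<proc>[^\\/:]+\.exe)\\(?P<module>[^\\/]+)$", re.IGNORECASE)
QUARANTINE_PREFIX = "c:\\_otm\\movedfiles\\"  # where OTM put the files it moved


class Triage(NamedTuple):
    injected: Dict[str, Set[str]]   # module -> processes it was found inside
    live_files: Dict[str, str]      # on-disk path (lower-cased) -> threat name
    quarantined: Dict[str, str]     # paths already moved by OTM -> threat name


def triage_report(text: str, inject_threshold: int = 3) -> Triage:
    """Group scanner hits by what they mean for cleanup rather than by raw count."""
    seen_in: Dict[str, Set[str]] = defaultdict(set)
    live_files: Dict[str, str] = {}
    quarantined: Dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, statistics, footer
        # The scanner writes "container/object"; the container is what sits on disk or in memory.
        container = m.group("obj").split("/", 1)[0]
        pm = PROCESS_MODULE_RE.match(container)
        if pm:
            seen_in[pm.group("module").lower()].add(pm.group("proc").lower())
        elif container.lower().startswith(QUARANTINE_PREFIX):
            quarantined[container.lower()] = m.group("threat")
        else:
            live_files[container.lower()] = m.group("threat")
    # One module inside many unrelated processes suggests a global load point
    # (AppInit_DLLs, AppCertDlls, a Winlogon package), not many separate infections.
    systemwide = {mod: procs for mod, procs in seen_in.items() if len(procs) >= inject_threshold}
    return Triage(systemwide, live_files, quarantined)


def cleanup_plan(t: Triage) -> List[str]:
    """Human-readable next steps derived from the triage."""
    plan: List[str] = []
    for mod, procs in sorted(t.injected.items()):
        plan.append(f"{mod}: loaded in {len(procs)} processes; find and clear its load point, then remove the file")
    for path, threat in sorted(t.live_files.items()):
        plan.append(f"{path}: {threat}; still on disk, needs removal")
    for path, threat in sorted(t.quarantined.items()):
        plan.append(f"{path}: {threat}; already moved by OTM, no action")
    return plan


if __name__ == "__main__":
    for step in cleanup_plan(triage_report(SAMPLE_REPORT)):
        print(step)
```

The practical consequence for this thread: deleting kbdsock.dll alone would leave AppInit_DLLs pointing at a missing file, and deleting only the registry value would leave the DLL waiting to be re-registered by whatever dropped it; both the load point and the file have to go, and the on-disk list (sshnas.dll, the fake lsass.exe, winlogon86.exe, ydbkaxo.exe) is what still needs removal after the OTM run.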

We need to run another scan or two.

 

Even if you have already downloaded and run MBAM (Malwarebytes' Anti-Malware), I want you to at least update it and run a new scan.

 

 

Please download Malwarebytes' Anti-Malware to your desktop.

 

Additional Link

Here also

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* You can also access the log by doing the following:

 

o Click on the Malwarebytes' Anti-Malware icon to launch the program.

o Click on the Logs tab.

o Click on the log at the bottom of those listed to highlight it.

o Click Open.

 

Tutorial if needed

http://thespykiller.co.uk/index.php/topic,5946.0.html

 

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

 

 

 

In your next reply post:

Malwarebytes' Anti-Malware log

New HJT log


Here are my MBAM report and also my latest HJT log. What do you think?

I'm still not running any antivirus but I expect my norton 360 to be delivered tomorrow.

 

Malwarebytes' Anti-Malware 1.44

Database version: 3537

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

11/01/2010 00:23:26

mbam-log-2010-01-11 (00-23-26).txt

 

Scan type: Quick Scan

Objects scanned: 123962

Time elapsed: 9 minute(s), 7 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 7

Registry Values Infected: 4

Registry Data Items Infected: 10

Folders Infected: 0

Files Infected: 17

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

c:\WINDOWS\SYSTEM32\sshnas.dll (Trojan.Downloader) -> Delete on reboot.

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\LREC75DND7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\E8WECRKKMV (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Rootkit.Agent) -> Data: c:\windows\system32\kbdsock.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Rootkit.Agent) -> Data: system32\kbdsock.dll -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

c:\WINDOWS\SYSTEM32\sshnas.dll (Trojan.Downloader) -> Delete on reboot.

C:\ydbkaxo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\mshlps.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\winupdate .exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\winhelper86.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\stxvmt.sys (Rootkit.Agent) -> Delete on reboot.

C:\Documents and Settings\Ali\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ali\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ali\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\flags.ini (Malware.Trace) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\kbdsock.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:31:38, on 11/01/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\TalkTalk\bin\sprtsvc.exe

C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe

C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TalkTalk\bin\sprtcmd.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll

O1 - Hosts: [internet Media][AS12008][204.69.234.0 - 204.69.234.255]

O2 - BHO: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {a8eeebd5-9962-5197-5172-d056c9db9f81} - (no file)

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O3 - Toolbar: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [ulead AutoDetector] "C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe"

O4 - HKLM\..\Run: [ulead Photo Express Calendar Checker] "C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"

O4 - HKLM\..\Run: [ppmate] "C:\Program Files\PPMate\PPMate\ppmate.exe" -autoplay

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k

O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...448/mcfscan.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 13387 bytes

Edited by Juliet

I'm still not running any antivirus but I expect my norton 360 to be delivered tomorrow.

I see an older Norton on the machine, which is fine, but if it can't update to the latest virus definitions then this computer needs to stay off the internet till you can get an updated or new subscription on here.

You'll be reinfected.

 

The Kaspersky scan showed a password keylogger on your computer.

MBAM has found it and quarantined it, so I'm very glad we ran that scanner.

 

What we need to do for this:

 

One or more of the identified infections is a password-stealing Trojan. If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:

 

* Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

* From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

 

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online banking/financial purposes until we give it the all clear.

 

 

 

What I would like for you to do, after you get your new antivirus on the computer, is run a new Kaspersky scan and post the log it creates.

I would like to get verification MBAM has removed all the infection.

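The helper's request above comes down to a question the MBAM log can only partly answer: which detections were actually removed, which were deferred to "Delete on reboot" and so still need confirming after the restart, and which registry load points (AppInit_DLLs, AppCertDlls, Run keys, services) were used to pull the malware in. The script below is an added example, not part of this thread or of Malwarebytes' own tooling, that parses the MBAM 1.44 log format as posted and pulls those three answers out of it. The embedded log is a constructed excerpt that reuses entries from the posted report; the function and constant names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: an excerpt laid out like the MBAM 1.44 log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3537
Files Infected: 3

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\sshnas.dll (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Rootkit.Agent) -> Data: c:\windows\system32\kbdsock.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Rootkit.Agent) -> Data: system32\kbdsock.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\sshnas.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\stxvmt.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\kbdsock.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# "Files Infected:" with nothing after the colon opens a section; "Files Infected: 17" is a count.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+Infected):\s*$")
# item (Family) -> [detail ->] action.   detail is "Bad: (1) Good: (0)" or "Data: <path>".
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:(?P<detail>.+?) -> )?"
    r"(?P<action>[^>]+?)\.?$"
)
# Registry locations that load code into other processes or at logon (my choice of markers).
LOAD_POINT_MARKERS = ("appinit_dlls", "appcertdlls", "\\services\\", "\\run")


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    family: str
    action: str
    detail: Optional[str] = None


def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the log line by line, remembering the current 'X Infected:' section."""
    section = "Unknown"
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m:  # header, count and "(No malicious items detected)" lines fall through here
            found.append(Detection(section, m.group("item"), m.group("family"),
                                   m.group("action"), m.group("detail")))
    return found


def summarize_by_family(detections: List[Detection]) -> Counter:
    return Counter(d.family for d in detections)


def pending_reboot(detections: List[Detection]) -> List[str]:
    """Items MBAM could not remove while running; these must be re-checked after the restart."""
    unique: Dict[str, str] = {}
    for d in detections:
        if d.action.lower() == "delete on reboot":
            unique.setdefault(d.item.lower(), d.item)
    return sorted(unique.values(), key=str.lower)


def load_point_hits(detections: List[Detection]) -> List[Detection]:
    """Registry detections that sit on a code-loading or autostart location."""
    return [d for d in detections
            if d.section.startswith("Registry")
            and any(marker in d.item.lower() for marker in LOAD_POINT_MARKERS)]


def unreferenced_loader_targets(detections: List[Detection]) -> List[str]:
    """Paths named by 'Data:' load points that no file detection covers (e.g. relative paths)."""
    files = {d.item.lower() for d in detections if d.section == "Files Infected"}
    missing = []
    for d in detections:
        if d.detail and d.detail.lower().startswith("data: "):
            target = d.detail[6:].strip().lower()
            if target not in files:
                missing.append(target)
    return missing


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print("by family:", dict(summarize_by_family(dets)))
    print("verify after reboot:", *pending_reboot(dets), sep="\n  ")
    print("load points used:", *(d.item for d in load_point_hits(dets)), sep="\n  ")
    print("loader targets without a file detection:", unreferenced_loader_targets(dets))
```

The last function is the caveat worth knowing: the posted log lists `AppInit_DLLs` twice, once with a full path and once with the relative `system32\kbdsock.dll`, and only the full path matches a file entry by string comparison, so the relative one is reported for manual confirmation rather than silently assumed gone.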

Luckily I don't use this computer for online banking, but like most people I have bought things online.

It will be very hard to remember all the sites that I have used and bought from; is there some sort of tool I can download to find them?

Do I need to contact all the websites or just those that I know I've used recently? And also, should I notify stores that I've bought items from, or just change my password on that site?

 

I think the risk of having my passwords stolen is smaller than if I stored them normally, as I have used Norton to store my passwords rather than just on the computer, but I have still contacted my bank just in case.


Luckily I don't use this computer for online banking, but like most people I have bought things online.

It will be very hard to remember all the sites that I have used and bought from; is there some sort of tool I can download to find them?

Do I need to contact all the websites or just those that I know I've used recently? And also, should I notify stores that I've bought items from, or just change my password on that site?

 

I think the risk of having my passwords stolen is smaller than if I stored them normally, as I have used Norton to store my passwords rather than just on the computer, but I have still contacted my bank just in case.

 

I don't think it's necessary to contact all the 'sites' where purchases were made but rather what payment method was used.

Be it credit card, debit card, PayPal, or other available ways.

Those methods or financial institutions are the ones that need to be notified of a security breach.

I'm thinking mostly your bank, or to contact PayPal?

  • 3 weeks later...

Right, it's been a while since I've had a chance to get back on here, but here's a copy of my latest Kaspersky scan and also an HJT log now that I've got Norton 360 installed.

My computer seems to be running fine apart from Google, which goes to random pages instead of what I search for. What's next?

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Wednesday, January 27, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, January 26, 2010 23:22:11

Records in database: 3374802

--------------------------------------------------------------------------------

 

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

 

Scan area - My Computer:

C:\

D:\

 

Scan statistics:

Objects scanned: 104384

Threats found: 2

Infected objects found: 5

Suspicious objects found: 0

Scan duration: 11:32:43

 

 

File name / Threat / Threats count

C:\Documents and Settings\Ali\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{087AD7A3-C010-4FAC-8511-B0DA327F5994} Infected: Trojan.Win32.Qhost.ka 1

C:\Documents and Settings\Ali\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9C2D0797-7A3F-40FC-813F-4CE9E41C393F} Infected: Trojan.Win32.Qhost.ka 1

C:\Documents and Settings\Ali\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{CF55BCDD-475C-499B-82B8-728AFC7B450E} Infected: Trojan.Win32.Qhost.ka 1

C:\Documents and Settings\Ali\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{FE00FBED-79A1-4B5E-9619-15E598B715D7} Infected: Trojan.Win32.Qhost.ka 1

C:\Program Files\Trend Micro\HijackThis\backups\backup-20100107-214052-489.dll Infected: not-a-virus:AdWare.Win32.EZula.fl 1

 

Selected area has been scanned.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:16:26, on 27/01/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Application Updater\ApplicationUpdater.exe

C:\Program Files\AskBarDis\bar\bin\AskService.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe

C:\Program Files\TalkTalk\bin\sprtsvc.exe

C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\SearchSettings.dll

O1 - Hosts: [internet Media][AS12008][204.69.234.0 - 204.69.234.255]

O2 - BHO: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {a8eeebd5-9962-5197-5172-d056c9db9f81} - (no file)

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\SearchSettings.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O3 - Toolbar: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [ulead AutoDetector] "C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe"

O4 - HKLM\..\Run: [ulead Photo Express Calendar Checker] "C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"

O4 - HKLM\..\Run: [ppmate] "C:\Program Files\PPMate\PPMate\ppmate.exe" -autoplay

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k

O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk

O4 - HKLM\..\Run: [searchSettings] C:\Program Files\Search Settings\SearchSettings.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...448/mcfscan.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe

O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe

O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe

O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

 

--

End of file - 12988 bytes

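A HijackThis log like the one above is normally triaged by eye, and the helper's fix lists in this thread show the tells they look for: hosts-file entries that point anywhere but loopback, entries whose file no longer exists, autoruns launched from a user's Temp directory or borrowing a core process name outside system32, the rarely legitimate Policies\Explorer\Run key, random-looking value or module names, and the policy that disables regedit. The script below is an added example, not part of this thread and not HijackThis's own code; it encodes those tells as heuristics in Python so they can be run over a pasted log offline. The sample log, its value names, CLSIDs, file names and the 203.0.113.7 address are constructed for the demonstration, and the vowel-ratio test for "random-looking" names is a crude proxy, so treat every hit as a prompt to look, not a verdict.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; not HijackThis code and not a tool the helpers
used. SAMPLE_LOG is constructed: its value names, CLSIDs, file names and the
203.0.113.7 address are made up for the demonstration.
"""
import re
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "::1"}                     # anything else in O1 is a redirect
SYSTEM_PROCESS_NAMES = {"lsass.exe", "services.exe", "csrss.exe",
                        "svchost.exe", "winlogon.exe", "smss.exe"}
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\temp\\")  # lower-case
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
ORPHAN = re.compile(r"\((file missing|no file)\)\s*$", re.IGNORECASE)

SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.7 update.example-vendor.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\hq7zxkvtp2.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O4 - HKCU\..\Run: [kq9xz7rtv4mpl2wqhs] C:\DOCUME~1\user\LOCALS~1\Temp\vqtrk.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [UpdSvc] C:\Documents and Settings\user\Application Data\SysData\lsass.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: xqzkvrts - xqzkvrts.dll (file missing)
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
"""


@dataclass
class Finding:
    line: str
    reasons: list


def looks_random(name: str) -> bool:
    """Crude test for machine-generated names: 8+ alphanumerics with under 20% vowels."""
    token = re.sub(r"[^A-Za-z0-9]", "", name)
    if len(token) < 8:
        return False
    return sum(c in "aeiouAEIOU" for c in token) / len(token) < 0.2


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def triage_line(line: str) -> list:
    """Return the reasons a single HJT line deserves a second look (empty if none)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    low = body.lower()
    reasons = []
    if ORPHAN.search(body):
        reasons.append("orphaned entry: referenced file is missing")
    if section == "O1":                          # Hosts: <address> <hostname>
        parts = body.split()
        if len(parts) >= 3 and parts[1] not in LOOPBACK:
            reasons.append(f"hosts file redirects {parts[2]} to {parts[1]}")
    elif section == "O4":                        # autorun: [value name] target
        nm = re.search(r"\[(.*?)\]\s*(.*)$", body)
        if nm:
            value_name, target = nm.group(1), nm.group(2).strip()
            if target.startswith('"'):           # drop quoting and trailing arguments
                target = target[1:].split('"', 1)[0]
            tlow = target.lower()
            exe = basename(tlow)
            if any(mk in tlow for mk in TEMP_MARKERS):
                reasons.append("autorun target lives in a temp directory")
            if exe in SYSTEM_PROCESS_NAMES and "\\system32\\" not in tlow:
                reasons.append(f"system process name {exe} outside system32")
            if looks_random(value_name):
                reasons.append("random-looking autorun value name")
            if "policies\\explorer\\run" in low:
                reasons.append("Policies\\Explorer\\Run autorun, rarely used legitimately")
    elif section in ("O2", "O20"):               # BHO / Winlogon Notify: last field is the module
        module = basename(ORPHAN.sub("", body.split(" - ")[-1]).strip())
        if looks_random(module.rsplit(".", 1)[0]):
            reasons.append(f"random-looking module name {module}")
    elif section == "O7" and "disableregedit=1" in low:
        reasons.append("registry editor disabled by policy")
    return reasons


def triage(log_text: str) -> list:
    """Run triage_line over a whole log, keeping only lines with at least one reason."""
    return [Finding(ln.strip(), triage_line(ln))
            for ln in log_text.splitlines() if triage_line(ln)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

Run as a script it prints the seven sample lines that trip a heuristic, each with its reasons; the SUPERAntiSpyware and Norton lines pass clean, as they should. Paste a real log into `triage()` instead of `SAMPLE_LOG` to use it on a thread like this one.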

Welcome back

 

 

Click Start>Control Panel>Add or Remove programs and uninstall the following:

Search Settings 1.2

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O4 - HKLM\..\Run: [searchSettings] C:\Program Files\Search Settings\SearchSettings.exe

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

OTM has been updated to a newer version. I want you to delete/uninstall the version you have now and download the newest.

Download OTM by OldTimer Here & save it to your desktop.

  • Double click on OTM.exe to run it
  • Copy & paste the contents inside the Code box below beginning with :Files into --->> Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error

:Files
c:\program files\search settings
C:\Program Files\Trend Micro\HijackThis\backups\backup-20100107-214052-489.dll
:Commands
[purity]
[emptytemp]
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.

A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

 

 

Download ComboFix from either of these locations:

Link 1

Link 2

 

 

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

 

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • NORTON 360

    • Right-click the Norton 360 icon in the system tray and select Open Tasks and Settings Window.
    • On the right side, under Settings, click on Change advanced settings.
    • Next, click on the Virus & Spyware Protection Settings.
    • Uncheck Turn on Auto-Protect and select Apply.
    • You will be asked to select a time for Norton to reactivate.
    • Choose Until I turn it back on.
    • You can re-enable after the malware has been removed from your machine.

    **************************

  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

 

 

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.

Don't select to run the Recovery Console as we don't need it.

By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

 

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

If there are internet issues afterward:

 

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings, then uncheck "Use a proxy server", or reconfigure the proxy server again in case you had set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, then uncheck the proxy server and set it to No Proxy.

 

 

 

In your next reply post:

OTM log

ComboFix.txt

 

You may need several replies to post the requested logs, otherwise they might get cut off.


Right then, here are my logs. Everything seems OK, although I had to manually reboot after ComboFix told me not to, as the computer wasn't doing anything for about 30 mins, and my computer always comes up with a hardware malfunction error saying:

NMI: Parity Check/Memory Parity Error

 

Google searching seems to be ok though.

 

OTM:

 

All processes killed

========== FILES ==========

File/Folder c:\program files\search settings not found.

C:\Program Files\Trend Micro\HijackThis\backups\backup-20100107-214052-489.dll moved successfully.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Ali

->Temp folder emptied: 95265501 bytes

->Temporary Internet Files folder emptied: 11851402 bytes

->Java cache emptied: 140308 bytes

->FireFox cache emptied: 2898088 bytes

 

User: All Users

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 33855 bytes

 

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

User: Owner

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 2818852 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 20616386 bytes

RecycleBin emptied: 196717338 bytes

 

Total Files Cleaned = 315.00 mb

 

 

OTM by OldTimer - Version 3.1.7.0 log created on 01282010_181248

 

Files moved on Reboot...

File C:\WINDOWS\temp\AskBarDis\upgrade\UpgradeData.xml not found!

File C:\WINDOWS\temp\AskBarDis\RSS\1\Featured.xml not found!

File C:\WINDOWS\temp\AskBarDis\RSS\1\ForYou.xml not found!

File C:\WINDOWS\temp\AskBarDis\RSS\1\Notifications.xml not found!

File C:\WINDOWS\temp\AskBarDis\RSS\1\WhatsHot.xml not found!

File C:\WINDOWS\temp\AskBarDis\RSS\1\WhatsNew.xml not found!

File C:\WINDOWS\temp\JET507.tmp not found!

File C:\WINDOWS\temp\Perflib_Perfdata_dc4.dat not found!

C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I5WZUZXQ\google_co_uk[2].txt moved successfully.

 

Registry entries deleted on Reboot...

 

ComboFix

 

ComboFix 10-01-27.06 - Ali 28/01/2010 19:00:40.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1164 [GMT 0:00]

Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe

AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Ali\Application Data\iniasd.txt

c:\documents and settings\Ali\Application Data\inst.exe

c:\documents and settings\Ali\Application Data\SystemProc

c:\documents and settings\Ali\Local Settings\Application Data\ojibefaki.bat

c:\documents and settings\All Users\Application Data\epyq.inf

c:\program files\Dealio Toolbar

c:\program files\Dealio Toolbar\FF\chrome.manifest

c:\program files\Dealio Toolbar\FF\chrome\content\chevron.js

c:\program files\Dealio Toolbar\FF\chrome\content\chevron.xul

c:\program files\Dealio Toolbar\FF\chrome\content\login.js

c:\program files\Dealio Toolbar\FF\chrome\content\login.xul

c:\program files\Dealio Toolbar\FF\chrome\content\parser.js

c:\program files\Dealio Toolbar\FF\chrome\content\RssTickerWidget.js

c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.js

c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.xul

c:\program files\Dealio Toolbar\FF\chrome\content\widgichevron.js

c:\program files\Dealio Toolbar\FF\chrome\content\widgicomm.js

c:\program files\Dealio Toolbar\FF\chrome\content\widgihandling.js

c:\program files\Dealio Toolbar\FF\chrome\content\widgilisteners.js

c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.js

c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.xul

c:\program files\Dealio Toolbar\FF\chrome\content\widgiui.js

c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\searchbox.dtd

c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\widgitoolbarplugin.dtd

c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\widgitoolbarplugin.properties

c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\yahoo-search.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\amazon.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\apple.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\barnes.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\bestbuy.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\chevron.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo_hover.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\ebay.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\icon_settings.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\macys.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\newegg.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\overstock.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\search-button-hover.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\search-button.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron-hover.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\search_amazon.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\search_dealio.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\search_ebay.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\search_yahoo.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\searchbox.css

c:\program files\Dealio Toolbar\FF\chrome\skin\separator.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\target.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\walmart.gif

c:\program files\Dealio Toolbar\FF\chrome\skin\widgitoolbarplugin.css

c:\program files\Dealio Toolbar\FF\components\config.ini

c:\program files\Dealio Toolbar\FF\components\dealioToolbarFF.dll

c:\program files\Dealio Toolbar\FF\components\IFBHOHelperWidgiToolbar.xpt

c:\program files\Dealio Toolbar\FF\components\IFBHOWidgiToolbar.xpt

c:\program files\Dealio Toolbar\FF\install.rdf

c:\program files\Dealio Toolbar\IE\4.0.2\config.ini

c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll

c:\program files\Dealio Toolbar\Res\amazon.gif

c:\program files\Dealio Toolbar\Res\apple.gif

c:\program files\Dealio Toolbar\Res\barnes.gif

c:\program files\Dealio Toolbar\Res\bestbuy.gif

c:\program files\Dealio Toolbar\Res\dealio_logo.gif

c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif

c:\program files\Dealio Toolbar\Res\ebay.gif

c:\program files\Dealio Toolbar\Res\icon_settings.gif

c:\program files\Dealio Toolbar\Res\macys.gif

c:\program files\Dealio Toolbar\Res\newegg.gif

c:\program files\Dealio Toolbar\Res\overstock.gif

c:\program files\Dealio Toolbar\Res\search-button-hover.gif

c:\program files\Dealio Toolbar\Res\search-button.gif

c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif

c:\program files\Dealio Toolbar\Res\search-chevron.gif

c:\program files\Dealio Toolbar\Res\search_amazon.gif

c:\program files\Dealio Toolbar\Res\search_dealio.gif

c:\program files\Dealio Toolbar\Res\search_ebay.gif

c:\program files\Dealio Toolbar\Res\search_yahoo.gif

c:\program files\Dealio Toolbar\Res\target.gif

c:\program files\Dealio Toolbar\Res\walmart.gif

c:\program files\Dealio Toolbar\Res\widgets.xml

c:\program files\Dealio Toolbar\WidgiHelper.exe

c:\recycler\NPROTECT

C:\s

c:\windows\dembat.tm

c:\windows\emdat.tm

c:\windows\EventSystem.log

c:\windows\g32.txt

c:\windows\gui

c:\windows\gui\drw43300.txt

c:\windows\gui\drw43300.vdb

c:\windows\gui\drw43301.txt

c:\windows\gui\drw43301.vdb

c:\windows\gui\drw43302.txt

c:\windows\gui\drw43302.vdb

c:\windows\gui\drw43303.txt

c:\windows\gui\drw43303.vdb

c:\windows\gui\drw43304.txt

c:\windows\gui\drw43304.vdb

c:\windows\gui\drw43305.txt

c:\windows\gui\drw43305.vdb

c:\windows\gui\drw43306.txt

c:\windows\gui\drw43306.vdb

c:\windows\gui\drw43307.txt

c:\windows\gui\drw43307.vdb

c:\windows\gui\drw43308.txt

c:\windows\gui\drw43308.vdb

c:\windows\gui\drw43309.txt

c:\windows\gui\drw43309.vdb

c:\windows\gui\drw43310.txt

c:\windows\gui\drw43310.vdb

c:\windows\gui\drw43311.txt

c:\windows\gui\drw43311.vdb

c:\windows\gui\drw43312.txt

c:\windows\gui\drw43312.vdb

c:\windows\gui\drw43313.txt

c:\windows\gui\drw43313.vdb

c:\windows\gui\drw43314.txt

c:\windows\gui\drw43314.vdb

c:\windows\gui\drw43315.txt

c:\windows\gui\drw43315.vdb

c:\windows\gui\drw43316.txt

c:\windows\gui\drw43316.vdb

c:\windows\gui\drw43317.txt

c:\windows\gui\drw43317.vdb

c:\windows\gui\drw43318.txt

c:\windows\gui\drw43318.vdb

c:\windows\gui\drw43319.txt

c:\windows\gui\drw43319.vdb

c:\windows\gui\drw43320.txt

c:\windows\gui\drw43320.vdb

c:\windows\gui\drw43321.txt

c:\windows\gui\drw43321.vdb

c:\windows\gui\drw43322.txt

c:\windows\gui\drw43322.vdb

c:\windows\gui\drw43323.txt

c:\windows\gui\drw43323.vdb

c:\windows\gui\drw43324.txt

c:\windows\gui\drw43324.vdb

c:\windows\gui\drw43325.txt

c:\windows\gui\drw43325.vdb

c:\windows\gui\drw43326.txt

c:\windows\gui\drw43326.vdb

c:\windows\gui\drw43327.txt

c:\windows\gui\drw43327.vdb

c:\windows\gui\drw43328.txt

c:\windows\gui\drw43328.vdb

c:\windows\gui\drw43329.txt

c:\windows\gui\drw43329.vdb

c:\windows\gui\drw43330.txt

c:\windows\gui\drw43330.vdb

c:\windows\gui\drw43331.txt

c:\windows\gui\drw43331.vdb

c:\windows\gui\drw43332.txt

c:\windows\gui\drw43332.vdb

c:\windows\gui\drw43333.txt

c:\windows\gui\drw43333.vdb

c:\windows\gui\drw43334.txt

c:\windows\gui\drw43334.vdb

c:\windows\gui\drw43335.txt

c:\windows\gui\drw43335.vdb

c:\windows\gui\drw43336.txt

c:\windows\gui\drw43336.vdb

c:\windows\gui\drw43337.txt

c:\windows\gui\drw43337.vdb

c:\windows\gui\drw43338.txt

c:\windows\gui\drw43338.vdb

c:\windows\gui\drw43339.txt

c:\windows\gui\drw43339.vdb

c:\windows\gui\drw43340.txt

c:\windows\gui\drw43340.vdb

c:\windows\gui\drw43341.txt

c:\windows\gui\drw43341.vdb

c:\windows\gui\drw43342.txt

c:\windows\gui\drw43342.vdb

c:\windows\gui\drw43343.txt

c:\windows\gui\drw43343.vdb

c:\windows\gui\drw43344.txt

c:\windows\gui\drw43344.vdb

c:\windows\gui\drw43345.txt

c:\windows\gui\drw43345.vdb

c:\windows\gui\drw43346.txt

c:\windows\gui\drw43346.vdb

c:\windows\gui\drw43347.txt

c:\windows\gui\drw43347.vdb

c:\windows\gui\drw43348.txt

c:\windows\gui\drw43348.vdb

c:\windows\gui\drw43349.txt

c:\windows\gui\drw43349.vdb

c:\windows\gui\drw43350.txt

c:\windows\gui\drw43350.vdb

c:\windows\gui\drw43351.txt

c:\windows\gui\drw43351.vdb

c:\windows\gui\drw43352.txt

c:\windows\gui\drw43352.vdb

c:\windows\gui\drw43353.txt

c:\windows\gui\drw43353.vdb

c:\windows\gui\drw43354.txt

c:\windows\gui\drw43354.vdb

c:\windows\gui\drw43355.txt

c:\windows\gui\drw43355.vdb

c:\windows\gui\drw43356.txt

c:\windows\gui\drw43356.vdb

c:\windows\gui\drw43357.txt

c:\windows\gui\drw43357.vdb

c:\windows\gui\drw43358.txt

c:\windows\gui\drw43358.vdb

c:\windows\gui\drw43359.txt

c:\windows\gui\drw43359.vdb

c:\windows\gui\drw43360.txt

c:\windows\gui\drw43360.vdb

c:\windows\gui\drw43361.txt

c:\windows\gui\drw43361.vdb

c:\windows\gui\drw43362.txt

c:\windows\gui\drw43362.vdb

c:\windows\gui\drw43363.txt

c:\windows\gui\drw43363.vdb

c:\windows\gui\drw43364.txt

c:\windows\gui\drw43364.vdb

c:\windows\gui\drw43365.txt

c:\windows\gui\drw43365.vdb

c:\windows\gui\drweb32.dll

c:\windows\gui\DrWeb32.key

c:\windows\gui\drwebase.vdb

c:\windows\gui\drwnasty.txt

c:\windows\gui\drwnasty.vdb

c:\windows\gui\drwrisky.txt

c:\windows\gui\drwrisky.vdb

c:\windows\gui\drwtoday.txt

c:\windows\gui\drwtoday.vdb

c:\windows\gui\dwebio16.dll

c:\windows\gui\dwebio32.dll

c:\windows\gui\dwebllio.dll

c:\windows\gui\dwn43301.txt

c:\windows\gui\dwn43301.vdb

c:\windows\gui\dwn43302.txt

c:\windows\gui\dwn43302.vdb

c:\windows\gui\dwn43303.txt

c:\windows\gui\dwn43303.vdb

c:\windows\gui\dwn43304.txt

c:\windows\gui\dwn43304.vdb

c:\windows\gui\dwn43305.txt

c:\windows\gui\dwn43305.vdb

c:\windows\gui\dwntoday.txt

c:\windows\gui\dwntoday.vdb

c:\windows\gui\dwr43301.txt

c:\windows\gui\dwr43301.vdb

c:\windows\gui\dwrtoday.txt

c:\windows\gui\dwrtoday.vdb

c:\windows\gui\gui.exe

c:\windows\gui\gui.list

c:\windows\gui\rar.exe

c:\windows\ilagowe.scr

c:\windows\system32\11478.exe

c:\windows\system32\11942.exe

c:\windows\system32\12382.exe

c:\windows\system32\14604.exe

c:\windows\system32\153.exe

c:\windows\system32\15724.exe

c:\windows\system32\16827.exe

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\23281.exe

c:\windows\system32\24464.exe

c:\windows\system32\26500.exe

c:\windows\system32\26962.exe

c:\windows\system32\28145.exe

c:\windows\system32\292.exe

c:\windows\system32\29358.exe

c:\windows\system32\2995.exe

c:\windows\system32\32391.exe

c:\windows\system32\3902.exe

c:\windows\system32\4827.exe

c:\windows\system32\491.exe

c:\windows\system32\5436.exe

c:\windows\system32\5705.exe

c:\windows\system32\6334.exe

c:\windows\system32\9961.exe

c:\windows\system32\cds.txt

c:\windows\system32\ctfmon .exe

c:\windows\system32\drivers\etc\hosts.tim

c:\windows\system32\drivers\npf.sys

c:\windows\system32\dumphive.exe

c:\windows\system32\dz1.txt

c:\windows\system32\kjs

c:\windows\system32\p1.txt

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\r24.txt

c:\windows\system32\sirenacm(2).dll

c:\windows\system32\SrchSTS.exe

c:\windows\system32\STEC3.sys

c:\windows\system32\Sys

c:\windows\system32\Sys\norton-db.001

c:\windows\system32\Sys\norton-db.002

c:\windows\system32\tmp.reg

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

c:\windows\system32\xma

c:\windows\trace

c:\windows\trace\trace.txt

c:\windows\zyfob._sy

 

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected

Restored copy from - Kitty ate it :P

c:\windows\system32\grpconv.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

 

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_NPF

-------\Legacy_SSHNAS

-------\Legacy_STEC3

-------\Service_NPF

-------\Service_STEC3

 

 

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))

.

 

2010-01-28 19:09 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2010-01-28 19:09 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2010-01-28 19:09 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-01-27 18:24 . 2010-01-27 18:24 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-25 21:14 . 2010-01-25 21:14 -------- d-----w- c:\windows\system32\N360_BACKUP

2010-01-21 23:16 . 2010-01-21 23:16 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe

2010-01-21 22:11 . 2010-01-21 22:11 -------- d-----w- c:\program files\AskBarDis

2010-01-18 18:38 . 2010-01-18 18:38 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater

2010-01-18 18:38 . 2010-01-18 18:38 -------- d-----w- c:\program files\Application Updater

2010-01-15 04:05 . 2010-01-15 04:05 -------- d-----w- c:\program files\Norton Support

2010-01-15 04:04 . 2010-01-15 04:04 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\Symantec

2010-01-14 20:16 . 2010-01-14 20:14 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-01-14 17:57 . 2010-01-14 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2010-01-14 17:56 . 2010-01-14 17:56 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\Downloaded Installations

2010-01-14 17:56 . 2009-08-22 08:13 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-01-14 17:56 . 2010-01-14 20:14 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-01-14 17:56 . 2010-01-14 20:14 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-01-14 17:56 . 2010-01-14 20:14 -------- d-----w- c:\program files\Symantec

2010-01-14 17:55 . 2010-01-28 18:14 -------- d-----w- c:\windows\system32\drivers\N360

2010-01-14 17:55 . 2010-01-14 17:55 -------- d-----w- c:\program files\Norton 360

2010-01-14 17:45 . 2010-01-14 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2010-01-14 17:44 . 2010-01-14 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-01-12 22:29 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-01-10 18:21 . 2010-01-10 18:21 27883 ----a-w- c:\windows\system32\0ILPNBLKEB.dat

2010-01-10 18:21 . 2010-01-10 18:21 1860 ----a-w- c:\windows\system32\0PLT01VMT.dat

2010-01-10 18:21 . 2010-01-10 18:21 27883 ----a-w- c:\windows\system32\SVMGTJ7062.dat

2010-01-10 18:21 . 2010-01-10 18:21 1860 ----a-w- c:\windows\system32\S1049S0YF.dat

2010-01-07 21:44 . 2010-01-07 21:44 -------- d-----w- C:\_OTM

2010-01-06 08:09 . 2010-01-06 08:09 -------- d-----w- c:\program files\Trend Micro

2010-01-05 00:16 . 2010-01-05 00:16 118256 ----a-w- c:\windows\system32\qpPAUr_-g.exe

2010-01-05 00:14 . 2010-01-07 21:44 -------- d-sh--w- c:\documents and settings\Ali\.COMMgr

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-26 22:58 . 2009-04-26 15:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-25 21:23 . 2009-04-26 15:49 117760 ----a-w- c:\documents and settings\Ali\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-01-25 21:21 . 2009-04-26 15:46 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-01-25 21:10 . 2010-01-25 21:09 52224 ----a-w- c:\documents and settings\Ali\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-01-25 20:10 . 2006-05-18 22:19 -------- d-----w- c:\documents and settings\Ali\Application Data\Azureus

2010-01-24 21:08 . 2010-01-24 21:08 8406648 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2010-01-24 20:58 . 2010-01-24 20:58 10309448 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\chr\ChromeInstaller.exe

2010-01-24 20:55 . 2010-01-24 20:55 64000 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll

2010-01-24 20:55 . 2010-01-24 20:55 52288 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll

2010-01-24 20:55 . 2010-01-24 20:55 50688 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll

2010-01-24 20:55 . 2010-01-24 20:55 114688 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\RUP\inst_config\compat.dll

2010-01-21 22:12 . 2006-05-18 22:19 -------- d-----w- c:\program files\Azureus

2010-01-20 19:19 . 2009-02-23 18:13 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-14 20:14 . 2010-01-14 17:56 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-01-14 20:14 . 2010-01-14 17:56 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-01-14 20:14 . 2010-01-14 17:58 554352 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

2010-01-14 20:14 . 2008-01-29 12:01 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-01-14 18:16 . 2005-03-06 22:25 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-01-14 17:56 . 2010-01-14 17:56 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll

2010-01-14 17:56 . 2010-01-14 17:56 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll

2010-01-14 17:55 . 2010-01-14 17:55 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll

2010-01-14 17:55 . 2008-01-02 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-01-14 17:55 . 2009-08-01 07:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-01-14 17:51 . 2005-03-06 22:25 -------- d-----w- c:\documents and settings\Ali\Application Data\Symantec

2010-01-07 16:07 . 2009-04-26 15:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 16:07 . 2009-04-26 15:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-06 00:34 . 2007-04-17 12:16 -------- d-----w- c:\documents and settings\Ali\Application Data\dvdcss

2009-12-21 19:14 . 2004-08-04 05:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-15 18:40 . 2009-12-15 18:38 17245680 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe

2009-11-21 15:51 . 2008-08-20 07:26 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-10-10 00:39 . 2009-10-10 00:39 18250 ----a-w- c:\program files\Common Files\bewoharav.pif

2006-03-15 12:30 . 2006-03-15 12:30 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe

2005-01-04 14:52 . 2005-01-04 14:50 227190984 ----a-w- c:\program files\OfficeSTD.exe

2009-03-31 21:47 . 2009-01-28 20:32 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2005-02-13 20:42 . 2005-02-13 20:42 56 --sh--r- c:\windows\SYSTEM32\4C805BE81C.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2009-04-02 12:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

 

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

 

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 90112]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-25 2002160]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]

"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 45056]

"Ulead Photo Express Calendar Checker"="c:\program files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 69632]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]

"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"ppmate"="c:\program files\PPMate\PPMate\ppmate.exe" [2006-11-23 1495123]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]

"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-1-24 113664]

AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2004-11-24 156784]

NETGEAR WG311v2 Smart Configuration.lnk - c:\program files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 450560]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-01-25 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\PPMate\\PPMate\\ppmate.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\SymEFA.sys [28/01/2010 05:14 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\BHDrvx86.sys [28/01/2010 05:14 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\cchpx86.sys [28/01/2010 05:14 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\IDSXpx86.sys [28/01/2010 02:12 329592]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [22/12/2008 10:06 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [22/12/2008 10:05 74480]

R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [08/01/2010 00:51 380928]

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [21/01/2010 22:11 464264]

R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [21/01/2010 22:11 234888]

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [23/02/2009 18:12 54752]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [28/01/2010 05:13 117640]

R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 08:33 202016]

R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 13:42 148768]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [20/01/2010 00:39 102448]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [22/12/2008 10:06 7408]

S1 M9207;DigiO2 DVB-T USB Receiver;c:\windows\system32\DRIVERS\M9207BDA.sys --> c:\windows\system32\DRIVERS\M9207BDA.sys [?]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\SYSTEM32\FsUsbExDisk.Sys [06/12/2008 14:35 36512]

S3 gkmixern;gkmixern;\??\c:\docume~1\Ali\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\Ali\LOCALS~1\Temp\gkmixern.sys [?]

.

Contents of the 'Scheduled Tasks' folder

 

2010-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/ig?hl=en

uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} - hxxp://www.tvkoo.com/update/KooPlayer.ocx

FF - ProfilePath - c:\documents and settings\Ali\Application Data\Mozilla\Firefox\Profiles\emib82yk.default\

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

 

BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll

BHO-{a8eeebd5-9962-5197-5172-d056c9db9f81} - (no file)

Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll

ActiveSetup-{1A43B51D-2671-4bcc-89F0-9BC42DB29016} - fow64.dll

AddRemove-360Share Pro - c:\program files\360Share Pro\bt-uninst.exe

AddRemove-HijackThis - c:\documents and settings\Ali\Local Settings\Temporary Internet Files\Content.IE5\T2XU0AWK\HijackThis.exe

AddRemove-LimeWire - c:\program files\LimeWire\uninstall.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-28 19:13

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-3974528393-405583803-1727344631-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

 

[HKEY_USERS\S-1-5-21-3974528393-405583803-1727344631-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.

R%]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

 

[HKEY_USERS\S-1-5-21-3974528393-405583803-1727344631-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.

R%\OpenWithList]

@Class="Shell"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(1528)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

 

- - - - - - - > 'explorer.exe'(1192)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Intel\Intel Application Accelerator\iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-01-28 19:22:24 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-28 19:22

ComboFix2.txt 2006-12-17 20:18

 

Pre-Run: 13,333,274,624 bytes free

Post-Run: 13,537,193,984 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

 

- - End Of File - - 518830A26292CBFE15E51552E95F8E3C

 

What's next?

Edited by Juliet

I forgot to mention, I currently have updates that my computer can't install. I don't know if this is related but these are the details.

 

Security Update for Microsoft Office Excel 2003 (KB973475)

Security Update for Microsoft Office 2003 (KB974554)


Ok both my browsers no longer work and I have had to write this from another computer.

My firefox opens and then I can't type anything at all.

My IE opens ok but when I click on anything it opens up a new tab and as a result I couldn't answer without going to a different pc. Also when I maximise the IE window, I lose the menus, toolbars and address at the top and also the toolbar at the bottom. What do you suggest?


Ok both my browsers no longer work and I have had to write this from another computer.

My firefox opens and then I can't type anything at all.

My IE opens ok but when I click on anything it opens up a new tab and as a result I couldn't answer without going to a different pc. Also when I maximise the IE window, I lose the menus, toolbars and address at the top and also the toolbar at the bottom. What do you suggest?

 

For Firefox, try to minimize and maximize the window then try typing in the address bar again?

Do you have that problem when running in the Firefox SafeMode?

http://support.mozilla.com/en-US/kb/Safe+Mode

 

 

This sounds as if your Norton could be blocking here.

 

Also, have you rebooted again?

 

Can you disable Norton long enough to see if you can connect?

 

Everything seems ok although I had to manually reboot after combofix told me not to as the computer wasn't doing anything for about 30 mins

It was still running; as stated in the disclaimer, on a heavily infected machine scan times can take longer, and it's very possible Norton was interfering too.

 

Google searching seems to be ok though

Good to know. What was done in between the time you ran the scan till the browser stopped?

 

 

* Close all instances of Internet Explorer except for one.

* Right-click on a link in the page and select: "Open in New Window"

* Close the first browser window using the [ X ] (upper right corner)

* Resize the window manually by dragging the sides to the desired size.

Note: Do NOT click the Maximize button, you must do it manually.

* Hold down the Ctrl key and click the Close button (upper right)

 

 

Your machine is still infected, the logs show more malicious files.

 

We need to run ComboFix again.

 

Then if we can get a browser working we need to have a few files scanned.

 

 

Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

Please open Notepad (*Do Not Use WordPad* or any other text editor than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below:


File::

c:\docume~1\Ali\LOCALS~1\Temp\gkmixern.sys

Driver::

gkmixern

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

Posted Image

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

If there are internet issues afterward:

 

*In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

 

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, uncheck the proxy server and set it to No Proxy.

 

 

Please post the ComboFix log

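Two things in the helper's post are worth making concrete: which lines in a ComboFix log point at "more malicious files", and how those hits turn into the File::/Driver:: sections of a CFScript. The script below is an added example written for this thread; it is not part of ComboFix, HijackThis or the helper's instructions. Its heuristics (an autostart image under a Temp directory, a driver image ComboFix could not read, system+hidden attributes on a dropped file, randomised-looking names directly in system32, Security Center monitoring or the Windows Firewall switched off) are the editor's own and are deliberately split into "high" (script it) and "review" (look first), because several of them have innocent explanations. SAMPLE_LOG is constructed from lines quoted in the logs above, with a few benign entries mixed in as controls.

```python
"""Triage a ComboFix log and draft a CFScript from its high-confidence hits.
Added example for this thread, not ComboFix's or the helper's code; the
heuristics are the editor's own and SAMPLE_LOG is built from lines quoted above.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [21/01/2010 22:11 464264]
S1 M9207;DigiO2 DVB-T USB Receiver;c:\windows\system32\DRIVERS\M9207BDA.sys --> c:\windows\system32\DRIVERS\M9207BDA.sys [?]
S3 gkmixern;gkmixern;\??\c:\docume~1\Ali\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\Ali\LOCALS~1\Temp\gkmixern.sys [?]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
2010-01-05 00:14 . 2010-01-07 21:44 -------- d-sh--w- c:\documents and settings\Ali\.COMMgr
2010-01-05 00:16 . 2010-01-05 00:16 118256 ----a-w- c:\windows\system32\qpPAUr_-g.exe
2010-01-10 18:21 . 2010-01-10 18:21 27883 ----a-w- c:\windows\system32\0ILPNBLKEB.dat
2010-01-14 17:56 . 2009-08-22 08:13 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2005-02-13 20:42 . 2005-02-13 20:42 56 --sh--r- c:\windows\SYSTEM32\4C805BE81C.sys
"""

# Line shapes as ComboFix prints them: services, Run values, file listings, registry keys.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.+?)(?: --> .+?)? \[(.*)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[.*\]$')
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\S+) (\S{8}) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
TEMP_RE = re.compile(r"\\temp\\", re.I)
SYS32_LEAF_RE = re.compile(r"\\system32\\[^\\]+$", re.I)

@dataclass
class Finding:
    severity: str  # high = script it, review = look first, info = note only
    kind: str
    name: str
    path: str
    reason: str

def looks_random(stem):
    """Name-entropy hint only: 9+ chars mixing digits and letters with no
    three-letter lower-case run, or two adjacent punctuation characters."""
    if len(stem) < 9:
        return False
    return bool(re.search(r"[^A-Za-z0-9]{2}", stem) or (
        re.search(r"\d", stem) and re.search(r"[A-Za-z]", stem)
        and not re.search(r"[a-z]{3}", stem)))

def check_autostart(kind, name, path, unreadable, out):
    path = path.replace("\\??\\", "")  # drop the NT object-manager prefix
    if TEMP_RE.search(path):
        out.append(Finding("high", kind, name, path, "autostart image lives under a Temp directory"))
    elif unreadable:  # ComboFix prints [?] when it cannot stat the image file
        out.append(Finding("info", kind, name, path, "image unreadable; often hardware no longer attached"))

def triage(log):
    out, key = [], ""
    for line in filter(None, (l.strip() for l in log.splitlines())):
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif m := SERVICE_RE.match(line):
            _, name, path, info = m.groups()
            kind = "driver" if path.lower().endswith(".sys") else "service"
            check_autostart(kind, name, path, info == "?", out)
        elif m := RUN_RE.match(line):
            check_autostart("run", m.group(1), m.group(2), False, out)
        elif m := FILE_RE.match(line):
            _, attrs, path = m.groups()
            leaf = path.rsplit("\\", 1)[-1]
            if "s" in attrs and "h" in attrs:
                out.append(Finding("review", "file", leaf, path, "system+hidden attributes; find out what set them"))
            elif SYS32_LEAF_RE.search(path) and looks_random(leaf.rsplit(".", 1)[0]):
                out.append(Finding("review", "file", leaf, path, "randomised-looking name dropped in system32"))
        elif key.endswith("security center\\monitoring") and line.startswith('"DisableMonitoring"=dword:00000001'):
            # Root Monitoring key only: the per-product subkeys are set by the suite itself.
            out.append(Finding("review", "setting", "DisableMonitoring", key, "Security Center monitoring off globally"))
        elif key.endswith("firewallpolicy\\standardprofile") and re.match(r'"EnableFirewall"=\s*0\b', line):
            out.append(Finding("review", "setting", "EnableFirewall", key, "Windows Firewall off; OK only if a third-party firewall runs"))
    return out

def build_cfscript(findings):
    """File:: and Driver:: sections from the high-confidence hits, in CFScript layout."""
    files = list(dict.fromkeys(f.path for f in findings if f.severity == "high"))
    drivers = list(dict.fromkeys(f.name for f in findings if f.severity == "high" and f.kind == "driver"))
    parts = ["File::\n" + "\n".join(files)] if files else []
    if drivers:
        parts.append("Driver::\n" + "\n".join(drivers))
    return "\n\n".join(parts) + "\n"

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.severity:6} {f.kind:8} {f.name:16} {f.reason}")
    print(build_cfscript(hits))
```

Run against the sample, only gkmixern.sys reaches "high" and the generated script matches the File::/Driver:: pair the helper wrote by hand. The M9207 DVB-T driver is also unreadable but only earns "info": a missing image for a hardware driver is what an unplugged USB device looks like, not an infection. Everything else (the .COMMgr hidden directory, the two system32 files with random names, the 56-byte hidden .sys, the disabled monitoring and firewall) is "review" rather than "high" on purpose; names and attributes are hints, and the settings are exactly what a suite such as Norton sets when it takes over, so check before scripting a deletion.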

ComboFix 10-01-29.04 - Ali 29/01/2010 20:20:19.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1058 [GMT 0:00]

Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ali\Desktop\CFScript.txt

AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

 

FILE ::

"c:\docume~1\Ali\LOCALS~1\Temp\gkmixern.sys"

.

PEV Error: ProgramsFolder

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_GKMIXERN

-------\Service_gkmixern

 

 

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-29 )))))))))))))))))))))))))))))))

.

 

2010-01-28 19:09 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2010-01-28 19:09 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2010-01-28 19:09 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-01-28 19:09 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe

2010-01-27 18:24 . 2010-01-27 18:24 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-25 21:14 . 2010-01-25 21:14 -------- d-----w- c:\windows\system32\N360_BACKUP

2010-01-21 22:11 . 2010-01-21 22:11 -------- d-----w- c:\program files\AskBarDis

2010-01-18 18:38 . 2010-01-18 18:38 -------- d-----w- c:\program files\Application Updater

2010-01-15 04:05 . 2010-01-15 04:05 -------- d-----w- c:\program files\Norton Support

2010-01-15 04:04 . 2010-01-15 04:04 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\Symantec

2010-01-14 20:16 . 2010-01-14 20:14 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-01-14 17:57 . 2010-01-14 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2010-01-14 17:56 . 2010-01-14 17:56 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\Downloaded Installations

2010-01-14 17:56 . 2009-08-22 08:13 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-01-14 17:56 . 2010-01-14 20:14 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-01-14 17:56 . 2010-01-14 20:14 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-01-14 17:56 . 2010-01-14 20:14 -------- d-----w- c:\program files\Symantec

2010-01-14 17:55 . 2010-01-28 18:14 -------- d-----w- c:\windows\system32\drivers\N360

2010-01-14 17:55 . 2010-01-14 17:55 -------- d-----w- c:\program files\Norton 360

2010-01-14 17:45 . 2010-01-14 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2010-01-14 17:44 . 2010-01-14 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-01-12 22:29 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-01-10 18:21 . 2010-01-10 18:21 27883 ----a-w- c:\windows\system32\0ILPNBLKEB.dat

2010-01-10 18:21 . 2010-01-10 18:21 1860 ----a-w- c:\windows\system32\0PLT01VMT.dat

2010-01-10 18:21 . 2010-01-10 18:21 27883 ----a-w- c:\windows\system32\SVMGTJ7062.dat

2010-01-10 18:21 . 2010-01-10 18:21 1860 ----a-w- c:\windows\system32\S1049S0YF.dat

2010-01-07 21:44 . 2010-01-07 21:44 -------- d-----w- C:\_OTM

2010-01-06 08:09 . 2010-01-06 08:09 -------- d-----w- c:\program files\Trend Micro

2010-01-05 00:16 . 2010-01-05 00:16 118256 ----a-w- c:\windows\system32\qpPAUr_-g.exe

2010-01-05 00:14 . 2010-01-07 21:44 -------- d-sh--w- c:\documents and settings\Ali\.COMMgr

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-26 22:58 . 2009-04-26 15:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-25 21:23 . 2009-04-26 15:49 117760 ----a-w- c:\documents and settings\Ali\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-01-25 21:21 . 2009-04-26 15:46 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-01-25 21:10 . 2010-01-25 21:09 52224 ----a-w- c:\documents and settings\Ali\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-01-25 20:10 . 2006-05-18 22:19 -------- d-----w- c:\documents and settings\Ali\Application Data\Azureus

2010-01-24 21:08 . 2010-01-24 21:08 8406648 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2010-01-24 20:58 . 2010-01-24 20:58 10309448 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\chr\ChromeInstaller.exe

2010-01-24 20:55 . 2010-01-24 20:55 64000 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll

2010-01-24 20:55 . 2010-01-24 20:55 52288 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll

2010-01-24 20:55 . 2010-01-24 20:55 50688 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll

2010-01-24 20:55 . 2010-01-24 20:55 114688 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\RUP\inst_config\compat.dll

2010-01-21 22:12 . 2006-05-18 22:19 -------- d-----w- c:\program files\Azureus

2010-01-20 19:19 . 2009-02-23 18:13 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-14 20:14 . 2010-01-14 17:56 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-01-14 20:14 . 2010-01-14 17:56 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-01-14 20:14 . 2010-01-14 17:58 554352 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

2010-01-14 20:14 . 2008-01-29 12:01 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-01-14 18:16 . 2005-03-06 22:25 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-01-14 17:56 . 2010-01-14 17:56 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll

2010-01-14 17:56 . 2010-01-14 17:56 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll

2010-01-14 17:55 . 2010-01-14 17:55 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll

2010-01-14 17:55 . 2008-01-02 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-01-14 17:55 . 2009-08-01 07:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-01-14 17:51 . 2005-03-06 22:25 -------- d-----w- c:\documents and settings\Ali\Application Data\Symantec

2010-01-07 16:07 . 2009-04-26 15:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 16:07 . 2009-04-26 15:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-06 00:34 . 2007-04-17 12:16 -------- d-----w- c:\documents and settings\Ali\Application Data\dvdcss

2009-12-21 19:14 . 2004-08-04 05:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-15 18:40 . 2009-12-15 18:38 17245680 ----a-w- c:\documents and settings\Ali\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe

2009-11-21 15:51 . 2008-08-20 07:26 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-10-10 00:39 . 2009-10-10 00:39 18250 ----a-w- c:\program files\Common Files\bewoharav.pif

2006-03-15 12:30 . 2006-03-15 12:30 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe

2005-01-04 14:52 . 2005-01-04 14:50 227190984 ----a-w- c:\program files\OfficeSTD.exe

2009-03-31 21:47 . 2009-01-28 20:32 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2005-02-13 20:42 . 2005-02-13 20:42 56 --sh--r- c:\windows\SYSTEM32\4C805BE81C.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2009-04-02 12:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

 

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

 

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 90112]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]

"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 45056]

"Ulead Photo Express Calendar Checker"="c:\program files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 69632]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]

"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"ppmate"="c:\program files\PPMate\PPMate\ppmate.exe" [2006-11-23 1495123]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]

"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-1-24 113664]

AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2004-11-24 156784]

NETGEAR WG311v2 Smart Configuration.lnk - c:\program files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 450560]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-01-25 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\PPMate\\PPMate\\ppmate.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\SymEFA.sys [28/01/2010 05:14 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\BHDrvx86.sys [28/01/2010 05:14 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\cchpx86.sys [28/01/2010 05:14 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\IDSXpx86.sys [28/01/2010 02:12 329592]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [22/12/2008 10:06 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [22/12/2008 10:05 74480]

R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [08/01/2010 00:51 380928]

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [21/01/2010 22:11 464264]

R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [21/01/2010 22:11 234888]

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [23/02/2009 18:12 54752]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [28/01/2010 05:13 117640]

R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 08:33 202016]

R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 13:42 148768]

S1 M9207;DigiO2 DVB-T USB Receiver;c:\windows\system32\DRIVERS\M9207BDA.sys --> c:\windows\system32\DRIVERS\M9207BDA.sys [?]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\SYSTEM32\FsUsbExDisk.Sys [06/12/2008 14:35 36512]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [22/12/2008 10:06 7408]

.

Contents of the 'Scheduled Tasks' folder

 

2010-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/ig?hl=en

uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} - hxxp://www.tvkoo.com/update/KooPlayer.ocx

FF - ProfilePath - c:\documents and settings\Ali\Application Data\Mozilla\Firefox\Profiles\emib82yk.default\

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-29 20:29

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-3974528393-405583803-1727344631-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

 

[HKEY_USERS\S-1-5-21-3974528393-405583803-1727344631-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.

R%]

@Class="Shell"

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

 

[HKEY_USERS\S-1-5-21-3974528393-405583803-1727344631-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.

R%\OpenWithList]

@Class="Shell"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(1528)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

 

- - - - - - - > 'explorer.exe'(1128)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Intel\Intel Application Accelerator\iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-01-29 20:37:52 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-29 20:37

ComboFix2.txt 2010-01-28 19:22

ComboFix3.txt 2006-12-17 20:18

 

Pre-Run: 13,490,040,832 bytes free

Post-Run: 13,456,924,672 bytes free

 

- - End Of File - - 0D2397B998D3CCACC1FAD7C2CAC22491

 

Both browsers seem to be ok now. The problem came up when I was trying to stream a tv show and the connection dropped out so I tried rebooting and that was when the browsers started playing up.

Do you have any other recommendations?


Glad to hear the browsers work again... whew!

 

 

I see several files that I can't find any information on; to be safe, I think we should have them scanned.

 

Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)
Please go to: VirusTotal
  • Click the Browse button and search for the following file: c:\program files\Common Files\bewoharav.pif
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

 

Also please have the next files scanned.

c:\windows\system32\qpPAUr_-g.exe

c:\windows\system32\0ILPNBLKEB.dat

c:\windows\system32\0PLT01VMT.dat

c:\windows\system32\SVMGTJ7062.dat

c:\windows\system32\S1049S0YF.dat

 

In your next reply post:

Info for requested files

 

You may need several replies to post the requested logs, otherwise they might get cut off.


Here are those scan reports in order:

 

a-squared 4.5.0.50 2010.01.30 -

AhnLab-V3 5.0.0.2 2010.01.30 -

AntiVir 7.9.1.154 2010.01.29 -

Antiy-AVL 2.0.3.7 2010.01.28 -

Authentium 5.2.0.5 2010.01.30 -

Avast 4.8.1351.0 2010.01.30 -

AVG 9.0.0.730 2010.01.29 -

BitDefender 7.2 2010.01.30 -

CAT-QuickHeal 10.00 2010.01.30 -

ClamAV 0.96.0.0-git 2010.01.30 -

Comodo 3759 2010.01.30 -

DrWeb 5.0.1.12222 2010.01.30 -

eSafe 7.0.17.0 2010.01.28 -

eTrust-Vet 35.2.7271 2010.01.29 -

F-Prot 4.5.1.85 2010.01.29 -

F-Secure 9.0.15370.0 2010.01.29 -

Fortinet 4.0.14.0 2010.01.30 -

GData 19 2010.01.30 -

Ikarus T3.1.1.80.0 2010.01.30 -

Jiangmin 13.0.900 2010.01.28 -

K7AntiVirus 7.10.960 2010.01.29 -

Kaspersky 7.0.0.125 2010.01.30 -

McAfee 5876 2010.01.29 -

McAfee+Artemis 5876 2010.01.29 -

McAfee-GW-Edition 6.8.5 2010.01.30 -

Microsoft 1.5406 2010.01.30 -

NOD32 4819 2010.01.30 -

Norman 6.04.03 2010.01.30 -

nProtect 2009.1.8.0 2010.01.30 -

Panda 10.0.2.2 2010.01.29 -

PCTools 7.0.3.5 2010.01.30 -

Prevx 3.0 2010.01.30 -

Rising 22.32.05.04 2010.01.30 -

Sophos 4.50.0 2010.01.30 -

Sunbelt 3.2.1858.2 2010.01.30 -

Symantec 20091.2.0.41 2010.01.30 -

TheHacker 6.5.1.0.172 2010.01.30 -

TrendMicro 9.120.0.1004 2010.01.30 -

VBA32 3.12.12.1 2010.01.29 -

ViRobot 2010.1.30.2164 2010.01.30 -

VirusBuster 5.0.21.0 2010.01.29 -

Additional information

File size: 18250 bytes

MD5...: 65e8207eef37ef22ee03cfb1133a6505

SHA1..: efa38571dc190dc99aadec99d5fec1516a86d258

SHA256: 0c69f0972de1a1ab791b531a09494984fabc3ed987c18cb6d5ee0e8736b9de59

ssdeep: 384:GIWwqKWBBiaiNC5/FsfjILt8Q3JUkUegzksrj2La/ecS6X4pF63uITLb:fHnERiEpFLWSJUzz5ec+F5ITLb

 

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Unknown!

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

 

 

File qpPAUr_-g.exe received on 2010.01.30 10:24:28 (UTC)


 

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.01.30 -

AhnLab-V3 5.0.0.2 2010.01.30 -

AntiVir 7.9.1.154 2010.01.29 TR/Agent.118256

Antiy-AVL 2.0.3.7 2010.01.28 -

Authentium 5.2.0.5 2010.01.30 -

Avast 4.8.1351.0 2010.01.30 -

AVG 9.0.0.730 2010.01.29 Generic16.AQYI

BitDefender 7.2 2010.01.30 -

CAT-QuickHeal 10.00 2010.01.30 -

ClamAV 0.96.0.0-git 2010.01.30 -

Comodo 3759 2010.01.30 -

DrWeb 5.0.1.12222 2010.01.30 -

eSafe 7.0.17.0 2010.01.28 Win32.TrojanHorse

eTrust-Vet 35.2.7271 2010.01.29 -

F-Prot 4.5.1.85 2010.01.29 -

F-Secure 9.0.15370.0 2010.01.29 -

Fortinet 4.0.14.0 2010.01.30 -

GData 19 2010.01.30 -

Ikarus T3.1.1.80.0 2010.01.30 -

Jiangmin 13.0.900 2010.01.28 -

K7AntiVirus 7.10.960 2010.01.29 -

Kaspersky 7.0.0.125 2010.01.30 -

McAfee 5876 2010.01.29 -

McAfee+Artemis 5876 2010.01.29 Artemis!509FD9D3E6B0

McAfee-GW-Edition 6.8.5 2010.01.30 Trojan.Agent.118256

Microsoft 1.5406 2010.01.30 -

NOD32 4819 2010.01.30 -

Norman 6.04.03 2010.01.30 -

nProtect 2009.1.8.0 2010.01.30 -

Panda 10.0.2.2 2010.01.29 -

PCTools 7.0.3.5 2010.01.30 -

Prevx 3.0 2010.01.30 High Risk Cloaked Malware

Rising 22.32.05.04 2010.01.30 -

Sophos 4.50.0 2010.01.30 Troj/FakeAV-ANM

Sunbelt 3.2.1858.2 2010.01.30 Trojan.Win32.Generic!BT

Symantec 20091.2.0.41 2010.01.30 Reser.Reputation.1

TheHacker 6.5.1.0.172 2010.01.30 -

TrendMicro 9.120.0.1004 2010.01.30 -

VBA32 3.12.12.1 2010.01.29 -

ViRobot 2010.1.30.2164 2010.01.30 -

VirusBuster 5.0.21.0 2010.01.29 -

Additional information

File size: 118256 bytes

MD5...: 509fd9d3e6b08762782b9d3a5e55197f

SHA1..: 02ea38d4b444e162cc45bc6449a1eb89591623a7

SHA256: 19e8918b9d609dc42e829f4d38271602de6145f64d33e2d0de89c631fe3d378c

ssdeep: 3072:vQIURTXJ2ceAMP/SZCNCz77q1/amx4Dkcbyw:vsYmMP/SZPupaK4Dkgb

 

PEiD..: -

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x323c

timedatestamp.....: 0x4a2ae2a2 (Sat Jun 06 21:41:54 2009)

machinetype.......: 0x14c (I386)

 

( 5 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x5a5a 0x5c00 6.42 0bc2ffd32265a08d72b795b18265828d

.rdata 0x7000 0x1190 0x1200 5.18 f179218a059068529bdb4637ef5fa28e

.data 0x9000 0x1af98 0x400 4.71 975304d6dd6c4a4f076b15511e2bbbc0

.ndata 0x24000 0xb000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

.rsrc 0x2f000 0x48d0 0x4a00 5.87 4cc3f89c214e350e27ed0f562ca7c749

 

( 8 imports )

> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA

> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow

> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject

> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation

> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA

> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create

> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance

> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

 

( 0 exports )

 

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable MS Visual C++ (generic) (65.2%)

Win32 Executable Generic (14.7%)

Win32 Dynamic Link Library (generic) (13.1%)

Generic Win/DOS Executable (3.4%)

DOS Executable Generic (3.4%)

http://info.prevx.com/aboutprogramtext.asp?PX5=946B7326F072257BCD2201D33F4F7B008DCD3D0D

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

 

packers (F-Prot): NSIS

 

File 0PLT01VMT.dat received on 2010.01.30 10:39:50 (UTC)


 

 

Result: 0/41 (0%)


 

 

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.01.30 -

AhnLab-V3 5.0.0.2 2010.01.30 -

AntiVir 7.9.1.154 2010.01.29 -

Antiy-AVL 2.0.3.7 2010.01.28 -

Authentium 5.2.0.5 2010.01.30 -

Avast 4.8.1351.0 2010.01.30 -

AVG 9.0.0.730 2010.01.29 -

BitDefender 7.2 2010.01.30 -

CAT-QuickHeal 10.00 2010.01.30 -

ClamAV 0.96.0.0-git 2010.01.30 -

Comodo 3759 2010.01.30 -

DrWeb 5.0.1.12222 2010.01.30 -

eSafe 7.0.17.0 2010.01.28 -

eTrust-Vet 35.2.7271 2010.01.29 -

F-Prot 4.5.1.85 2010.01.29 -

F-Secure 9.0.15370.0 2010.01.29 -

Fortinet 4.0.14.0 2010.01.30 -

GData 19 2010.01.30 -

Ikarus T3.1.1.80.0 2010.01.30 -

Jiangmin 13.0.900 2010.01.28 -

K7AntiVirus 7.10.960 2010.01.29 -

Kaspersky 7.0.0.125 2010.01.30 -

McAfee 5876 2010.01.29 -

McAfee+Artemis 5876 2010.01.29 -

McAfee-GW-Edition 6.8.5 2010.01.30 -

Microsoft 1.5406 2010.01.30 -

NOD32 4819 2010.01.30 -

Norman 6.04.03 2010.01.30 -

nProtect 2009.1.8.0 2010.01.30 -

Panda 10.0.2.2 2010.01.29 -

PCTools 7.0.3.5 2010.01.30 -

Prevx 3.0 2010.01.30 -

Rising 22.32.05.04 2010.01.30 -

Sophos 4.50.0 2010.01.30 -

Sunbelt 3.2.1858.2 2010.01.30 -

Symantec 20091.2.0.41 2010.01.30 -

TheHacker 6.5.1.0.172 2010.01.30 -

TrendMicro 9.120.0.1004 2010.01.30 -

VBA32 3.12.12.1 2010.01.29 -

ViRobot 2010.1.30.2164 2010.01.30 -

VirusBuster 5.0.21.0 2010.01.29 -

Additional information

File size: 1860 bytes

MD5...: 283658b52c62981e9f068752113d4784

SHA1..: d7afe79066761b0588eb9492c83c20cc26139988

SHA256: 1250ed57e36e54e9e2375141596921d1ae2bdca1e507e5e2cf6e5784524d5637

ssdeep: 24:JGqalxV+JpDJtxk8IpmLcilBk9bcBkMhoE8yeRlg74ESWoEF4k4aJGZ6MrdLs0I:ApTqDbLNsMhoE8yAlGSWoECiC6Mrdw0I

 

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

pdfid.: -

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

 

trid..: Unknown!

 

File SVMGTJ7062.dat received on 2010.01.30 10:43:11 (UTC)


 

 

Result: 0/41 (0%)


 

 

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.01.30 -

AhnLab-V3 5.0.0.2 2010.01.30 -

AntiVir 7.9.1.154 2010.01.29 -

Antiy-AVL 2.0.3.7 2010.01.28 -

Authentium 5.2.0.5 2010.01.30 -

Avast 4.8.1351.0 2010.01.30 -

AVG 9.0.0.730 2010.01.29 -

BitDefender 7.2 2010.01.30 -

CAT-QuickHeal 10.00 2010.01.30 -

ClamAV 0.96.0.0-git 2010.01.30 -

Comodo 3759 2010.01.30 -

DrWeb 5.0.1.12222 2010.01.30 -

eSafe 7.0.17.0 2010.01.28 -

eTrust-Vet 35.2.7271 2010.01.29 -

F-Prot 4.5.1.85 2010.01.29 -

F-Secure 9.0.15370.0 2010.01.29 -

Fortinet 4.0.14.0 2010.01.30 -

GData 19 2010.01.30 -

Ikarus T3.1.1.80.0 2010.01.30 -

Jiangmin 13.0.900 2010.01.28 -

K7AntiVirus 7.10.960 2010.01.29 -

Kaspersky 7.0.0.125 2010.01.30 -

McAfee 5876 2010.01.29 -

McAfee+Artemis 5876 2010.01.29 -

McAfee-GW-Edition 6.8.5 2010.01.30 -

Microsoft 1.5406 2010.01.30 -

NOD32 4819 2010.01.30 -

Norman 6.04.03 2010.01.30 -

nProtect 2009.1.8.0 2010.01.30 -

Panda 10.0.2.2 2010.01.29 -

PCTools 7.0.3.5 2010.01.30 -

Prevx 3.0 2010.01.30 -

Rising 22.32.05.04 2010.01.30 -

Sophos 4.50.0 2010.01.30 -

Sunbelt 3.2.1858.2 2010.01.30 -

Symantec 20091.2.0.41 2010.01.30 -

TheHacker 6.5.1.0.172 2010.01.30 -

TrendMicro 9.120.0.1004 2010.01.30 -

VBA32 3.12.12.1 2010.01.29 -

ViRobot 2010.1.30.2164 2010.01.30 -

VirusBuster 5.0.21.0 2010.01.29 -

Additional information

File size: 27883 bytes

MD5...: eb02ebf7bede16f21c3a2dcbe802f092

SHA1..: b92f07abccda13096d71db6e6647d390260be06c

SHA256: 56363494d191f85d8e24b60def531d203509c678bca8093d85904309d4dbf719

ssdeep: 384:L9SPcClUvWAl2HIEocQuxNc9GIt4qDmmLt0yJm7xi8vsZl4rXO8JD/HL1R1Y:L9S1U+AsIELNuRDh+xihu+8/zY

 

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Unknown!

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

 

 

File S1049S0YF.dat received on 2010.01.30 10:47:55 (UTC)


 

 

Result: 0/41 (0%)


 

 

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.01.30 -

AhnLab-V3 5.0.0.2 2010.01.30 -

AntiVir 7.9.1.154 2010.01.29 -

Antiy-AVL 2.0.3.7 2010.01.28 -

Authentium 5.2.0.5 2010.01.30 -

Avast 4.8.1351.0 2010.01.30 -

AVG 9.0.0.730 2010.01.29 -

BitDefender 7.2 2010.01.30 -

CAT-QuickHeal 10.00 2010.01.30 -

ClamAV 0.96.0.0-git 2010.01.30 -

Comodo 3759 2010.01.30 -

DrWeb 5.0.1.12222 2010.01.30 -

eSafe 7.0.17.0 2010.01.28 -

eTrust-Vet 35.2.7271 2010.01.29 -

F-Prot 4.5.1.85 2010.01.29 -

F-Secure 9.0.15370.0 2010.01.29 -

Fortinet 4.0.14.0 2010.01.30 -

GData 19 2010.01.30 -

Ikarus T3.1.1.80.0 2010.01.30 -

Jiangmin 13.0.900 2010.01.28 -

K7AntiVirus 7.10.960 2010.01.29 -

Kaspersky 7.0.0.125 2010.01.30 -

McAfee 5876 2010.01.29 -

McAfee+Artemis 5876 2010.01.29 -

McAfee-GW-Edition 6.8.5 2010.01.30 -

Microsoft 1.5406 2010.01.30 -

NOD32 4819 2010.01.30 -

Norman 6.04.03 2010.01.30 -

nProtect 2009.1.8.0 2010.01.30 -

Panda 10.0.2.2 2010.01.29 -

PCTools 7.0.3.5 2010.01.30 -

Prevx 3.0 2010.01.30 -

Rising 22.32.05.04 2010.01.30 -

Sophos 4.50.0 2010.01.30 -

Sunbelt 3.2.1858.2 2010.01.30 -

Symantec 20091.2.0.41 2010.01.30 -

TheHacker 6.5.1.0.172 2010.01.30 -

TrendMicro 9.120.0.1004 2010.01.30 -

VBA32 3.12.12.1 2010.01.29 -

ViRobot 2010.1.30.2164 2010.01.30 -

VirusBuster 5.0.21.0 2010.01.29 -

Additional information

File size: 1860 bytes

MD5...: 0c00ae408418d8e82e337f256922e014

SHA1..: 9bd6baecee71420d94fecf525c3e8fd4888aed96

SHA256: 4c6cbc0f9275a18e6583ee82e3cbe3b23d83e3dba462e43b69eff12b53d17fdb

ssdeep: 24:JGqaqJpDJtxk8IpmLcilBk9bcBkMhoE8yeRlg74ESWoEF4k4aJGZ6MrdLs0I:A6DbLNsMhoE8yAlGSWoECiC6Mrdw0I

 

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Unknown!

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

I had to send it over SSL, I think, because of my Norton.

Looks like there may be more work to do. What's next?

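A small parser for plain-text VirusTotal reports in the row format pasted above ("engine version YYYY.MM.DD result", with "-" meaning no detection), added here as an example and not part of this thread or of VirusTotal's own tooling. It tallies which engines flagged each file, which is the judgement the helper makes when deciding which of the submitted files to remove. The SAMPLE_TEXT inside it is constructed in the same format with made-up file names and digests, not the results posted above; it also copes with a report that lost its "File ... received on" header, as the first one in the post did.

```python
"""Tally detections from VirusTotal plain-text reports (2010-era row format).

Added example, not code from this thread. SAMPLE_TEXT is constructed in the
same layout as the pasted reports, with made-up file names, digests and results.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One engine row: "<engine> <version> <YYYY.MM.DD> <result>"; "-" means no detection.
# The column header "Antivirus Version Last Update Result" has no date, so it never matches.
_ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
_FILE_RE = re.compile(r"^File (\S+) received on ")
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-f]+)$")
_SIZE_RE = re.compile(r"^File size:\s*(\d+) bytes$")

# Digest lengths in hex characters; a line-wrapped or truncated digest is rejected.
_HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}


@dataclass
class VtReport:
    filename: str = "(unknown)"  # used when a report was pasted without its header line
    size: Optional[int] = None
    hashes: Dict[str, str] = field(default_factory=dict)
    results: Dict[str, str] = field(default_factory=dict)  # engine -> result string

    def detections(self) -> Dict[str, str]:
        """Engines that returned a detection name rather than '-'."""
        return {eng: res for eng, res in self.results.items() if res != "-"}

    def summary(self) -> str:
        return f"{self.filename}: {len(self.detections())}/{len(self.results)} engines flagged"


def parse_reports(text: str) -> List[VtReport]:
    """Split pasted text into one VtReport per 'File ... received on' header."""
    reports: List[VtReport] = []
    current: Optional[VtReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FILE_RE.match(line)
        if m:
            current = VtReport(filename=m.group(1))
            reports.append(current)
            continue
        if current is None:
            # Engine rows that appear before any header: report with a lost header.
            current = VtReport()
            reports.append(current)
        m = _SIZE_RE.match(line)
        if m:
            current.size = int(m.group(1))
            continue
        m = _HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2)
            if len(digest) == _HASH_LEN[algo]:
                current.hashes[algo] = digest
            continue
        m = _ROW_RE.match(line)
        if m:
            current.results[m.group(1)] = m.group(4).strip()
    return reports


def flagged_files(reports: List[VtReport], min_engines: int = 1) -> List[str]:
    """Names of files that at least `min_engines` engines flagged."""
    return [r.filename for r in reports if len(r.detections()) >= min_engines]


# Constructed sample in the pasted format (engine names are real, values are made up).
SAMPLE_TEXT = """
File sample.exe received on 2010.01.30 10:24:28 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.30 -
AntiVir 7.9.1.154 2010.01.29 TR/Agent.Example
McAfee+Artemis 5876 2010.01.29 Artemis!0123456789AB
Prevx 3.0 2010.01.30 High Risk Cloaked Malware
Symantec 20091.2.0.41 2010.01.30 -
Additional information
File size: 4096 bytes
MD5...: 0123456789abcdef0123456789abcdef
SHA1..: 0123456789abcdef0123456789abcdef01234567
SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
PEiD..: -
sigcheck:
verified.....: Unsigned

File clean.dat received on 2010.01.30 10:39:50 (UTC)
Result: 0/4 (0%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.30 -
AntiVir 7.9.1.154 2010.01.29 -
Sophos 4.50.0 2010.01.30 -
Symantec 20091.2.0.41 2010.01.30 -
Additional information
File size: 1860 bytes
MD5...: fedcba9876543210fedcba9876543210
"""

if __name__ == "__main__":
    parsed = parse_reports(SAMPLE_TEXT)
    for rep in parsed:
        print(rep.summary(), rep.hashes.get("MD5"))
        for eng, res in rep.detections().items():
            print(f"  {eng}: {res}")
    print("flagged:", flagged_files(parsed))
```

The `min_engines` threshold is the knob a helper turns: a single generic or heuristic hit (the "Artemis!" and "Reputation" style results above) is weaker evidence than several engines agreeing on a family name, so the threshold should be raised when only cloud-reputation engines fire.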

My norton did a search and brought back a high risk of Backdoor.Tidservl!inf with the details being:

 

c:\qoobox\quarantine\c\windows\system32\drivers\iastor.sys.vir

 

I assume the first part means that it's quarantined but should I check this file on virustotal as well?


Don't worry about that Norton alert; it will be removed when we do the final clean-up, which is just around the corner now.

 

 

As I see it, just one of those files I requested scanned came back bad.

 

  • Double click on OTM.exe to run it
  • Copy & paste the contents inside the Code box below beginning with :Files into --->> Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error

:Files
c:\windows\system32\qpPAUr_-g.exe
:Commands
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.

A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

 

 

 

In your next reply post:

OTM log

new HJT log


Great. I'm glad that you can see an end to this coming soon. Here's my OTM and HJT logs.

Looking good?

 

========== FILES ==========

c:\windows\system32\qpPAUr_-g.exe moved successfully.

========== COMMANDS ==========

 

OTM by OldTimer - Version 3.1.7.0 log created on 01302010_174258

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:46:59, on 30/01/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Application Updater\ApplicationUpdater.exe

C:\Program Files\AskBarDis\bar\bin\AskService.exe

C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

C:\Program Files\TalkTalk\bin\sprtsvc.exe

C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe

C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TalkTalk\bin\sprtcmd.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [ulead AutoDetector] "C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe"

O4 - HKLM\..\Run: [ulead Photo Express Calendar Checker] "C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"

O4 - HKLM\..\Run: [ppmate] "C:\Program Files\PPMate\PPMate\ppmate.exe" -autoplay

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...448/mcfscan.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe

O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe

O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

 

--

End of file - 12161 bytes


Great. I'm glad that you can see an end to this coming soon. Here are my OTM and HJT logs.

Looking good?

Yes, looking good.

 

Please uninstall the Ask Toolbar via Add/Remove Programs, since this one is not recommended.

 

 

 

Don't miss or skip this next step: it will remove malicious files from quarantine and set a clean restore point.

 

Go to Start > Run, then type (or copy and paste) the following into the Run box and press Enter:

 

ComboFix /Uninstall

 

Note the space between the x and the /U; it needs to be there.

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

 

 

 

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process?". Please select Yes.
  • Restart your computer when prompted.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

You're good to go, good job!

 

 

Please take the time to read over a few of my preventive tips.

 

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Firefox 3

The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

*NoScript - Add-on for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

 

WOT (Web of Trust) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an add-on available for both Firefox and IE.

 

How to prevent Malware: Created by Miekiemoes

 

Here are some additional utilities that will further enhance your safety.

# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

 

Scan your computer regularly for malware

Scan on a regular basis to keep your computer clean with free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware.

Please note that these products can also be run free, without a licence, as on-demand scanners.

 

Backup regularly

 

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

 

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

 

Avoid P2P

 

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

 

Please read this article 'Safe Computing Practices'.

So how did I get infected in the first place?

 

Secure My Computer: A Layered Approach

 

Strong passwords: How to create and use them

 

Free Antivirus-AntiSpyware-Firewall Software

 

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

 

Slow Computer May Not Be Malware Related, Help! My computer is slow!

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

 

 

PC Safety and Security--What Do I Need?

http://www.techsupportforum.com/security-c...-do-i-need.html

 

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

This site offers people who have been (or are) victims of malware the opportunity to document their story.

 

Extra note:

Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/

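The helper above reads the HijackThis log by eye, looking for the handful of entry types that most often mark an infection: an entry that points at a file which is no longer there, an autorun launched from a user's Temp folder, a service with no publisher name, a restrictive policy such as DisableRegedit, and a hosts-file line that maps a hostname to something other than loopback. The following is an added example, not part of this thread and not code from HijackThis, that applies those same rules of thumb to log lines programmatically. The sample log mixes a few O16/O20/O23 lines quoted from the posted log with constructed lines in the same format (the O1, O4, O7 and the "(file missing)" O20 entries use placeholder names and a TEST-NET address); the heuristics are hints for manual review, not a verdict.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example, not code from the forum thread or from HijackThis. Each
rule below mirrors something a helper checks by eye; a hit means "look at
this entry", not "this entry is malware".
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Sample input: some lines quoted from the posted log, the rest constructed
# in the same format with placeholder names (example.com, example.exe, ...).
SAMPLE_LOG = r"""
O1 - Hosts: 198.51.100.7 www.example.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKCU\..\Run: [example] C:\DOCUME~1\User\LOCALS~1\Temp\example.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: example - example.dll (file missing)
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
"""

# "O<n> - <rest of entry>" is the shape of every HJT log entry.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# O1 entries look like "Hosts: <ip> <hostname>".
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
# Any path component named Temp (short 8.3 paths included).
TEMP_RE = re.compile(r"\\Temp\\", re.I)


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything else or garbage."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def triage_line(line: str) -> Optional[Dict]:
    """Parse one HJT line; return its section, body and a list of reasons
    it deserves a closer look (empty list = nothing flagged).
    Returns None for lines that are not HJT entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    reasons: List[str] = []

    if section == "O1":
        h = HOSTS_RE.match(body)
        if h and not _is_loopback(h.group(1)):
            reasons.append(f"hosts file redirects {h.group(2)} to {h.group(1)} (not loopback)")
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("points at a file that no longer exists (orphaned entry)")
    if section == "O4" and TEMP_RE.search(body):
        reasons.append("autorun launched from a Temp folder")
    if section == "O7":
        reasons.append("restrictive policy set (e.g. DisableRegedit / DisableTaskMgr)")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher name; verify the binary by hand")

    return {"section": section, "body": body, "reasons": reasons}


def triage(log_text: str) -> List[Dict]:
    """Return only the entries that tripped at least one rule, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = triage_line(line)
        if entry and entry["reasons"]:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['section']}: {e['body']}")
        for r in e["reasons"]:
            print(f"    -> {r}")
```

Note that the "Unknown owner" rule will also fire on legitimate services that simply lack a publisher string (several ATI and OEM services in the log above are examples), which is why the output is a review list rather than a fix list.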