We’d like to remind Forumites to please avoid political debate on the Forum.

This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.

📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
The Forum now has a brand new text editor, adding a bunch of handy features to use when creating posts. Read more in our how-to guide

Hijack this help please

callistris
callistris Posts: 656 Forumite
Part of the Furniture
in Techie Stuff
I'm trying to sort out a laptop at work which has been infected.

A full scan with malwarebytes detected 3 trojans which have all been quarantined.
A Scan with Avira came back clear.
A Scan with SAS has detected 5 problems called 'browser hijacker.deskbar'

Which so far I've been unable to remove, they were quarantined but after rescanning they still show up in the scan results and not in quarantine:confused:


Below is a log from hijack this for the experts to take a look at please to see if anything untoward is there.

Thanks in advance for your help:D


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:06:45, on 31/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Interwise\Participant\pull.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.deere.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{32BE4059-4986-49B9-BEC5-D5378F96759C}: NameServer = 212.23.3.100,212.23.6.100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Update Service (gupdate1c98ecf471a7ce4) (gupdate1c98ecf471a7ce4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: LightweightIDOL - Unknown owner - C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: XBaseMS-Service - Transaction Software, D 81829 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

--
End of file - 9568 bytes
«1

Comments

  • Browntoa
    Browntoa Posts: 49,620 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    this needs to go

    O15 - Trusted Zone: *.deere.com (HKLM)
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,620 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    post the malwarebyte log for me
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    Ex forum ambassador

    Long term forum member
  • callistris
    callistris Posts: 656 Forumite
    Part of the Furniture
    Browntoa wrote: »
    this needs to go

    O15 - Trusted Zone: *.deere.com (HKLM)

    I can't remove this as its needed for work, its on all the work laptops.
  • callistris
    callistris Posts: 656 Forumite
    Part of the Furniture
    Browntoa wrote: »
    post the malwarebyte log for me
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.


    As requested

    Malwarebytes' Anti-Malware 1.39
    Database version: 2421
    Windows 5.1.2600 Service Pack 3

    30/07/2009 12:52:41
    mbam-log-2009-07-30 (12-52-41).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 132345
    Time elapsed: 43 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\inf\stalport.inf (Trojan.Agent) -> Quarantined and deleted successfully.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    This looks very dodgy but id guess its from work? ~
    C:\Program Files\Service ADVISOR\SUIR\LightweightIDOL.exe

    Please run COMBOFIX

    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be)

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    :idea:
  • Browntoa
    Browntoa Posts: 49,620 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    callistris wrote: »
    I can't remove this as its needed for work, its on all the work laptops.

    was not sure what that was , always remove them unless I know what they are ;)
    Ex forum ambassador

    Long term forum member
  • callistris
    callistris Posts: 656 Forumite
    Part of the Furniture
    The combofix log as requested

    ComboFix 09-07-29.04 - User 31/07/2009 15:20.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.639 [GMT 1:00]
    Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\SGPSA
    c:\program files\SGPSA\BHO.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
    .

    2009-12-12 05:27 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2009-12-11 21:54 . 2009-12-11 21:54
    d
    w- c:\program files\Common Files\Borland Shared
    2009-12-11 21:53 . 2005-11-13 22:40 89360 ----a-w- c:\windows\system32\VB5DB.DLL
    2009-12-11 21:53 . 2004-03-17 10:21 49152 ----a-w- c:\windows\system32\PMSResources.dll
    2009-12-11 21:53 . 1999-03-26 00:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
    2009-12-11 21:51 . 2009-12-11 22:33
    d
    w- c:\program files\ProQuestMS
    2009-12-11 21:35 . 2009-07-30 18:03
    d
    w- c:\program files\Spybot - Search & Destroy
    2009-12-11 21:35 . 2009-07-30 18:03
    d
    w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-12-11 21:30 . 2009-07-30 11:04 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-12-11 21:12 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2009-12-11 19:58 . 2009-02-14 18:09
    d
    w- c:\documents and settings\User\Local Settings\Application Data\Google
    2009-12-11 19:57 . 2009-02-12 10:50
    d
    w- c:\program files\CCleaner
    2009-12-11 19:54 . 2009-12-11 19:54
    d
    w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-11 19:52 . 2009-12-11 19:52
    d
    w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
    2009-12-11 19:52 . 2009-07-30 11:56
    d
    w- c:\program files\SUPERAntiSpyware
    2009-12-11 19:52 . 2009-12-11 19:52
    d
    w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-11 19:51 . 2009-12-11 19:51
    d
    w- c:\documents and settings\User\Application Data\Malwarebytes
    2009-12-11 19:51 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-11 19:51 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-11 19:51 . 2009-12-11 19:51
    d
    w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-11 19:51 . 2009-07-30 11:04
    d
    w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-11 19:21 . 2006-10-16 07:19 194362 ----a-w- c:\windows\system32\drivers\windrvr6.sys
    2009-12-11 19:19 . 2002-04-12 10:23 1044480 ----a-w- c:\windows\system32\ROBOEX32.DLL
    2009-12-11 19:19 . 2000-08-04 11:25 49152 ----a-w- c:\windows\system32\INETWH32.dll
    2009-12-11 19:16 . 2006-05-24 16:10 455600 ----a-r- c:\documents and settings\All Users\Application Data\Service ADVISOR\Media\setup.exe
    2009-12-11 19:15 . 2009-05-12 12:40
    d
    w- c:\documents and settings\All Users\Application Data\Service ADVISOR
    2009-12-11 19:15 . 2008-01-10 20:57 552214 ----a-r- c:\documents and settings\All Users\Application Data\Service ADVISOR\Media\ISSetup.dll
    2009-12-11 19:15 . 2006-05-17 15:21 373680 ----a-r- c:\documents and settings\All Users\Application Data\Service ADVISOR\Media\_setup.dll
    2009-12-11 19:15 . 2009-06-04 15:32 19641 ----a-w- c:\windows\unins000.dat
    2009-12-11 19:14 . 2008-01-31 12:07 61511 ----a-w- c:\windows\system32\JDTrimHTML.dll
    2009-12-11 19:09 . 2009-12-11 19:09
    d
    w- c:\documents and settings\All Users\Application Data\InstallShield
    2009-12-11 19:09 . 2009-07-24 07:44
    d
    w- C:\jdlm
    2009-12-11 19:06 . 2009-02-13 23:30
    d
    w- c:\documents and settings\User\Local Settings\Application Data\Adobe
    2009-12-11 19:06 . 2009-12-11 19:06
    d
    w- c:\program files\Common Files\Adobe
    2009-12-11 19:05 . 2009-12-11 19:05
    d
    w- c:\temp\AdobeInstall
    2009-12-11 19:05 . 2009-05-12 12:54
    d
    w- C:\Temp
    2009-12-11 19:05 . 2009-12-11 19:05
    d
    w- c:\program files\Java
    2009-12-11 19:05 . 2009-12-11 19:05
    d
    w- c:\program files\Common Files\Java
    2009-12-11 19:04 . 2009-12-11 19:04
    d
    w- c:\documents and settings\User\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
    2009-12-11 19:01 . 2009-12-11 19:01
    d
    w- c:\program files\Microsoft.NET
    2009-12-11 18:54 . 2009-12-11 18:54
    d
    w- C:\JDINST
    2009-12-11 18:53 . 2009-05-12 11:46
    d
    w- C:\JDIS Install Logs
    2009-07-30 12:16 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2009-07-30 12:16 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-07-30 12:16 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2009-07-30 12:16 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2009-07-30 12:15 . 2009-07-30 12:15
    d
    w- c:\program files\Avira
    2009-07-30 12:15 . 2009-07-30 12:15
    d
    w- c:\documents and settings\All Users\Application Data\Avira
    2009-07-19 10:56 . 2009-07-19 10:56
    d
    w- c:\program files\Search Guard PlusU
    2009-07-19 10:56 . 2009-07-19 10:56
    d
    w- c:\program files\Search Guard Plus
    2009-07-19 10:56 . 2009-07-19 10:56
    d
    w- C:\users
    2009-07-19 09:25 . 2009-07-19 09:25
    d
    w- c:\documents and settings\User\Local Settings\Application Data\Temp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-11 19:09 . 2009-01-26 09:22
    d
    w- c:\program files\Common Files\InstallShield
    2009-07-29 14:38 . 2009-02-14 18:01
    d
    w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-07-01 08:47 . 2009-05-12 12:40
    d
    w- c:\program files\Service ADVISOR
    2009-06-30 13:02 . 2009-06-30 10:32
    d
    w- c:\documents and settings\User\Application Data\U3
    2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-04 12:00 17408
    w- c:\windows\system32\corpol.dll
    2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-04 15:32 . 2004-06-26 19:00 691545 ----a-w- c:\windows\unins000.exe
    2009-06-04 15:32 . 2009-02-12 10:19 78298 ----a-w- c:\windows\unins002.dat
    2009-06-04 15:32 . 2009-02-12 10:19 684377 ----a-w- c:\windows\unins002.exe
    2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-12 13:01 . 2009-05-12 13:01 117760 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{3FE7D2BF-DB37-429A-B47E-5DE073404A42}\IconTmpl.50919BAA_6A87_4FF2_9F31_77666E9D001A.exe
    2009-05-12 12:13 . 2009-05-12 12:13 3584 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2009-05-12 12:02 . 2009-12-11 19:32 49328 ----a-w- c:\windows\unins001.dat
    2009-05-12 12:02 . 2009-12-11 19:32 684377 ----a-w- c:\windows\unins001.exe
    2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-30 1830128]
    "Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-11 133104]
    "ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2007-06-19 101144]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-06-19 84760]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2007-06-19 125720]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
    "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 131072]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-11-16 88209]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
    Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
    BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-6-2 565309]
    Push Client.LNK - c:\program files\Interwise\Participant\pull.exe [2009-2-19 894192]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Service ADVISOR\\xvds\\xVDSMgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\Program Files\\Service ADVISOR\\xvds\\xVDS.exe"=

    R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [29/11/2005 17:56 36768]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [15/01/2009 17:17 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15/01/2009 17:17 55024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/07/2009 13:15 108289]
    R2 LightweightIDOL;LightweightIDOL;c:\program files\Service ADVISOR\SUIR\LightweightIDOL.exe [12/05/2009 13:40 4145152]
    R2 XBaseMS-Service;XBaseMS-Service;c:\program files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe [12/02/2009 09:48 401408]
    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [26/01/2009 10:33 88192]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21/10/2005 12:19 36352]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/01/2009 17:17 7408]
    S2 gupdate1c98ecf471a7ce4;Google Update Service (gupdate1c98ecf471a7ce4);c:\program files\Google\Update\GoogleUpdate.exe [14/02/2009 19:08 133104]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-31 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-14 10:45]

    2009-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 18:08]

    2009-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 18:08]

    2009-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1844237615-839522115-1003Core.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-11 21:33]

    2009-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1844237615-839522115-1003UA.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-11 21:33]
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-IfxWlxEN - (no file)


    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    Trusted Zone: deere.com
    TCP: {32BE4059-4986-49B9-BEC5-D5378F96759C} = 212.23.3.100,212.23.6.100
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-31 15:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid]
    @DACL=(02 0000)
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32]
    @DACL=(02 0000)
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib]
    @DACL=(02 0000)
    @="{4509D3CC-B642-4745-B030-645B79522C6D}"
    "Version"="1.0"
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(1400)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2009-07-31 15:27
    ComboFix-quarantined-files.txt 2009-07-31 14:27

    Pre-Run: 43,236,511,744 bytes free
    Post-Run: 43,269,890,048 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    206 --- E O F --- 2009-07-30 07:44
  • callistris
    callistris Posts: 656 Forumite
    Part of the Furniture
    *Bumping*

    In case it was missed before;)
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Sorry ~ I thought id replied to this a few days ago

    Log looks fine :)

    If you want another check ~
    run a KASPERSKY ONLINE SCAN (click to scan 'MY COMPUTER')
    http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html?n=1245225406761
    Please post the complete log it creates (This only SCANS it DOESNT delete anything, so we'd need to see anything it finds)
    The scan will likely take anywhere from 5 to 12 hours to complete!
    :idea:
  • callistris
    callistris Posts: 656 Forumite
    Part of the Furniture
    5hours and 47mins later and the kaspersky online scan has finished, 1 threat was found as listed below.

    Tuesday, August 4, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Tuesday, August 04, 2009 11:19:18
    Records in database: 2579522


    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes

    Scan area My Computer
    C:\
    D:\

    Scan statistics
    Files scanned 386697
    Threat name 1
    Infected objects 1
    Suspicious objects 0
    Duration of the scan 05:47:08

    File name Threat name Threats count
    D:\Support\VNC336\vnc-3.3.6-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1

    The selected area was scanned.

    :confused:
This discussion has been closed.
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 353.5K Banking & Borrowing
  • 254.2K Reduce Debt & Boost Income
  • 455.1K Spending & Discounts
  • 246.6K Work, Benefits & Business
  • 603K Mortgages, Homes & Bills
  • 178.1K Life & Family
  • 260.6K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16K Discuss & Feedback
  • 37.7K Read-Only Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.
Update Your Picture