AV Security Suite - HijackThis Log - Advice Please
Open notepad and copy/paste the text in RED below
File::
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{BBC00322-99CD-F401-0E9F-0370F6B55A41}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{EF69577A-068F-7F88-F35A-87DCBE8EFE99}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{50A40C93-A490-A527-5F23-2A8193BEC341}-msng.exe
c:\users\kathryn\AppData\Local\Esahohoqusi.dat
c:\users\kathryn\AppData\Local\Xbapovunikanu.bin
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{BE9BD4B0-05B4-7C28-28E6-29E1AEA8A192}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{6B2E65D5-80E8-6790-0F92-83D565DC6C98}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{D844F33E-331D-E335-AA1D-5C68AB0C3634}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{2B293B42-D0FA-F590-12E1-DB273A204FCC}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{1BEE6EAD-F03D-E99C-3BDA-EF12E44462B4}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{99D38118-FD4F-78A3-FE33-F6DC57F97D47}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{29A53854-608B-D412-25FB-D1E78174D8BE}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{3CEF0BC1-9645-CEBD-E8CC-1A642489BA6F}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{B387A174-979B-0B88-AF7B-4E54B5E2126F}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{19018DD1-F1CE-5802-101F-F0166EDAADDC}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F7FB516C-22C8-7B62-28C3-6CEF2A6FCA51}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{A09497D8-F4C6-53AE-9931-1F4E98ED9575}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{9700E7DE-F3DD-6C80-50FD-0EE4FCAF8915}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{A2A60282-81BA-0525-4C04-1F45E2452AF3}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{B31E8FC5-44E2-31B1-FBB4-B36E6BFFB39D}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{D626955E-4C22-4246-D2F5-498E27568941}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{4983FA7F-A668-5E5E-3F5A-C55DD43C26A6}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{8FF262C2-776A-0CE0-B4CA-B5B7AEBF4A1E}-msng.exe
c:\windows\WLXPGSS.SCR
Save this as "CFScript" (the FULL file name will be 'CFScript.txt' EXACTLY as shown)
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
ComboFix should never take more than 30 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
ComboFix 10-06-14.03 - kathryn 15/06/2010 16:00:11.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1020 [GMT 1:00]
Running from: c:\users\kathryn\Downloads\ComboFix.exe
Command switches used :: c:\users\kathryn\Documents\CFScript.txt
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{19018DD1-F1CE-5802-101F-F0166EDAADDC}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{1BEE6EAD-F03D-E99C-3BDA-EF12E44462B4}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{29A53854-608B-D412-25FB-D1E78174D8BE}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{2B293B42-D0FA-F590-12E1-DB273A204FCC}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{3CEF0BC1-9645-CEBD-E8CC-1A642489BA6F}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{4983FA7F-A668-5E5E-3F5A-C55DD43C26A6}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{50A40C93-A490-A527-5F23-2A8193BEC341}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{6B2E65D5-80E8-6790-0F92-83D565DC6C98}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{8FF262C2-776A-0CE0-B4CA-B5B7AEBF4A1E}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{9700E7DE-F3DD-6C80-50FD-0EE4FCAF8915}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{99D38118-FD4F-78A3-FE33-F6DC57F97D47}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{A09497D8-F4C6-53AE-9931-1F4E98ED9575}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{A2A60282-81BA-0525-4C04-1F45E2452AF3}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{B31E8FC5-44E2-31B1-FBB4-B36E6BFFB39D}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{B387A174-979B-0B88-AF7B-4E54B5E2126F}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{BBC00322-99CD-F401-0E9F-0370F6B55A41}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{BE9BD4B0-05B4-7C28-28E6-29E1AEA8A192}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{D626955E-4C22-4246-D2F5-498E27568941}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{D844F33E-331D-E335-AA1D-5C68AB0C3634}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{EF69577A-068F-7F88-F35A-87DCBE8EFE99}-msng.exe"
"c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F7FB516C-22C8-7B62-28C3-6CEF2A6FCA51}-msng.exe"
"c:\users\kathryn\AppData\Local\Esahohoqusi.dat"
"c:\users\kathryn\AppData\Local\Xbapovunikanu.bin"
"c:\windows\WLXPGSS.SCR"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{19018DD1-F1CE-5802-101F-F0166EDAADDC}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{1BEE6EAD-F03D-E99C-3BDA-EF12E44462B4}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{29A53854-608B-D412-25FB-D1E78174D8BE}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{2B293B42-D0FA-F590-12E1-DB273A204FCC}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{3CEF0BC1-9645-CEBD-E8CC-1A642489BA6F}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{4983FA7F-A668-5E5E-3F5A-C55DD43C26A6}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{50A40C93-A490-A527-5F23-2A8193BEC341}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{6B2E65D5-80E8-6790-0F92-83D565DC6C98}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{8FF262C2-776A-0CE0-B4CA-B5B7AEBF4A1E}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{9700E7DE-F3DD-6C80-50FD-0EE4FCAF8915}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{99D38118-FD4F-78A3-FE33-F6DC57F97D47}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{A09497D8-F4C6-53AE-9931-1F4E98ED9575}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{A2A60282-81BA-0525-4C04-1F45E2452AF3}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{B31E8FC5-44E2-31B1-FBB4-B36E6BFFB39D}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{B387A174-979B-0B88-AF7B-4E54B5E2126F}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{BBC00322-99CD-F401-0E9F-0370F6B55A41}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{BE9BD4B0-05B4-7C28-28E6-29E1AEA8A192}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{D626955E-4C22-4246-D2F5-498E27568941}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{D844F33E-331D-E335-AA1D-5C68AB0C3634}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{EF69577A-068F-7F88-F35A-87DCBE8EFE99}-msng.exe
c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F7FB516C-22C8-7B62-28C3-6CEF2A6FCA51}-msng.exe
c:\users\kathryn\AppData\Local\Esahohoqusi.dat
c:\users\kathryn\AppData\Local\Xbapovunikanu.bin
c:\windows\WLXPGSS.SCR
.
((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
.
2010-06-15 15:06 . 2010-06-15 15:06 -------- d-----w- c:\users\kathryn\AppData\Local\temp
2010-06-15 15:06 . 2010-06-15 15:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-15 15:06 . 2010-06-15 15:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-15 07:20 . 2010-06-15 07:20 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{16690A2B-0ADD-136F-61D8-317E200FAB0D}-msng.exe
2010-06-14 16:44 . 2010-06-15 12:35 -------- d-----w- c:\users\kathryn\AppData\Roaming\QuickScan
2010-06-14 16:43 . 2010-05-31 15:34 702120 ----a-w- c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-06-14 16:43 . 2010-05-31 15:34 868456 ----a-w- c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-06-13 11:57 . 2010-06-13 11:57 -------- d-----w- c:\users\kathryn\AppData\Local\BlinkBox
2010-06-13 11:56 . 2010-06-13 11:56 -------- d-----w- c:\program files\blinkbox
2010-06-12 17:26 . 2010-06-02 10:37 80896 ----a-w- c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
2010-06-12 17:26 . 2010-06-02 10:37 50176 ----a-w- c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
2010-06-12 13:11 . 2010-06-12 13:11 200704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{2CF69BAE-9266-833C-11C2-A92DB433F8ED}-msng.exe
2010-06-12 12:41 . 2010-06-12 12:41 -------- d-----w- c:\users\kathryn\AppData\Roaming\Malwarebytes
2010-06-12 12:41 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-12 12:41 . 2010-06-12 12:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-12 12:41 . 2010-06-12 12:41 -------- d-----w- c:\programdata\Malwarebytes
2010-06-12 12:41 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-12 12:34 . 2010-06-12 12:34 -------- d-----w- c:\program files\Trend Micro
2010-06-09 17:16 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-05-28 18:50 . 2010-05-28 18:50 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-05-28 18:49 . 2010-05-28 18:49 -------- d-----w- c:\program files\Microsoft
2010-05-26 21:08 . 2010-05-26 21:08 -------- d-----w- c:\programdata\WindowsSearch
2010-05-26 15:19 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-21 20:48 . 2010-05-21 21:01 -------- d-----w- c:\programdata\Norton
2010-05-21 20:48 . 2010-05-21 20:48 -------- d-----w- c:\programdata\Symantec
2010-05-21 20:48 . 2010-05-21 20:48 -------- d-----w- c:\programdata\NortonInstaller
2010-05-20 19:10 . 2010-05-20 19:10 -------- d-----w- c:\windows\system32\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 13:39 . 2009-08-09 18:48 1 ----a-w- c:\users\kathryn\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-12 15:12 . 2010-04-24 15:55 -------- d-----w- c:\program files\Defraggler
2010-06-10 07:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-10 07:18 . 2009-09-07 19:05 -------- d-----w- c:\program files\Lx_cats
2010-06-07 16:20 . 2009-10-26 07:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-30 17:57 . 2008-02-22 11:29 -------- d-----w- c:\program files\Google
2010-05-28 18:51 . 2009-06-10 09:20 -------- d-----w- c:\program files\Windows Live
2010-05-26 17:06 . 2010-06-09 17:17 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-09 17:17 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 13:14 . 2009-10-08 19:51 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-07 11:55 . 2010-05-07 11:55 255472 ----a-w- c:\users\kathryn\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-05-04 05:59 . 2010-06-09 17:17 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-09 17:17 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-09 17:17 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-09 17:17 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-02 12:54 . 2009-05-07 14:18 -------- d-----w- c:\programdata\Kaspersky Lab
2010-05-02 12:42 . 2008-02-22 10:44 -------- d-----w- c:\program files\Java
2010-05-02 12:38 . 2010-05-02 12:38 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-04-21 17:48 . 2008-02-22 11:29 -------- d-----w- c:\program files\Picasa2
2010-04-21 17:45 . 2009-04-22 16:11 1766 ----a-w- c:\users\kathryn\AppData\Roaming\wklnhst.dat
2010-04-16 21:12 . 2010-04-16 21:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-12 16:29 . 2010-05-02 12:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-05 17:01 . 2010-06-09 17:17 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-03-28 19:35 . 2010-03-28 19:35 31 ---ha-w- c:\windows\UKCpInfo.sys
2010-03-21 15:16 . 2010-03-21 15:16 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-06-15_12.00.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-06-15 13:29 45658 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-06-15 13:29 74890 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-04-22 15:44 . 2010-06-15 11:23 10276 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2641201609-788405178-2231458804-1000_UserData.bin
+ 2009-04-22 15:44 . 2010-06-15 13:29 10276 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2641201609-788405178-2231458804-1000_UserData.bin
+ 2009-04-22 15:37 . 2010-06-15 13:27 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-04-22 15:37 . 2010-06-15 11:21 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-04-22 15:37 . 2010-06-15 11:21 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-22 15:37 . 2010-06-15 13:27 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-22 15:37 . 2010-06-15 13:27 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-04-22 15:37 . 2010-06-15 11:21 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-06-25 15:31 . 2010-06-15 13:27 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-06-25 15:31 . 2010-06-13 09:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-25 15:31 . 2010-06-15 13:27 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-25 15:31 . 2010-06-13 09:34 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-25 15:31 . 2010-06-15 13:27 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-25 15:31 . 2010-06-13 09:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-15 13:02 . 2010-06-15 13:02 21504 c:\windows\Installer\3d85b.msi
- 2010-06-15 11:21 . 2010-06-15 11:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-06-15 13:27 . 2010-06-15 13:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-06-15 11:21 . 2010-06-15 11:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-06-15 13:27 . 2010-06-15 13:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-04-22 15:53 . 2010-06-15 08:21 2421200 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-04-22 15:53 . 2010-06-15 13:26 2421200 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-29 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"googletalk"="c:\users\kathryn\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Google Update"="c:\users\kathryn\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-07-08 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"NDSTray.exe"="NDSTray.exe" [BU]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-22 1836544]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"lxctmon.exe"="c:\program files\Lexmark 5400 Series\lxctmon.exe" [2006-11-22 291760]
"Lexmark 5400 Series Fax Server"="c:\program files\Lexmark 5400 Series\fm3032.exe" [2006-11-22 304048]
"EzPrint"="c:\program files\Lexmark 5400 Series\ezprint.exe" [2006-11-22 82864]
"LXCTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 245810]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
c:\users\kathryn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cf,7c,a9,99,43,ec,c9,01
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 136176]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-29 937984]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-08-31 20352]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 17:57]
2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 17:57]
2010-03-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2641201609-788405178-2231458804-1000Core1cac66b30c20a4f.job
- c:\users\kathryn\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-08 18:36]
.
.
Supplementary Scan
.
uStart Page = hxxp://google.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:49336
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?!!!!!Toshibaukbholink-21&site=home
Trusted Zone: northernbank.co.uk\ebanking
DPF: {2665693B-C4F3-434B-83DB-7574CF50C8B7} - hxxp://www.kaspersky.co.uk/downloads/misc/kasperskylicensefinder.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://ebanking.northernbank.co.uk/html/activex/e-Safekey/NB/e-Safekey.cab
FF - ProfilePath - c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\
FF - component: c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
FF - component: c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
FF - component: c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\kathryn\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
FF - plugin: c:\users\kathryn\AppData\Roaming\Mozilla\Firefox\Profiles\4op1bes9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\kathryn\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-15 16:06
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe /i
scanning hidden files ...
scan completed successfully
hidden files: 0
THE REST OF LOG BELOW.
---- LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-06-15 16:09:44
ComboFix-quarantined-files.txt 2010-06-15 15:09
ComboFix2.txt 2010-06-15 13:18
ComboFix3.txt 2010-06-15 12:03
Pre-Run: 40,951,709,696 bytes free
Post-Run: 40,814,329,856 bytes free
- - End Of File - - 57FE2870BF58749DE9539E7EE703D0420
Download CCLEANER
http://www.piriform.com/ccleaner/download/slim
Run the CLEANER scan (UNTICK 'cookies')
Then run the REGISTRY scan (Backup the registry when it asks)
reboot
How's it running now?
Will run the CLEANER scan shortly. Thanks a lot, alieEnRIK. Computer seems fine now, no security alert at boot up and all looks good.
Was getting a bit of a sweaty brow doing all that, did not have a clue what was going on with the ComboFix stuff!!! I trust what I was doing was not too risky (do I want to know??)
Anyway, will let you know how I get on.
What was the most serious issue? Sorry, not totally PC-minded.
Thanks again and good luck.
Most serious ones I can see were a few trojans (I don't think they were related to the "msng.exe" ones).
Good to hear it's all fixed.