please could someone check this hijack/malwarebytes log

DaveG247 · 20 July 2010 at 8:56PM

Hi all,

Got a few problems with my mates laptop appear it may have had a rogue virus checker. Ran malware bytes which found a few infected files, restarted the machine but avast and windows defender still wont update and were still having a problem with google searches which send us to different sites.

Please would someone be able to check the Hijack this and malwarebyytes logs

Thanks
Dave

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:50:03, on 20/07/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Presario&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Presario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Presario&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ferifiij] C:\Windows\system32\config\systemprofile\AppData\Local\yypypcbrt\urcmhlptssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ferifiij] C:\Windows\system32\config\systemprofile\AppData\Local\yypypcbrt\urcmhlptssd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: PMBDeviceInfoProvider - Sony Corporation - C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9367 bytes

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4332
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928
20/07/2010 20:41:08
mbam-log-2010-07-20 (20-41-08).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 265971
Time elapsed: 57 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkjsxwtw (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\Erica&Nick\AppData\Local\vginybhuv\pihbrjxtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

aliEnRIK · 20 July 2010 at 9:00PM

Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download

DaveG247 · 20 July 2010 at 9:23PM

Hi ran COMBOFIX here's the log

ComboFix 10-07-20.01 - Erica&Nick 20/07/2010 21:10:51.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.1978.1188 [GMT 1:00]
Running from: c:\users\Erica&Nick\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\drivers\ql40xx.sys was found and disinfected
Restored copy from - Kitty had a snack

.
((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.
2010-07-20 20:18 . 2010-07-20 20:18

d

w- c:\users\Erica&Nick\AppData\Local\temp
2010-07-20 20:18 . 2010-07-20 20:18

d

w- c:\users\Default\AppData\Local\temp
2010-07-20 18:48 . 2010-07-20 18:48 388096 ----a-r- c:\users\Erica&Nick\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-20 18:48 . 2010-07-20 18:48

d

w- c:\program files\Trend Micro
2010-07-20 18:41 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 18:41 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 17:48 . 2010-07-20 19:41

d

w- c:\users\Erica&Nick\AppData\Local\vginybhuv
2010-07-11 13:44 . 2010-07-11 13:44

d

w- c:\program files\iPod
2010-07-11 13:44 . 2010-07-11 13:44

d

w- c:\program files\iTunes
2010-07-11 13:41 . 2010-07-11 13:41

d

w- c:\program files\Bonjour
2010-07-03 12:27 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-06-29 19:50 . 2010-07-11 16:05 52224 ----a-w- c:\users\Erica&Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-29 19:50 . 2010-07-11 16:08 117760 ----a-w- c:\users\Erica&Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-29 19:41 . 2010-06-29 19:41

d

w- c:\program files\SUPERAntiSpyware
2010-06-29 19:41 . 2010-06-29 19:41

d

w- c:\users\Erica&Nick\AppData\Roaming\SUPERAntiSpyware.com
2010-06-29 19:40 . 2010-06-29 19:40

d

w- c:\program files\Common Files\Wise Installation Wizard
2010-06-25 18:13 . 2010-06-25 18:13

d

w- c:\users\Erica&Nick\AppData\Roaming\Sony Corporation
2010-06-25 18:10 . 2007-07-19 17:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2010-06-25 18:07 . 2010-06-25 18:07

d

w- c:\program files\Sony
2010-06-21 20:54 . 2010-06-21 21:11

d

w- c:\users\Erica&Nick\AppData\Local\mwqxwbrjx
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-20 18:41 . 2010-06-19 20:21

d

w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 19:04 . 2010-02-12 20:34 154468 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-11 17:14 . 2009-05-28 20:45

d

w- c:\program files\Spybot - Search & Destroy
2010-07-11 14:06 . 2008-10-28 12:14

d--h--w- c:\program files\InstallShield Installation Information
2010-07-11 14:05 . 2008-10-28 13:17

d

w- c:\program files\CyberLink
2010-07-11 13:44 . 2010-02-12 11:17

d

w- c:\program files\Common Files\Apple
2010-07-04 19:26 . 2009-05-04 15:44

d

w- c:\users\Erica&Nick\AppData\Roaming\Skype
2010-07-04 15:01 . 2009-06-14 17:44

d

w- c:\documents and settings\releaseengineer\Application Data\skypePM
2010-06-28 20:57 . 2009-05-04 14:12 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2009-05-04 14:13 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2009-05-04 14:13 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2009-05-04 14:13 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2009-05-04 14:12 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-06-28 20:32 . 2009-05-04 14:13 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-25 20:47 . 2009-06-06 11:26

d

w- c:\users\Erica&Nick\AppData\Roaming\vlc
2010-06-22 10:30 . 2009-05-11 07:08 5972 ----a-w- c:\users\Erica&Nick\AppData\Local\d3d9caps.dat
2010-06-20 14:53 . 2010-06-19 14:00

d

w- c:\program files\Ask.com
2010-06-20 14:52 . 2010-02-14 09:46

d

w- c:\program files\NCH Software
2010-06-20 12:10 . 2009-05-08 19:00

d

w- c:\users\Erica&Nick\AppData\Roaming\LimeWire
2010-06-19 21:57 . 2009-05-04 14:12

d

w- c:\program files\Alwil Software
2010-06-19 20:21 . 2010-06-19 20:21

d

w- c:\users\Erica&Nick\AppData\Roaming\Malwarebytes
2010-06-19 19:49 . 2010-06-19 19:04

d

w- c:\program files\Common Files\AVSMedia
2010-06-19 19:49 . 2010-06-19 19:03

d

w- c:\program files\AVS4YOU
2010-06-19 19:19 . 2010-06-19 19:19

d

w- c:\program files\SourceTec
2010-06-19 19:15 . 2010-06-19 19:15

d

w- c:\users\Erica&Nick\AppData\Roaming\NCH Software
2010-06-19 19:05 . 2010-06-19 19:05

d

w- c:\users\Erica&Nick\AppData\Roaming\AVS4YOU
2010-06-12 07:49 . 2006-11-02 11:18

d

w- c:\program files\Windows Mail
2010-06-02 03:55 . 2010-06-25 20:07 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 03:55 . 2010-06-25 20:07 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 03:55 . 2010-06-25 20:07 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-05-31 14:35 . 2010-02-16 19:40

d

w- c:\program files\MSECache
2010-05-26 17:06 . 2010-06-11 15:48 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 15:49 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 10:41 . 2010-06-25 20:07 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 10:41 . 2010-06-25 20:07 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-26 10:41 . 2010-06-25 20:07 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 10:41 . 2010-06-25 20:07 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 10:41 . 2010-06-25 20:07 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-21 13:14 . 2009-10-03 18:46 221568

w- c:\windows\system32\MpSigStub.exe
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59 . 2010-06-11 16:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-11 16:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-11 16:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-11 16:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-11 11:34 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 14:13 . 2010-05-26 15:22 2048 ----a-w- c:\windows\system32\tzres.dll
2008-10-28 12:40 . 2008-10-28 12:30 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-10 170520]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-09 148888]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-02-28 74408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2009-11-04 597792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 14:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-11-19 22:29 623960 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-07-10 22:27 145944 ----a-w- c:\windows\System32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 12:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2008-11-17 14:11 1805552 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
2008-06-14 01:11 210216

w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
2008-06-14 01:11 210216

w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2008-10-07 03:42 210216

w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):54,67,da,18,25,41,ca,01
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 o1394bul;o1394bul;c:\users\ERICA&~1\AppData\Local\Temp\o1394bul.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe [2008-02-19 537256]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder
2010-03-25 c:\windows\Tasks\CreateChoiceProcessTask.job
- c:\windows\System32\browserchoice.exe [2010-03-25 10:32]
.
.

Supplementary Scan

.
uStart Page = hxxp://www.tiscali.co.uk
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.

LOCKED REGISTRY KEYS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-20 21:21:05
ComboFix-quarantined-files.txt 2010-07-20 20:21
Pre-Run: 88,463,421,440 bytes free
Post-Run: 88,448,438,272 bytes free
- - End Of File - - 161F8690349E33EDD3C515A629800504

aliEnRIK · 20 July 2010 at 9:46PM

TICK and FIX these in hijack ~
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [ferifiij] C:\Windows\system32\config\systemprofile\AppData\L ocal\yypypcbrt\urcmhlptssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ferifiij] C:\Windows\system32\config\systemprofile\AppData\L ocal\yypypcbrt\urcmhlptssd.exe (User 'Default user')
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)

Use the Norton removal tool
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Then id say your good to go

DaveG247 · 20 July 2010 at 10:04PM

Thanks

Ticked and fixed the other two but didn't see the two below

O4 - HKUS\S-1-5-18\..\Run: [ferifiij] C:\Windows\system32\config\systemprofile\AppData\L ocal\yypypcbrt\urcmhlptssd.exe (User 'SYSTEM')
or
O4 - HKUS\.DEFAULT\..\Run: [ferifiij] C:\Windows\system32\config\systemprofile\AppData\L ocal\yypypcbrt\urcmhlptssd.exe (User 'Default user')

windows defender seem to update ok now

Which link is best to click on for the norton removal tool?

aliEnRIK · 20 July 2010 at 10:44PM

As you dont know which Norton you had, use this standard removal tool ~
http://majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

DaveG247 · 20 July 2010 at 10:51PM

Many thanks will give that a go tomorrow. Cheers again

DaveG247 · 21 July 2010 at 7:56PM

Got it removed (didn't even think norton was installed) and everything seems to be ok.:j aliEnRIK that must be the forth time you've help me out now many thanks:beer:

aliEnRIK · 21 July 2010 at 8:56PM

Happy to help

please could someone check this hijack/malwarebytes log

Comments

Confirm your email address to Create Threads and Reply

🚀 Getting Started

Categories

Is this how you want to be seen?

Get our FREE Weekly email full of deals & guides - and it’s spam-free