
Logs after infection

Sorry about this long post.

Had a virus which seemed very similar to another in this thread.
Had all kinds of AV popups and it also changed IE settings.

Anyway, sorted that out. Updated and ran Malwarebytes first (had to do it in Safe Mode with Networking), then ran ComboFix as per the instructions on here, then ran HijackThis. All seems well, but I would like someone to check over the logs just to make sure.

Thanks.

Malwarebytes
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4337
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
22/07/2010 11:01:58
mbam-log-2010-07-22 (11-01-58).txt
Scan type: Quick scan
Objects scanned: 129588
Time elapsed: 4 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jqjgpguq (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jqjgpguq (Trojan.Dropper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Stu\Local Settings\Application Data\upcmexlby\tfctixutssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

ComboFix
ComboFix 10-07-21.02 - Stu 22/07/2010 11:10:40.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2604 [GMT 1:00]
Running from: c:\documents and settings\Stu\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Stu\Application Data\inst.exe
I:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.
2010-07-22 09:19 . 2010-07-22 10:01 d-----w- c:\documents and settings\Stu\Local Settings\Application Data\upcmexlby
2010-07-17 16:48 . 2010-07-17 16:49 d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2010-07-17 16:29 . 2010-07-17 16:28 38784 ----a-w- c:\documents and settings\Stu\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-17 16:29 . 2010-07-17 16:29 d-----w- c:\program files\Common Files\Adobe AIR
2010-07-14 19:24 . 2010-07-14 19:24 d-----w- c:\program files\Worms Pinball
2010-07-14 19:20 . 2010-07-14 19:22 d-----w- c:\program files\Adventure Pinball
2010-07-14 08:01 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 21:43 . 2010-07-12 21:43 159776 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-08 21:10 . 2006-07-01 21:39 36864 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2010-07-08 21:10 . 2010-07-08 21:10 d-----w- c:\program files\AMD
2010-07-08 21:05 . 2006-04-14 19:09 34176 ----a-w- c:\windows\system32\drivers\NVENETFD.sys
2010-07-08 21:05 . 2006-04-14 19:07 203776 ----a-w- c:\windows\system32\fdco1.dll
2010-07-08 21:04 . 2006-04-14 19:09 13056 ----a-w- c:\windows\system32\drivers\nvnetbus.sys
2010-07-08 21:04 . 2006-04-14 19:08 305152 ----a-w- c:\windows\system32\drivers\nvnrm.sys
2010-07-08 21:04 . 2006-04-14 19:08 222720 ----a-w- c:\windows\system32\drivers\nvsnpu.sys
2010-07-08 21:04 . 2006-04-14 19:07 9728 ----a-w- c:\windows\system32\bdco1.dll
2010-07-08 21:04 . 2006-03-14 20:45 35840 ----a-w- c:\windows\system32\nvconrm.dll
2010-07-08 21:02 . 2010-07-08 21:02 d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-07-08 20:55 . 2006-08-01 14:02 49152 ----a-w- c:\windows\system32\ChCfg.exe
2010-07-08 20:55 . 2008-09-24 09:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2010-07-08 20:55 . 2010-07-08 20:55 d-----w- c:\program files\Realtek AC97
2010-07-08 20:55 . 2006-12-08 14:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2010-07-08 20:55 . 2007-04-16 14:28 577536 ----a-w- c:\windows\soundman.exe
2010-07-08 20:55 . 2006-10-18 01:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2010-07-08 20:55 . 2006-07-31 10:27 217088 ----a-w- c:\windows\Alcrmv.exe
2010-07-08 20:55 . 2006-07-31 10:19 315392 ----a-w- c:\windows\alcupd.exe
2010-07-08 17:20 . 2010-07-08 17:20 d-----w- c:\program files\Driver-Soft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 09:56 . 2009-08-17 15:54 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 16:33 . 2010-01-21 15:36 d-----w- c:\documents and settings\Stu\Application Data\vlc
2010-07-17 16:46 . 2009-08-15 19:33 d-----w- c:\program files\Electronic Arts
2010-07-17 11:38 . 2009-08-13 19:18 d--h--w- c:\program files\InstallShield Installation Information
2010-07-14 19:22 . 2009-08-13 19:51 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-14 08:04 . 2009-08-13 22:05 d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-08 20:54 . 2009-08-13 20:51 d-----w- c:\program files\ATI Technologies
2010-06-14 14:31 . 2009-08-13 17:09 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 15:52 . 2010-06-10 15:51 d-----w- c:\program files\Readon Technology
2010-06-10 15:52 . 2010-06-10 15:52 5430 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{4A24CAC1-90A5-4325-A4FB-B32CE815C780}\_BDA3CDDBF57ADE3854651C.exe
2010-06-10 15:52 . 2010-06-10 15:52 5430 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{4A24CAC1-90A5-4325-A4FB-B32CE815C780}\_1BD05DE3FCEFE82B9BA625.exe
2010-06-05 08:05 . 2010-06-01 17:04 d-----w- c:\program files\Tyre
2010-06-05 07:11 . 2010-01-23 17:10 d-----w- c:\program files\yDGpatch
2010-06-01 17:24 . 2010-06-01 17:04 d-----w- c:\documents and settings\Stu\Application Data\Tyre
2010-05-29 14:22 . 2010-05-29 13:19 79031640 ----a-w- c:\documents and settings\Stu\Application Data\Uniblue\DriverScanner\Download\pci_ven_1002_dev_7146_subsys_3000174b8_593_100_0000.exe
2010-05-29 13:19 . 2010-05-29 13:19 8258496 ----a-w- c:\documents and settings\Stu\Application Data\Uniblue\DriverScanner\LatestUpdate.exe
2010-05-29 13:09 . 2010-05-29 13:09 d-----w- c:\program files\Belarc
2010-05-25 19:44 . 2009-12-27 10:53 d-----w- c:\program files\Steam
2010-05-19 21:26 . 2010-05-19 20:24 4941136 ----a-w- c:\documents and settings\Stu\Application Data\TomTom\HOME\Profiles\ece1bes5.default\extensions\Navcore.8.562.438269@tomtom.com\8-562-438269-1.dll
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 14:39 . 2009-08-17 15:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-08-17 15:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"FG_Monitor"="c:\program files\Folder Guard Pro\FGKey.exe" [2008-01-04 118600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPZRCV01.LNK]
backup=c:\windows\pss\HPZRCV01.LNKCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 15:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 08:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\napoleon total war\\Napoleon.exe"=
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29/09/2009 14:02 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [29/09/2009 14:05 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [29/09/2009 14:03 735960]
R2 FGUARD32;FGUARD32;c:\program files\Folder Guard Pro\FGUARD32.SYS [13/08/2009 22:22 54008]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [07/05/2010 13:36 92008]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [13/08/2009 22:36 598856]
R3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [21/03/2010 10:53 42880]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [13/08/2009 20:18 17149]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [20/04/2010 14:36 24576]
.
Contents of the 'Scheduled Tasks' folder
2010-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1563985344-839522115-1004Core.job
- c:\documents and settings\Stu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-28 19:21]
2010-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1563985344-839522115-1004UA.job
- c:\documents and settings\Stu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-28 19:21]
.
.
Supplementary Scan
.
uStart Page = hxxp://news.bbc.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Stu\Application Data\Mozilla\Firefox\Profiles\dvvxgj6r.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - plugin: c:\documents and settings\Stu\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-22 11:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-22 11:16:13
ComboFix-quarantined-files.txt 2010-07-22 10:16
Pre-Run: 217,932,251,136 bytes free
Post-Run: 217,935,974,400 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 0272EB0B6DA835CF2BF46348B0B37035

And finally HijackThis
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:21:32, on 22/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250192161140
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 7050 bytes
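What a reviewer would actually check in logs like these, as an added example that is not part of the original post and not code from Malwarebytes, ComboFix or HijackThis: a small Python triage script run over lines copied from the logs above. The sample input is constructed from those lines; the [jqjgpguq] O4 line is reconstructed from the Malwarebytes detection, since Malwarebytes had already removed it before HijackThis ran. It flags the IE ProxyServer value that still points at 127.0.0.1:5643 (present in both the ComboFix and HijackThis output, with no local proxy application listed anywhere), Run entries whose value name or path components look machine-generated, the Autorun.inf that ComboFix deleted from drive I:, and the line showing on-access scanning disabled. The name heuristic is crude and will produce false positives; it is a filter for a human to look at, not a verdict.

```python
"""Triage helper for HijackThis / ComboFix log excerpts (added example)."""
import re
from typing import List, Tuple

VOWELS = set("aeiou")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample: lines copied from the logs in the post above. The
# [jqjgpguq] O4 line is reconstructed from the Malwarebytes detection, since
# Malwarebytes had already removed it before HijackThis ran.
SAMPLE_LOG = r"""
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
I:\Autorun.inf
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [jqjgpguq] C:\Documents and Settings\Stu\Local Settings\Application Data\upcmexlby\tfctixutssd.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""


def looks_random(token: str) -> bool:
    """Crude 'machine-generated name' heuristic: 8+ lowercase letters, under
    30% vowels, and a run of 4+ consonants. Tuned to the names in this
    thread (jqjgpguq, upcmexlby, tfctixutssd); expect false positives."""
    if not re.fullmatch(r"[a-z]{8,}", token):
        return False
    vowel_ratio = sum(c in VOWELS for c in token) / len(token)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", token)), default=0)
    return vowel_ratio < 0.3 and longest_run >= 4


def parse_proxy(value: str) -> List[Tuple[str, str, int]]:
    """Split an IE ProxyServer value ('http=127.0.0.1:5643;https=...' or a
    bare 'host:port') into (scheme, host, port); '*' means all schemes."""
    entries = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, hostport = entry.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries.append((scheme or "*", host, int(port) if port.isdigit() else 0))
    return entries


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Real-time AV switched off is typical of rogue-AV infections.
        m = re.search(r"AV:\s*(.+?)\s*\*On-access scanning disabled\*", line)
        if m:
            findings.append(("realtime-av-off", m.group(1)))
        # Autorun.inf on a drive root: removable-media spreader left behind.
        if re.fullmatch(r"[a-z]:\\autorun\.inf", line, re.IGNORECASE):
            findings.append(("autorun-inf", line))
        # Proxy pointing at the local machine with no local proxy installed.
        m = re.search(r"ProxyServer\s*=\s*(\S+)", line)
        if m:
            for scheme, host, port in parse_proxy(m.group(1)):
                if host in LOOPBACK:
                    findings.append(("loopback-proxy", f"{scheme} -> {host}:{port}"))
        # Run entries whose value name or path components look generated.
        m = re.match(r"O4 - (\S+): \[([^\]]+)\]\s*(.*)", line)
        if m:
            _hive, name, command = m.groups()
            stems = []
            for component in re.split(r"[\\/]", command):
                # first token of the component, without quotes or extension
                stem = next((t for t in re.split(r'[\s".]', component) if t), "")
                stems.append(stem)
            flagged = [t for t in [name] + stems if looks_random(t)]
            if flagged:
                findings.append(("random-name", f"[{name}] " + ", ".join(flagged)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:16} {detail}")
```

Run it as-is to see the four findings from the constructed sample, or feed it a whole HijackThis or ComboFix log on stdin. The loopback-proxy check is the one worth acting on first: once the process listening on that port is gone, a browser configured to use 127.0.0.1:5643 simply stops loading pages, so the ProxyServer value should be cleared (Internet Options, Connections, LAN settings) unless a proxy tool was installed deliberately.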

Comments

  • The order you did things is a bit wrong although it may not be too problematic. However, I would rerun malwarebytes: update definitions (under UPDATE tab, CHECK FOR UPDATES) and run a *FULL* SCAN just in case.

    HijackThis log looks OK.
    Someone else (alienRIK) will have a look at your combofix log.