hijack this....

Hi, can someone have a look at this log? I've done a malware scan and removed 2 trojans, but the PC is running slow and I get the "no internet connection" page sometimes as well.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 06:19:58, on 01/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=174.143.155.243:3128
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
--
End of file - 5724 bytes
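Added example, not part of the thread: a small parser for the HijackThis R, O4 and O23 line formats seen above, with one triage rule that flags a browser proxy (the R1 ProxyServer entry) pointing at an address that is neither loopback nor private. The sample is a constructed excerpt of lines copied from the posted log; the function names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt: every line below is copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=174.143.155.243:3128
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""


@dataclass
class Entry:
    section: str   # HJT section code: R0, R1, O4, O23, ...
    fields: dict   # parsed columns, keyed by name


# Rn lines: "<hive>\<key>,<value name> = <data>"; <data> may be empty.
R_RE = re.compile(r"^(R\d) - ([^,]+),([^=]+?)\s*=\s*(.*)$")
# O4 lines: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (.+?)\\\.\.\\Run: \[(.+?)\] (.*)$")
# O23 lines: "Service: <display name> - <company> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def parse_hjt(text: str) -> list[Entry]:
    """Parse the R, O4 and O23 line types of a HijackThis log; other lines are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := R_RE.match(line):
            entries.append(Entry(m.group(1), {"key": m.group(2), "name": m.group(3), "data": m.group(4)}))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", {"hive": m.group(1), "name": m.group(2), "command": m.group(3)}))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", {"name": m.group(1), "company": m.group(2), "path": m.group(3)}))
    return entries


def proxy_hosts(proxy_setting: str) -> list[str]:
    """Split an IE ProxyServer value into its proxy hosts.

    Accepts both "host:port" and the per-protocol form "http=host:port;https=host:port".
    Bracketed IPv6 literals are not handled; the value format here is XP-era IE."""
    hosts = []
    for part in proxy_setting.split(";"):
        part = part.strip()
        if not part:
            continue
        target = part.split("=", 1)[-1]                       # drop the "http=" / "https=" prefix
        hosts.append(target.rsplit(":", 1)[0] if ":" in target else target)
    return hosts


def is_local_host(host: str) -> bool:
    """True for loopback, link-local and RFC 1918 addresses, or the literal 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False        # a DNS name: we cannot place it, so do not assume it is local
    return addr.is_loopback or addr.is_link_local or addr.is_private


def triage(entries: list[Entry]) -> list[str]:
    """One review rule: a browser proxy that is not on the local machine or LAN relays
    every web request through that host, and an unreachable proxy is one common cause
    of the browser's 'no connection' page."""
    findings = []
    for e in entries:
        if e.section.startswith("R") and e.fields["name"] == "ProxyServer" and e.fields["data"]:
            for host in proxy_hosts(e.fields["data"]):
                if not is_local_host(host):
                    findings.append(f"{e.section} ProxyServer points at non-local host {host}: "
                                    f"confirm the user set it deliberately")
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(f"parsed {len(parsed)} entries")
    for finding in triage(parsed):
        print("REVIEW:", finding)
```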

Comments

  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Can you post details of the trojans removed?

    Have you run an updated FULL scan with Malwarebytes?
    :idea:
  • Hi Rik.
    I ran a full malware scan, then when it found the trojans I removed them and deleted them. I don't know if I can go into Malwarebytes to find them again.
  • aliEnRIK
    Open Malwarebytes, go to LOGS and all logs are in there
    :idea:
  • Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4350
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    01/09/2010 06:05:08
    mbam-log-2010-09-01 (06-05-08).txt
    Scan type: Full scan (A:\|C:\|D:\|E:\|)
    Objects scanned: 193306
    Time elapsed: 55 minute(s), 10 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\System Volume Information\_restore{F6E19539-2EF1-4C26-A0EB-F59A38E2D865}\RP55\A0011530.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
    E:\pc stuff\convertxtodvd\ConvertXtoDVD_4_Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
  • aliEnRIK
    Your database version is well behind
    You need to UPDATE and run another scan (Current database is 4519, yours is Database version: 4350)
    :idea:
  • OK, I've updated and run the scan. Here is the log...
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4520
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    01/09/2010 11:28:32
    mbam-log-2010-09-01 (11-28-32).txt
    Scan type: Full scan (A:\|C:\|D:\|E:\|)
    Objects scanned: 196869
    Time elapsed: 1 hour(s), 4 minute(s), 20 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)
  • aliEnRIK
    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti-virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)
    :idea:
  • ComboFix 10-08-31.02 - kduffy 01/09/2010 11:49:25.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1471.915 [GMT 1:00]
    Running from: c:\documents and settings\kduffy\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\dfinstall.log
    c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
    c:\documents and settings\kduffy\Application Data\inst.exe
    .
    ((((((((((((((((((((((((( Files Created from 2010-08-01 to 2010-09-01 )))))))))))))))))))))))))))))))
    .
    2010-09-01 05:19 . 2010-09-01 05:19 388096 ----a-r- c:\documents and settings\kduffy\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-01 05:19 . 2010-09-01 05:19 -------- d-----w- c:\program files\Trend Micro
    2010-08-31 14:05 . 2010-08-31 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\HideIPEasy
    2010-08-31 14:05 . 2010-08-31 14:05 -------- d-----w- c:\documents and settings\kduffy\Application Data\HideIPEasy
    2010-08-31 13:46 . 2010-08-31 19:03 -------- d-----w- c:\documents and settings\kduffy\Local Settings\Application Data\Google
    2010-08-30 14:32 . 2010-08-30 15:44 -------- d-----w- c:\program files\UltraISO
    2010-08-30 06:43 . 2010-08-30 06:43 12343096 ----a-w- c:\documents and settings\kduffy\Application Data\OpenCandy\OpenCandy_4549644ADBD94425B9323B872FF0E424\p1v1_PPIRegistryReviver_w.exe
    2010-08-30 06:43 . 2010-08-30 06:44 -------- d-----w- c:\documents and settings\kduffy\Local Settings\Application Data\OpenCandy
    2010-08-30 06:43 . 2010-08-30 06:43 347632 ----a-w- c:\documents and settings\kduffy\Application Data\OpenCandy\OpenCandy_4549644ADBD94425B9323B872FF0E424\DLMgr_3_1.6.72.exe
    2010-08-30 06:43 . 2010-08-30 06:43 -------- d-----w- c:\documents and settings\kduffy\Application Data\OpenCandy
    2010-08-23 20:54 . 2010-08-23 20:54 12284672 ----a-w- c:\documents and settings\kduffy\Application Data\OpenCandy\OpenCandy_4549644ADBD94425B9323B872FF0E424\PPIRegistryReviverSetup.exe
    2010-08-19 15:05 . 2010-08-19 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
    2010-08-19 14:29 . 2010-08-20 10:29 -------- d-----w- c:\program files\Common Files\LightScribe
    2010-08-19 14:27 . 2007-11-06 09:01 1000744 ----a-w- c:\windows\system32\ShellManager10E2D762.dll
    2010-08-19 14:26 . 2010-08-19 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
    2010-08-19 14:26 . 2007-11-06 09:01 3077416 ----a-w- c:\windows\system32\AdvrCntr2D6E0B790.dll
    2010-08-19 14:22 . 2010-08-20 10:51 -------- d-----w- c:\program files\Common Files\Ahead
    2010-08-19 14:22 . 2010-08-19 14:22 -------- d-----w- c:\program files\Nero
    2010-08-19 14:19 . 1998-07-21 23:00 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
    2010-08-19 14:19 . 1998-07-21 23:00 102160 ----a-w- c:\windows\system32\VB6KO.DLL
    2010-08-19 13:44 . 2010-08-19 13:44 -------- d-----w- C:\MyWorks
    2010-08-19 13:43 . 2007-01-08 21:17 27168 ------w- c:\windows\system32\msxml3a.dll
    2010-08-19 13:42 . 2010-08-20 10:46 -------- d-----w- c:\program files\CyberLink
    2010-08-19 13:42 . 2010-08-20 10:46 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-08-19 13:42 . 2010-08-19 13:42 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-08-17 17:31 . 2010-08-19 15:11 -------- d-----w- c:\program files\RegCure
    2010-08-17 17:31 . 2010-08-19 15:11 -------- d-----w- c:\windows\RegCure
    2010-08-12 20:05 . 2010-08-12 20:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-08-10 11:04 . 2010-08-10 11:04 -------- d-----w- c:\documents and settings\kduffy\Local Settings\Application Data\IsolatedStorage
    2010-08-10 11:04 . 2010-08-10 11:04 -------- d-----w- c:\program files\MSXML 4.0
    2010-08-10 11:04 . 2010-08-10 11:04 -------- d-----w- c:\documents and settings\kduffy\Local Settings\Application Data\HP
    2010-08-10 11:04 . 2010-08-10 11:04 129 ----a-w- c:\documents and settings\kduffy\Local Settings\Application Data\fusioncache.dat
    2010-08-10 11:03 . 2010-09-01 05:15 -------- d-----w- c:\documents and settings\kduffy\Local Settings\Application Data\ApplicationHistory
    2010-08-09 17:30 . 2010-08-09 17:30 -------- d-----w- c:\windows\Cache
    2010-08-09 17:30 . 2010-08-11 02:28 -------- d-----w- c:\program files\Coupon Printer
    2010-08-09 17:30 . 2010-08-09 17:30 31 ---ha-w- c:\windows\UKCpInfo.sys
    2010-08-09 17:30 . 2010-08-09 17:30 -------- d-----w- c:\documents and settings\kduffy\Application Data\HP
    2010-08-09 17:28 . 2010-08-09 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-08-09 17:27 . 2010-08-09 17:27 -------- d-----w- c:\program files\Common Files\Sonic Shared
    2010-08-09 17:27 . 2010-08-09 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
    2010-08-09 17:26 . 2010-08-09 17:26 -------- d-----w- c:\program files\Common Files\HP
    2010-08-09 17:24 . 2010-08-09 17:24 -------- d-----w- c:\program files\Hewlett-Packard
    2010-08-09 17:22 . 2010-08-09 17:22 -------- d-----w- c:\windows\system32\URTTemp
    2010-08-09 17:21 . 2004-09-29 06:11 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2010-08-09 17:20 . 2004-09-29 11:15 204800 ----a-w- c:\windows\system32\HPZipr12.dll
    2010-08-09 17:20 . 2004-09-29 11:14 69632 ----a-w- c:\windows\system32\HPZipm12.exe
    2010-08-09 17:20 . 2004-09-29 11:12 278584 ----a-w- c:\windows\system32\HPZidr12.dll
    2010-08-09 17:20 . 2004-09-29 11:09 57344 ----a-w- c:\windows\system32\HPZisn12.dll
    2010-08-09 17:20 . 2004-09-29 11:09 94208 ----a-w- c:\windows\system32\HPZipt12.dll
    2010-08-09 17:20 . 2004-09-29 11:08 61440 ----a-w- c:\windows\system32\HPZinw12.exe
    2010-08-09 17:20 . 1998-10-29 15:45 306688 ----a-w- c:\windows\IsUninst.exe
    2010-08-09 17:18 . 2010-08-09 17:24 -------- d-----w- c:\program files\HP
    2010-08-09 17:15 . 2010-09-01 05:13 81375 ----a-w- c:\windows\HPHins08.dat
    2010-08-09 17:15 . 2005-06-01 17:23 4011 ------w- c:\windows\hphmdl08.dat
    2010-08-09 17:15 . 2005-06-01 17:01 77824 ----a-r- c:\windows\system32\hpzids01.dll
    2010-08-09 17:15 . 2005-05-05 07:48 67072 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp3xu.dll
    2010-08-09 17:15 . 2005-05-05 07:51 37376 ----a-w- c:\windows\system32\hpz3l3xu.dll
    2010-08-09 17:12 . 2008-04-13 23:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2010-08-09 17:12 . 2008-04-13 23:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-08-09 17:12 . 2008-04-13 23:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-08-09 17:12 . 2008-04-13 23:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-08-05 17:13 . 2010-08-06 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-05 17:13 . 2010-08-05 21:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-01 10:20 . 2010-07-28 09:08 -------- d-----w- c:\program files\Common Files\Akamai
    2010-08-31 14:18 . 2010-07-26 09:56 -------- d-----w- c:\documents and settings\kduffy\Application Data\uTorrent
    2010-08-30 21:02 . 2010-07-26 10:10 -------- d-----w- c:\documents and settings\kduffy\Application Data\Vso
    2010-08-17 08:32 . 2010-07-26 12:14 -------- d-----w- c:\documents and settings\kduffy\Application Data\vlc
    2010-08-09 17:30 . 2010-07-26 08:07 23120 ----a-w- c:\documents and settings\kduffy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-01 07:25 . 2010-08-01 07:25 -------- d-----w- c:\documents and settings\kduffy\Application Data\Adobe Mini Bridge CS5
    2010-07-31 09:13 . 2010-07-31 09:13 0 ----a-w- c:\windows\nsreg.dat
    2010-07-30 17:28 . 2010-07-30 17:28 -------- d-----w- c:\program files\Microsoft ActiveSync
    2010-07-30 16:53 . 2010-07-30 16:53 -------- d-----w- c:\documents and settings\kduffy\Application Data\Uniblue
    2010-07-30 16:50 . 2010-07-30 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
    2010-07-30 14:10 . 2010-07-30 14:10 -------- d-----w- c:\program files\Belarc
    2010-07-30 09:54 . 2010-07-30 09:54 -------- d-----w- c:\program files\Faronics
    2010-07-30 09:30 . 2010-07-30 09:30 -------- d-----w- c:\documents and settings\kduffy\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
    2010-07-30 09:01 . 2010-07-30 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
    2010-07-30 07:48 . 2010-07-30 07:48 -------- d-----w- c:\documents and settings\kduffy\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2010-07-30 07:37 . 2010-07-27 08:30 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-30 07:35 . 2010-07-30 07:35 -------- d-----w- c:\program files\Adobe Media Player
    2010-07-30 06:46 . 2010-07-30 06:43 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
    2010-07-29 16:24 . 2010-07-26 12:23 -------- d-----w- c:\documents and settings\kduffy\Application Data\dvdcss
    2010-07-29 07:07 . 2010-07-29 07:07 -------- d-----w- c:\documents and settings\kduffy\Application Data\Ashampoo
    2010-07-29 07:06 . 2010-07-29 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\ashampoo
    2010-07-29 07:05 . 2010-07-29 07:05 -------- d-----w- c:\program files\Ashampoo
    2010-07-27 15:25 . 2010-07-27 15:25 -------- d-----w- c:\program files\Cheetah Burner
    2010-07-27 08:17 . 2010-07-27 08:17 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-07-27 08:17 . 2010-07-30 09:25 53632 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-07-27 08:16 . 2010-07-27 08:16 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-07-27 08:16 . 2010-07-27 08:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-27 08:16 . 2010-07-27 08:16 -------- d-----w- c:\program files\NOS
    2010-07-26 21:34 . 2010-07-26 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
    2010-07-26 19:03 . 2010-07-26 19:00 -------- d-----w- c:\program files\NCH Software
    2010-07-26 19:00 . 2010-07-26 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
    2010-07-26 15:38 . 2010-07-26 15:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-26 11:05 . 2010-07-26 11:05 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-07-26 10:21 . 2010-07-26 07:58 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-07-26 10:10 . 2010-07-26 10:10 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2010-07-26 10:10 . 2010-07-26 10:10 47360 ----a-w- c:\documents and settings\kduffy\Application Data\pcouffin.sys
    2010-07-26 10:10 . 2010-07-26 10:10 47360 ----a-w- c:\documents and settings\kduffy\Application Data\pcouffin.sys
    2010-07-26 10:10 . 2010-07-26 10:09 -------- d-----w- c:\program files\VSO
    2010-07-26 09:59 . 2010-07-26 09:59 -------- d-----w- c:\program files\VideoLAN
    2010-07-26 09:57 . 2010-07-26 09:57 -------- d-----w- c:\program files\uTorrent
    2010-07-26 09:55 . 2010-07-26 09:55 -------- d-----w- c:\documents and settings\kduffy\Application Data\Malwarebytes
    2010-07-26 09:55 . 2010-07-26 09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-26 09:55 . 2010-07-26 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-26 09:47 . 2010-07-26 09:47 -------- d-----w- c:\program files\Alwil Software
    2010-07-26 09:47 . 2010-07-26 09:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-07-26 08:00 . 2010-07-26 08:00 -------- d-----w- c:\program files\microsoft frontpage
    2010-07-26 07:55 . 2010-07-26 07:55 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-07-26 07:55 . 2010-07-26 07:55 -------- d-----w- c:\program files\Windows Media Connect 2
    2010-06-30 12:31 . 2008-04-14 05:42 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-28 20:57 . 2010-07-26 09:47 38848 ----a-w- c:\windows\avastSS.scr
    2010-06-28 20:57 . 2010-07-26 09:47 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-07-26 09:48 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-07-26 09:48 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-07-26 09:48 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-07-26 09:48 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-28 20:32 . 2010-07-26 09:48 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-28 20:32 . 2010-07-26 09:48 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 20:32 . 2010-07-26 09:48 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-06-24 12:22 . 2008-04-14 05:42 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2008-04-14 01:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2008-04-14 00:45 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2008-04-14 05:41 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2010-07-26 07:56 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-14 07:41 . 2008-04-14 05:42 1172480 ----a-w- c:\windows\system32\msxml3.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Documents and Settings\\kduffy\\Desktop\\pc stuff\\utorrent.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1051:TCP"= 1051:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [26/07/2010 10:48 165456]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 06:42 14336]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/07/2010 10:48 17744]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13:37 517096]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    2010-09-01 c:\windows\Tasks\HPpromotions journeysoftware.job
    - c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]
    2010-09-01 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]
    2010-08-30 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]
    2010-09-01 c:\windows\Tasks\User_Feed_Synchronization-{8E4A7A9F-060A-4E9F-932E-6F43F4007F4A}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://uk.yahoo.com/
    uInternet Settings,ProxyServer = http=174.143.155.243:3128
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\kduffy\Application Data\Mozilla\Firefox\Profiles\lcz3iodl.default\
    FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -
    HKCU-Run-AdobeBridge - (no file)
    MSConfigStartUp-CTFMON - (no file)

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-01 11:55
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-09-01 11:57:13
    ComboFix-quarantined-files.txt 2010-09-01 10:57
    Pre-Run: 61,422,571,520 bytes free
    Post-Run: 61,676,044,288 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    - - End Of File - - B7E834C645D15139DFB8FCA732B12260
  • Can anyone comment on this ComboFix log?
    Thanks
  • aliEnRIK
    Looks clean to me
    :idea:
This discussion has been closed.