Google redirecting me to wrong sites
Comments
System restore shouldn't matter.
Where are the logs?
slightly off-topic, but....
woo-hoo !! to RIK for 16000 posts
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
Here's the Malwarebytes log... I now can't get ComboFix to run; it starts to load up, then just disappears.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5823
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
23/02/2011 17:30:50
mbam-log-2011-02-23 (17-30-50).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 257298
Time elapsed: 33 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\snixc (Trojan.Dropper) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\snixc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nolmm.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
The two system32 files replicate: it doesn't matter how many times they are deleted, they are replaced by other files, similar in type but with different names. There is always one of these checked in Autoruns after start-up, even if I've unchecked it. The registry key is also detected every time I run Malwarebytes.
How do I get ComboFix to run? I have deleted and re-downloaded it, restarted the computer and then re-downloaded it again, but it won't do anything.
Combofix log, worked this time!
ComboFix 11-02-23.01 - Ross 23/02/2011 18:05:45.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.494 [GMT 0:00]
Running from: c:\documents and settings\Ross\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((( Other Deletions )))))))))))
.
c:\documents and settings\Ross\Application Data\Ocod
c:\documents and settings\Ross\Application Data\Ocod\yheb.anm
c:\documents and settings\Ross\Application Data\Ocod\yheb.tmp
c:\documents and settings\Ross\Application Data\Ydyduh
c:\documents and settings\Ross\Application Data\Ydyduh\uzdio.tmp
c:\documents and settings\Ross\Application Data\Ydyduh\uzdio.xai
c:\program files\Java
c:\program files\Java\jre6\lib\ext\QTJava.zip
c:\windows\system32\twins.exe
c:\windows\TEMP\logishrd\LVPrcInj02.dll
.
((((((((((((((((((( Drivers/Services )))))))))))
.
\Service_Parameters
\Service_Security
(((((((( Files Created from 2011-01-23 to 2011-02-23 )))))))
.
2011-02-23 17:30 . 2011-02-23 17:30 18944 ----a-w- c:\windows\system32\iproty.exe
2011-02-22 22:57 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-22 22:57 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-22 22:57 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-22 22:57 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-22 22:57 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-22 22:57 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-22 22:57 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-22 22:56 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-02-22 22:56 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-22 22:56 . 2011-02-22 22:56 -------- d-----w- c:\program files\Alwil Software
2011-02-22 22:56 . 2011-02-22 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-02-22 21:13 . 2011-02-22 22:28 7168 ----a-w- c:\windows\system32\drivers\utm0ntez.sys
2011-02-22 21:06 . 2011-02-22 21:06 -------- d--h--w- c:\windows\PIF
2011-02-22 20:15 . 2011-02-22 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2011-02-22 20:01 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\46764202.sys
2011-02-22 20:01 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\46764201.sys
2011-02-22 20:01 . 2009-10-09 22:31 315408 ----a-w- c:\windows\system32\drivers\4676420.sys
2011-02-20 21:43 . 2011-02-02 21:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-20 21:13 . 2011-02-22 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-02-20 20:30 . 2011-02-20 20:30 -------- d-----w- c:\documents and settings\Ross\Local Settings\Application Data\Identities
2011-02-20 20:30 . 2011-02-20 21:04 -------- d-----w- c:\documents and settings\Ross\Application Data\Lyaw
2011-02-14 09:47 . 2011-02-14 09:48 -------- d-----w- c:\documents and settings\Ross\Application Data\Xoav
.
((((((((( Find3M Report )))))))))))))
.
2011-01-21 14:44 . 2005-08-16 04:18 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2005-08-16 04:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2005-08-16 04:18 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-08-16 04:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2005-08-16 04:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2005-08-16 04:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2005-08-16 04:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 18:09 . 2010-02-20 21:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-02-20 21:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2005-08-16 04:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2005-08-16 04:18 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2005-08-16 04:18 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2005-08-16 04:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2005-08-16 04:18 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((( Reg Loading Points )))))))))).
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Ross\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-11-30 142336]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
setup_9.0.0.722_22.02.2011_22-19[1].lnk - c:\documents and settings\Ross\Desktop\Virus Removal Tool\setup_9.0.0.722_22.02.2011_22-19[1]\startup.exe [2011-2-22 72208]
c:\documents and settings\Gary\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2010-2-16 66864]
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2010-3-6 790528]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-08-14 14:20 462336 ----a-w- c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-08-28 21:57 395776 ----a-w- c:\program files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 04:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2007-01-08 16:14 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
R0 46764202;46764202 Boot Guard Driver;c:\windows\system32\drivers\46764202.sys [22/02/2011 20:01 37392]
R1 46764201;46764201;c:\windows\system32\drivers\46764201.sys [22/02/2011 20:01 128016]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [22/02/2011 22:57 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22/02/2011 22:57 17744]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [06/03/2010 20:00 38144]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [12/01/2006 22:27 13696]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [12/01/2006 22:29 13568]
S2 iproty;Windows Autenthification Service;c:\windows\system32\iproty.exe [23/02/2011 17:30 18944]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [21/02/2010 18:30 1527900]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [06/03/2010 20:01 194304]
S4 utm0ntez;AVZ Kernel Driver;c:\windows\system32\drivers\utm0ntez.sys [22/02/2011 21:13 7168]
.
Contents of the 'Scheduled Tasks' folder
2010-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.pigsback.com/Pages/4/7/12.aspx?pbq=1269%2c1269%2cVOVVV
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-Norton Ghost 10 - c:\program files\Norton Ghost\Agent\GhostTray.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-23 18:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-766320461-420247582-1097347030-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09CFBD4E-821C-E996-CDD1-EE9EF1FF961A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"gaecjjfcklllhe"=hex:61,63,61,62,6f,65,6a,67,6b,63,68,6f,67,63,65,6d,69,64,64,
63,65,6f,61,6f,64,6d,6f,62,69,6e,65,65,68,67,6f,6f,65,67,6c,66,62,68,64,6f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\wininet.dll
- - - - - - - > 'explorer.exe'(7616)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
- - - - - - - > 'csrss.exe'(652)
c:\windows\system32\wininet.dll
.
Other Running Processes ----
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-02-23 18:23:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-23 18:23
ComboFix2.txt 2011-02-14 20:12
Pre-Run: 11,617,320,960 bytes free
Post-Run: 11,806,117,888 bytes free
- - End Of File - - 24C665EE2D4238D1EA2633BDCC75B998
Thanks
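As an added triage example (my code, not ComboFix's and not posted in this thread), the parser below reads the "Files Created" lines and the service/driver lines in the ComboFix log format shown above and scores each service for manual review. The sample lines are copied from this thread's log; the two heuristics, the seven-day window and the system-directory list are my assumptions.

```python
r"""Triage helper for ComboFix-style logs (added example; not ComboFix's own code).

It parses three line types that appear in the log posted above:
  header  : ComboFix 11-02-23.01 - Ross 23/02/2011 18:05:45.2.1 - x86
  created : 2011-02-23 17:30 . 2011-02-23 17:30 18944 ----a-w- c:\windows\system32\iproty.exe
  service : S2 iproty;Windows Autenthification Service;c:\windows\system32\iproty.exe [23/02/2011 17:30 18944]
and scores each service/driver entry so a reviewer can look at the top of the list first.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = r"""
ComboFix 11-02-23.01 - Ross 23/02/2011 18:05:45.2.1 - x86
((((((((  Files Created from 2011-01-23 to 2011-02-23  ))))))))
.
2011-02-23 17:30 . 2011-02-23 17:30 18944 ----a-w- c:\windows\system32\iproty.exe
2011-02-22 22:57 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-22 21:13 . 2011-02-22 22:28 7168 ----a-w- c:\windows\system32\drivers\utm0ntez.sys
2011-02-20 21:43 . 2011-02-02 21:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [22/02/2011 22:57 294608]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [06/03/2010 20:00 38144]
S2 iproty;Windows Autenthification Service;c:\windows\system32\iproty.exe [23/02/2011 17:30 18944]
S4 utm0ntez;AVZ Kernel Driver;c:\windows\system32\drivers\utm0ntez.sys [22/02/2011 21:13 7168]
"""

HEADER_RE = re.compile(r"^ComboFix \S+ - .* (\d{2}/\d{2}/\d{4} \d{2}:\d{2}):\d{2}")
# created-time . modified-time  size-or-dashes  8-char attribute field  path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\d+|-+)\s+(\S{8})\s+(.+)$")
# start-type  name;display name;image path [dd/mm/yyyy hh:mm size]
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s+(\d+)\]$")

# Assumption: a service binary freshly dropped under these prefixes deserves a look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


def parse_log(text):
    """Return (scan_time, {lower-case path: created datetime}, [service dicts])."""
    scan_time, created, services = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            scan_time = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M")
            continue
        m = CREATED_RE.match(line)
        if m:
            stamp, _modified, _size, _attrs, path = m.groups()
            created[path.lower()] = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, stamp, size = m.groups()
            services.append({
                "start": start, "name": name, "display": display,
                "path": path.lower(), "size": int(size),
                "file_time": datetime.strptime(stamp, "%d/%m/%Y %H:%M")})
    if scan_time is None:
        raise ValueError("no ComboFix header line found; cannot anchor the time window")
    return scan_time, created, services


def triage(scan_time, created, services, recent_days=7):
    """Score each service: one point per heuristic that fires. Returns
    (score, service name, reasons) tuples, highest score first."""
    results = []
    for svc in services:
        reasons = []
        when = created.get(svc["path"])
        # Heuristic 1: image sits in a system directory and was created shortly before the scan.
        if (svc["path"].startswith(SYSTEM_DIRS) and when is not None
                and scan_time - when <= timedelta(days=recent_days)):
            reasons.append("binary created %s before the scan in a system directory"
                           % (scan_time - when))
        # Heuristic 2: display name has nothing to do with the internal service name.
        if svc["name"].lower() not in svc["display"].lower():
            reasons.append("display name %r does not mention service name %r"
                           % (svc["display"], svc["name"]))
        results.append((len(reasons), svc["name"], reasons))
    return sorted(results, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for score, name, reasons in triage(*parse_log(SAMPLE_LOG)):
        print("%d  %-10s %s" % (score, name, "; ".join(reasons) or "-"))
```

The two entries the helper's CFScript targets score highest, but avast's freshly installed driver also trips the recency check, so treat the output as a review queue rather than a verdict.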
Your computer is seriously infected
Open notepad and copy/paste the text in RED below
File::
c:\windows\system32\drivers\46764202.sys
c:\windows\system32\drivers\46764201.sys
c:\windows\system32\drivers\4676420.sys
c:\windows\system32\drivers\utm0ntez.sys
c:\windows\system32\iproty.exe
Dirlook::
c:\documents and settings\Ross\Application Data\Lyaw
c:\documents and settings\Ross\Application Data\Xoav
Save this as "CFScript" (the full file name will be 'CFScript.txt', EXACTLY as shown).
Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
(If the SNAPSHOT section is stupidly large, leave that part out.)
ComboFix should never take more than 30 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
Back up your data and reinstall Windows using the factory restore partition (instructions on the Dell site) or the disc!!
ComboFix 11-02-23.01 - Ross 23/02/2011 19:22:59.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.482 [GMT 0:00]
Running from: c:\documents and settings\Ross\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ross\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FILE ::
"c:\windows\system32\drivers\4676420.sys"
"c:\windows\system32\drivers\46764201.sys"
"c:\windows\system32\drivers\46764202.sys"
"c:\windows\system32\drivers\utm0ntez.sys"
"c:\windows\system32\iproty.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\4676420.sys
c:\windows\system32\drivers\46764201.sys
c:\windows\system32\drivers\46764202.sys
c:\windows\system32\drivers\utm0ntez.sys
c:\windows\system32\iproty.exe
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_Parameters
\Service_Security
\Legacy_46764201
\Legacy_46764202
\Legacy_iproty
\Legacy_utm0ntez
\Service_46764201
\Service_46764202
\Service_iproty
\Service_setup_9.0.0.722_22.02.2011_22-19[1
\Service_utm0ntez
((((((((((((((((((((((((( Files Created from 2011-01-23 to 2011-02-23 )))))))))))))))))))))))))))))))
.
2011-02-22 22:57 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-22 22:57 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-22 22:57 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-22 22:57 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-22 22:57 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-22 22:57 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-22 22:57 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-22 22:56 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-02-22 22:56 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-22 22:56 . 2011-02-22 22:56 -------- d-----w- c:\program files\Alwil Software
2011-02-22 22:56 . 2011-02-22 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-02-22 21:06 . 2011-02-22 21:06 -------- d--h--w- c:\windows\PIF
2011-02-22 20:15 . 2011-02-22 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2011-02-20 21:43 . 2011-02-02 21:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-20 21:13 . 2011-02-22 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-02-20 20:30 . 2011-02-20 20:30 -------- d-----w- c:\documents and settings\Ross\Local Settings\Application Data\Identities
2011-02-20 20:30 . 2011-02-20 21:04 -------- d-----w- c:\documents and settings\Ross\Application Data\Lyaw
2011-02-14 09:47 . 2011-02-14 09:48 -------- d-----w- c:\documents and settings\Ross\Application Data\Xoav
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Ross\Application Data\Lyaw ----
---- Directory of c:\documents and settings\Ross\Application Data\Xoav ----
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-08-14 14:20 462336 ----a-w- c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-08-28 21:57 395776 ----a-w- c:\program files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 04:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2007-01-08 16:14 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [22/02/2011 22:57 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22/02/2011 22:57 17744]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [06/03/2010 20:00 38144]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [12/01/2006 22:27 13696]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [12/01/2006 22:29 13568]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [21/02/2010 18:30 1527900]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [06/03/2010 20:01 194304]
.
Contents of the 'Scheduled Tasks' folder
2010-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.pigsback.com/Pages/4/7/12.aspx?pbq=1269%2c1269%2cVOVVV
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-23 19:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-766320461-420247582-1097347030-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{09CFBD4E-821C-E996-CDD1-EE9EF1FF961A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"gaecjjfcklllhe"=hex:61,63,61,62,6f,65,6a,67,6b,63,68,6f,67,63,65,6d,69,64,64,
63,65,6f,61,6f,64,6d,6f,62,69,6e,65,65,68,67,6f,6f,65,67,6c,66,62,68,64,6f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(6976)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Other Running Processes
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-02-23 19:42:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-23 19:42
ComboFix2.txt 2011-02-23 18:23
ComboFix3.txt 2011-02-14 20:12
Pre-Run: 11,809,001,472 bytes free
Post-Run: 11,766,624,256 bytes free
- - End Of File - - 1F2D519C7FA7B53674D1B5393E9F1A8E
Done as you suggested...what next?
Closed - is that your way of telling me I'm stuffed and the only way is to restore the comp?
-
Closed is saying that's the best route to take :idea:
-
OK - well thanks for trying folks, I appreciate your time spent looking at the issue. This seems like a nasty piece of work and I hope I don't get it again...also hope the virus busters can work out how to stop others getting it too!
-
I'm saying it's probably the fastest/easiest/safest, and you will have a speedy uninfected machine at the end of it - assuming you have somewhere to backup, and means of re-installation!!
This discussion has been closed.