Hijack log
Combo log
ComboFix 10-11-27.01 - user1 28/11/2010 15:56:38.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.1014.276 [GMT 0:00]
Running from: c:\users\user1\Desktop\QWERTY.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\page
c:\programdata\page\page.ico
c:\programdata\page\page.URL
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.
2010-11-28 16:07 . 2010-11-28 16:07 -------- d-----w- c:\users\owen\AppData\Local\temp
2010-11-28 16:07 . 2010-11-28 16:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-28 16:07 . 2010-11-28 16:07 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-11-27 21:24 . 2010-11-27 21:24 -------- d-----w- c:\users\user1\AppData\Roaming\SUPERAntiSpyware.com
2010-11-27 21:24 . 2010-11-27 21:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-27 09:13 . 2010-11-27 09:13 -------- d-----w- c:\users\user1\AppData\Local\CrashDumps
2010-11-25 15:48 . 2010-11-25 15:48 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-25 15:48 . 2010-11-25 16:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-11-25 15:48 . 2010-11-25 15:48 -------- d-----w- c:\program files\Symantec
2010-11-25 15:46 . 2010-11-26 20:13 -------- d-----w- c:\windows\system32\drivers\NIS
2010-11-25 15:46 . 2010-11-25 15:46 -------- d-----w- c:\program files\Norton Internet Security
2010-11-25 15:46 . 2010-11-25 15:46 -------- d-----w- c:\programdata\Norton
2010-11-25 15:41 . 2010-11-25 15:41 -------- d-----w- c:\program files\NortonInstaller
2010-11-25 14:46 . 2010-11-26 15:25 -------- d-----w- c:\users\user1\DoctorWeb
2010-11-24 19:14 . 2010-11-24 19:14 -------- d-----w- c:\users\Guest\AppData\Local\Microsoft Games
2010-11-24 17:09 . 2010-11-24 17:09 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-24 17:03 . 2010-11-24 17:03 -------- d-----w- c:\program files\CCleaner
2010-11-24 16:47 . 2010-11-24 16:47 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
2010-11-24 15:00 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-23 18:24 . 2010-11-23 18:24 -------- d-----w- c:\users\user1\AppData\Roaming\Malwarebytes
2010-11-23 18:24 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-23 18:24 . 2010-11-23 18:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-23 18:24 . 2010-11-23 18:24 -------- d-----w- c:\programdata\Malwarebytes
2010-11-23 18:24 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-23 18:02 . 2010-11-27 09:04 -------- d-----w- c:\program files\Windows Live Safety Center
2010-11-23 17:41 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-23 17:41 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-11-23 17:40 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-11-23 17:40 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-11-23 16:46 . 2010-11-23 16:18 -------- d-----w- c:\users\me
2010-11-02 14:40 . 2010-11-02 14:41 -------- d-----w- c:\users\Guest\AppData\Local\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-13 13:56 . 2010-10-15 13:12 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-15 12:59 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-15 13:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-15 12:59 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-15 12:59 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:56 . 2010-10-15 12:59 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:04 . 2010-10-15 13:00 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-15 12:59 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-15 12:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-15 13:11 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-15 13:11 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-15 13:11 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-15 13:11 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-15 13:11 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-15 13:13 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-15 13:13 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-15 12:51 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-15 13:12 2038272 ----a-w- c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-11 39408]
"CollaborationHost"="c:\windows\system32\p2phost.exe" [2008-01-21 192000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UIExec"="c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe" [2009-07-16 132608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-02 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-02 150552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 133104]
R2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Mobile Broadband Manager\AssistantServices.exe [2009-07-16 241664]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-05-22 9728]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20101104.001\BHDrvx86.sys [2010-11-04 691248]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20101124.002\IDSvix86.sys [2010-10-19 353840]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1108000.005\SYMTDIV.SYS [2010-05-06 339504]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-11-25 102448]
--- Other Services/Drivers In Memory ---
*Deregistered* - BMLoad
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-11-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-11 18:09]
2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 18:10]
2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-11 18:10]
2010-11-28 c:\windows\Tasks\User_Feed_Synchronization-{5FC8685B-B208-4428-A51B-953F7D7AFC44}.job
- c:\windows\system32\msfeedssync.exe [2010-10-15 04:25]
2010-11-28 c:\windows\Tasks\User_Feed_Synchronization-{680F91C9-46B8-42C1-9C32-42F46C5744A4}.job
- c:\windows\system32\msfeedssync.exe [2010-10-15 04:25]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
IE: Google Sidewiki...
LSP: c:\windows\system32\wpclsp.dll
TCP: {756F62D4-6A4D-4EE8-9916-12C214DA4E9A} = 149.254.230.7 149.254.201.126
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 16:08
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-11-28 16:13:24
ComboFix-quarantined-files.txt 2010-11-28 16:13
Pre-Run: 79,975,211,008 bytes free
Post-Run: 79,775,395,840 bytes free
- - End Of File - - E5299D8657303F8C0E42A67EE790770F
Thank you.
Is it ok if I check back tomorrow? I am at work at 2 am.
Spending my time reading how to fix PC's, instead of looking at Facebook.
I can't find anything wrong in the log. That said, it's possible genuine system files have been overwritten.
Download REGCLEANER
http://majorgeeks.com/download460.html
Use RegCleaner to manually look for any remaining MYWEBSEARCH/ZANGO entries and remove them (make sure you ONLY remove them, as the program WILL remove things it shouldn't if asked to).
..............................................................
TICK and FIX these in HijackThis -
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/disp...b_id&%language
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.a...d=80012&lng=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_cus...spx?tbid=80012
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox.com/search/ie.a...d=80012&lng=en
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_cus...spx?tbid=80012
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
...................................................
Download CCLEANER
http://www.piriform.com/ccleaner/download/slim
Run the CLEANER scan (UNTICK 'cookies')
Then run the REGISTRY scan (Backup the registry when it asks)
Download GLARY UTILITIES
http://www.glaryutilities.com/download/gusetup_slim.exe
REBOOT then run the ONE CLICK scan
Go to MODULES / SYSTEM TOOLS / WINDOWS STANDARD TOOLS / then run SYSTEM FILE CHECKER
.............................................................
I notice you've run DR WEB. Did you run a FULL scan with it?
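The post above is a by-eye triage of HijackThis entries: search and start-page URLs pointing at a toolbar domain, a URLSearchHook and a BHO whose CLSID is registered but whose DLL is gone, a hosts-file line, and an HKCU Run entry. The script below is an added example, not code from the thread or from HijackThis, that applies the same checks mechanically to R0/R1/R3/O1/O2/O4 lines and returns a fix/keep/review verdict with a reason. The allow-list of stock search hosts and the list of user-writable path fragments are assumptions for the example; the sample entries in the demo are the ones quoted in the post, plus a stock Google start page.

```python
"""Triage HijackThis-style R/O entries the way a log helper does by eye.

Rules: R0/R1 URLs not on a stock search host, R3/O2 hooks and BHOs whose
DLL is gone ("(no file)"), O1 hosts lines other than the stock loopback
mappings, and O4 autostarts running from a user-writable directory.
The allow-lists below are assumptions for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts that are normal IE search/start-page defaults (assumed list;
# extend for the machine's locale and vendor).
DEFAULT_SEARCH_HOSTS = {
    "www.google.com", "www.google.co.uk", "www.bing.com",
    "search.live.com", "www.microsoft.com", "go.microsoft.com",
}

# Loopback mappings present in the hosts file of a stock Windows install.
STOCK_HOSTS_LINES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Path fragments writable without admin rights; an autostart image living
# there deserves more suspicion than one under Windows or Program Files.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+)\s+-\s+(?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>[^:]+):\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")


@dataclass
class Finding:
    entry: str
    verdict: str  # "fix", "keep" or "review"
    reason: str


def _image_path(cmd: str) -> str:
    """First token of a Run command line, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> Finding:
    """Classify one HijackThis entry as fix / keep / review with a reason."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return Finding(line, "review", "not a HijackThis R/O entry")
    kind, body = m.group("kind"), m.group("body")

    if kind in ("R0", "R1"):
        # body: "HKLM\...\Main,SearchAssistant = http://host/path"
        _, sep, url = body.partition(" = ")
        host = (urlsplit(url.strip()).hostname or "").lower() if sep else ""
        if host in DEFAULT_SEARCH_HOSTS:
            return Finding(line, "keep", f"stock search host {host}")
        return Finding(line, "fix", f"search/start page redirected to {host or 'unparseable URL'}")

    if kind in ("R3", "O2"):
        # body: "(name) - {CLSID} - dll-path or (no file)"
        if "(no file)" in body:
            return Finding(line, "fix", "orphaned CLSID: hook/BHO registered but its DLL is gone")
        return Finding(line, "review", "hook/BHO DLL present: check vendor and signature")

    if kind == "O1":
        # body: "Hosts: <address> <name>"
        parts = body.partition(":")[2].split()
        if len(parts) >= 2 and (parts[0], parts[1]) in STOCK_HOSTS_LINES:
            return Finding(line, "keep", "stock loopback mapping shipped with Windows")
        return Finding(line, "fix", "non-default hosts mapping (possible redirect or blocking)")

    if kind == "O4":
        # body: "HKCU\..\Run: [ValueName] C:\path\image.exe args"
        o4 = O4_RE.match(body)
        if not o4:
            return Finding(line, "review", "could not parse Run entry")
        path = _image_path(o4.group("cmd")).lower()
        if any(frag in path for frag in USER_WRITABLE):
            return Finding(line, "fix", f"autostart from user-writable location: {path}")
        return Finding(line, "review", f"autostart from {path}: confirm the user wants it")

    return Finding(line, "review", f"no rule for {kind} entries")


def triage(lines):
    """Triage many entries; findings sorted so 'fix' comes first."""
    order = {"fix": 0, "review": 1, "keep": 2}
    return sorted((triage_line(l) for l in lines if l.strip()),
                  key=lambda f: order[f.verdict])


if __name__ == "__main__":
    # The entries quoted in the post above, plus one stock start page.
    SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/disp...b_id&%language
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
""".splitlines()
    for f in triage(SAMPLE):
        print(f"{f.verdict:6} {f.reason}\n       {f.entry}")
```

A "fix" verdict is a prompt to look, not a deletion order: the R0/R1 rule fires on any host outside the allow-list, so a deliberately chosen third-party search provider would also be flagged. The two loopback mappings are kept because they ship in the stock Vista hosts file, and an O4 image under Windows or Program Files is left at "review" because location alone does not tell you whether the user wants that program starting up.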
Bump (w t f ?)
Thanks for all this, going to run RegCleaner now along with the others.
I did do a full scan with Dr.Web, but the 4 year old closed the lappy before I got to see the results, so I will rerun it and get back to you in a day or so with the results.
Thank you very, very much for all your help.
Download the latest version of Dr.Web before running it.
Hi, just ran Dr.Web and all it found was ComboFix and the files in quarantine and what had been deleted by ComboFix, so I deleted them when Dr.Web said so.
Am I ok now to install a FREE anti-virus plus whatever other security this lappy needs so I can give it back?
Also remove Norton and the Dr.Web etc?
Thanks GT
Go for it.
Use the NORTON REMOVAL TOOL before installing the new AV.