Supposed to be doing my BSL homework!!!
Okay, try uninstalling AVG, and after you reboot then use a removal tool to make sure it's gone - http://www.avg.com/us-en/download-tools (also can try www.appremover.com with the 'check for failed uninstall' option).
Then download this file to the desktop and run it (it will try to temporarily shut down any malware processes):
http://www.users.on.net/~russ/iExplore.exe
Then run this one and post the logs as previously described: (this is the malware cleaner, just renamed to trick malware)
http://www.users.on.net/~russ/qwertles.exe
Only after you've run the malware cleaner, then try installing Avast (or reinstall AVG, but I don't recommend it):
http://majorgeeks.com/Avast_Home_Edition_d1968.html
Everything worked fine then tried to run the malware cleaner; it goes through the various security checks, briefly shows something like a dos screen and then stops. Not sure what I have done wrong.
Jen
top_drawer wrote: »Everything worked fine then tried to run the malware cleaner; it goes through the various security checks, briefly shows something like a dos screen and then stops. Not sure what I have done wrong.
Jen
What stage does it get to from this guide?
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Check if there's a combofix log (My computer > Drive C > combofix.txt)
Not a clue what I did right, here it is.....
ComboFix 11-05-09.01 - Jennifer 09/05/2011 22:12:00.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1132 [GMT 1:00]
Running from: c:\users\Jennifer\Downloads\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\progra~1\KINGKO~1\Capture\KKBRow~1.dll
c:\users\Jennifer\OOo_3.1.0_Win32Intel_install_wJRE_en-US.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))
.
.
2011-05-09 21:21 . 2011-05-09 21:22 -------- d-----w- c:\users\Jennifer\AppData\Local\temp
2011-05-09 21:21 . 2011-05-09 21:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-08 17:02 . 2011-05-08 17:02 -------- d-----w- c:\windows\system32\Adobe
2011-05-07 21:37 . 2011-05-07 21:37 -------- d-----w- c:\programdata\McAfee
2011-04-30 10:38 . 2011-05-05 21:59 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-30 10:38 . 2011-04-30 10:38 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-30 10:38 . 2011-05-05 21:55 -------- d-----w- c:\programdata\Hitman Pro
2011-04-29 21:45 . 2011-04-29 21:45 388096 ----a-r- c:\users\Jennifer\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-29 20:15 . 2011-04-29 20:15 -------- d-----w- c:\program files\Trend Micro
2011-04-29 17:19 . 2011-04-29 17:19 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Malwarebytes
2011-04-29 17:19 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-29 17:19 . 2011-04-29 17:19 -------- d-----w- c:\programdata\Malwarebytes
2011-04-29 17:19 . 2011-04-29 17:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-29 17:19 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 16:38 . 2011-04-28 16:38 -------- d-----w- c:\users\Jennifer\AppData\Local\Opera
2011-04-28 16:37 . 2011-04-28 16:37 -------- d-----w- c:\program files\Opera
2011-04-28 14:20 . 2011-04-28 14:20 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-04-28 14:19 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-28 14:19 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-28 14:19 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-25 20:16 . 2011-04-25 20:16 -------- d-----w- c:\users\Jennifer\AppData\Local\Mozilla
2011-04-24 22:54 . 2011-04-24 22:54 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Apple Computer
2011-04-24 22:54 . 2011-04-24 22:54 -------- d-----w- c:\users\Jennifer\AppData\Local\Apple Computer
2011-04-24 22:51 . 2009-05-18 12:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-04-24 22:51 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-04-24 22:49 . 2011-04-24 22:49 -------- d-----w- c:\program files\iPod
2011-04-24 22:49 . 2011-04-24 22:51 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-04-24 22:49 . 2011-04-24 22:51 -------- d-----w- c:\program files\iTunes
2011-04-24 22:43 . 2011-04-24 22:43 -------- d-----w- c:\program files\Apple Software Update
2011-04-24 22:35 . 2011-04-28 15:52 -------- d-----w- c:\program files\Common Files\Apple
2011-04-24 22:00 . 1999-11-10 11:05 86016 ----a-w- c:\windows\unvise32qt.exe
2011-04-24 21:59 . 2011-04-24 22:29 -------- d-----w- c:\windows\system32\QuickTime
2011-04-24 21:59 . 2011-04-24 21:59 -------- d-----w- c:\programdata\QuickTime
2011-04-21 17:28 . 2011-04-21 17:28 -------- d-----w- c:\users\Jennifer\AppData\Roaming\AVG10
2011-04-21 17:22 . 2011-05-09 19:05 -------- d-----w- c:\programdata\AVG Security Toolbar
2011-04-21 17:15 . 2011-04-18 08:15 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A0D0F2FC-6A06-46BF-8AA2-F83B7C10770F}\mpengine.dll
2011-04-21 16:33 . 2011-05-09 18:29 -------- d-----w- c:\programdata\MFAData
2011-04-21 14:02 . 2011-04-21 14:02 -------- d-----w- c:\users\Jennifer\AppData\Local\Yahoo
2011-04-21 13:31 . 2011-04-24 17:24 -------- d-----w- c:\programdata\Yahoo!
2011-04-21 13:31 . 2011-04-21 13:31 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Yahoo!
2011-04-21 13:30 . 2011-04-25 15:09 -------- d-----w- c:\program files\Yahoo!
2011-04-15 20:33 . 2011-04-15 20:35 -------- d-----w- C:\07bb69d92e1143295b2042681a64dcd1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-10 03:24 . 2010-06-24 10:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-03 15:40 . 2011-04-28 14:19 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-28 14:19 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-28 14:19 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-28 14:19 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-02-22 14:13 . 2011-03-23 14:04 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 14:04 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 14:04 797696 ----a-w- c:\windows\system32\FntCache.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-11-09 160328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-18 1540096]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-6-6 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 12:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2009-09-12 22:09 103768 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 10:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-04-24 22:07 136176 ----atw- c:\users\Jennifer\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 10:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
2010-10-20 15:32 2192752 ----a-w- c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-02-08 05:11 303104 ----a-w- c:\windows\sttray.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-08-24 266240]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-06-07 840936]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-05-05 17480]
R3 S2usbser;S2 USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\S2usbser.sys [2008-07-23 103680]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-27 390528]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-06-07 59240]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-06-07 166632]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1530635545-1869025753-2870467505-1000Core.job
- c:\users\Jennifer\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-25 22:07]
.
2011-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1530635545-1869025753-2870467505-1000UA.job
- c:\users\Jennifer\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-25 22:07]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.aol.co.uk/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-09 22:22
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
LOCKED REGISTRY KEYS
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-09 22:26:20
ComboFix-quarantined-files.txt 2011-05-09 21:26
.
Pre-Run: 58,982,682,624 bytes free
Post-Run: 58,954,473,472 bytes free
.
- - End Of File - - D6E27E3D0DF5AA8E4B3540C8B51BB784
Jen
Hey Jenny, thanks for that - looks like it didn't like the King Kong capture either! I'll ask AlienRik to take a look at the log.
I noticed the AVG toolbar is still there, so see if you can uninstall that from the control panel > programs and features
Make sure you install an antivirus.
Afterwards, run an Eset Online On-Demand scan (just the bit that says "Part 1", ignore the "Part 2" which is just an ad for the paid version):
http://www.eset.com/us/online-scanner
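The reply above reads the ComboFix log by eye for leftover AVG entries and stale loading points. As an added example (not code from the thread, ComboFix or any of the tools named in it), here is a small Python parser for the autostart sections ComboFix prints, run on a constructed log excerpt in the same format; the triage flags, `find_leftovers` and the other function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the format ComboFix prints for Run keys, msconfig
# startupreg keys, service lines and IE protocol handlers. Not the poster's full log.
SAMPLE_LOG = r"""
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-11-09 160328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-04-24 22:07 136176 ----atw- c:\users\Jennifer\AppData\Local\Google\Update\GoogleUpdate.exe
.
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-08-24 266240]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-06-07 166632]
.
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
"""


@dataclass
class AutostartEntry:
    kind: str              # "run", "startupreg", "service" or "handler"
    name: str
    path: str              # empty when the log shows no target at all
    key: str = ""          # registry key the entry was listed under, when known
    date: Optional[str] = None
    size: Optional[int] = None
    present: bool = True   # False when ComboFix printed "[X]" (file not on disk)


KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
DATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (\d+) \S{8} (.+)$")
MISSING_RE = re.compile(r"^(.+) \[X\]$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[(\d{4}-\d{2}-\d{2}) (\d+)\]$")
HANDLER_RE = re.compile(r"^Handler: (\S+) - \{[0-9A-Fa-f-]+\} -\s*(.*)$")
# Autostarts launched from a per-user or temp folder deserve a closer look:
# legitimate per-user updaters live there too, so this is a prompt, not a verdict.
SUSPECT_DIRS = re.compile(r"\\(users|temp)\\", re.I)


def parse_combofix(text: str) -> List[AutostartEntry]:
    """Walk the 'Reg Loading Points' style lines and collect one entry per autostart."""
    entries: List[AutostartEntry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses "." as a blank separator
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m and key:
            entries.append(AutostartEntry("run", m.group(1), m.group(2), key, m.group(3), int(m.group(4))))
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(AutostartEntry("service", m.group(2), m.group(4), date=m.group(5), size=int(m.group(6))))
            continue
        m = HANDLER_RE.match(line)
        if m:
            entries.append(AutostartEntry("handler", m.group(1), m.group(2)))
            continue
        if "startupreg" in key.lower():      # disabled-in-msconfig items: one line under each key
            name = key.rsplit("\\", 1)[-1]
            m = DATED_RE.match(line)
            if m:
                entries.append(AutostartEntry("startupreg", name, m.group(3), key, m.group(1), int(m.group(2))))
                continue
            m = MISSING_RE.match(line)
            if m:
                entries.append(AutostartEntry("startupreg", name, m.group(1), key, present=False))
    return entries


def triage(entry: AutostartEntry) -> List[str]:
    """Return the reasons an entry merits a second look (empty list means nothing noted)."""
    flags: List[str] = []
    if not entry.present:
        flags.append("missing-file")             # stale loading point or an already-removed file
    if entry.kind == "handler" and not entry.path:
        flags.append("handler-without-target")   # protocol handler left behind by an uninstall
    if entry.path and SUSPECT_DIRS.search(entry.path):
        flags.append("user-writable-path")
    return flags


def flagged(entries: List[AutostartEntry]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for e in entries:
        f = triage(e)
        if f:
            out[e.name] = f
    return out


def find_leftovers(entries: List[AutostartEntry], keyword: str) -> List[AutostartEntry]:
    """Case-insensitive search of name, path and key, e.g. for remnants of an uninstalled product."""
    k = keyword.lower()
    return [e for e in entries if k in e.name.lower() or k in e.path.lower() or k in e.key.lower()]
```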
AVG isn't showing up in the control panel > programs and features
Downloaded AVAST and IObit Malware Fighter and both are currently scanning.
Jen
sometimes it's much simpler to back up your data and restore to factory settings using the factory restore partition!!
Open notepad and copy/paste the text in RED below
File::
c:\windows\unvise32qt.exe
Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
(If SNAPSHOT is stupidly large, leave that part out)
Combofix should never take more that 30 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
Well second/third time lucky! Not sure what SNAPSHOT is.
Jen
ComboFix 11-05-09.04 - Jennifer 10/05/2011 23:15:31.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1002 [GMT 1:00]
Running from: c:\users\Jennifer\Downloads\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run
.
c:\windows\unvise32qt.exe
.
-- Previous Run --
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
.
.
((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))
.
.
2011-05-10 22:29 . 2011-05-10 22:31 -------- d-----w- c:\users\Jennifer\AppData\Local\temp
2011-05-10 22:29 . 2011-05-10 22:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-10 16:01 . 2011-05-10 16:01 -------- d-----w- c:\program files\ESET
2011-05-10 13:57 . 2011-05-10 16:08 -------- d-----w- c:\program files\Application Updater
2011-05-10 13:57 . 2011-05-10 13:57 -------- d-----w- c:\program files\IObit Toolbar
2011-05-10 13:57 . 2011-05-10 13:57 -------- d-----w- c:\program files\Common Files\Spigot
2011-05-10 13:51 . 2011-05-10 13:56 -------- d-----w- c:\users\Jennifer\AppData\Roaming\IObit
2011-05-10 13:51 . 2011-05-10 13:56 -------- d-----w- c:\program files\IObit
2011-05-08 17:02 . 2011-05-08 17:02 -------- d-----w- c:\windows\system32\Adobe
2011-05-07 21:37 . 2011-05-07 21:37 -------- d-----w- c:\programdata\McAfee
2011-04-30 10:38 . 2011-05-05 21:59 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-30 10:38 . 2011-04-30 10:38 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-30 10:38 . 2011-05-05 21:55 -------- d-----w- c:\programdata\Hitman Pro
2011-04-29 21:45 . 2011-04-29 21:45 388096 ----a-r- c:\users\Jennifer\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-29 20:15 . 2011-04-29 20:15 -------- d-----w- c:\program files\Trend Micro
2011-04-29 17:19 . 2011-04-29 17:19 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Malwarebytes
2011-04-29 17:19 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-29 17:19 . 2011-04-29 17:19 -------- d-----w- c:\programdata\Malwarebytes
2011-04-29 17:19 . 2011-04-29 17:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-29 17:19 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 16:38 . 2011-04-28 16:38 -------- d-----w- c:\users\Jennifer\AppData\Local\Opera
2011-04-28 16:37 . 2011-04-28 16:37 -------- d-----w- c:\program files\Opera
2011-04-28 14:20 . 2011-04-28 14:20 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-04-28 14:19 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-28 14:19 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-28 14:19 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-25 20:16 . 2011-04-25 20:16 -------- d-----w- c:\users\Jennifer\AppData\Local\Mozilla
2011-04-24 22:54 . 2011-04-24 22:54 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Apple Computer
2011-04-24 22:54 . 2011-04-24 22:54 -------- d-----w- c:\users\Jennifer\AppData\Local\Apple Computer
2011-04-24 22:51 . 2009-05-18 12:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-04-24 22:51 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-04-24 22:49 . 2011-04-24 22:49 -------- d-----w- c:\program files\iPod
2011-04-24 22:49 . 2011-04-24 22:51 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-04-24 22:49 . 2011-04-24 22:51 -------- d-----w- c:\program files\iTunes
2011-04-24 22:43 . 2011-04-24 22:43 -------- d-----w- c:\program files\Apple Software Update
2011-04-24 22:35 . 2011-04-28 15:52 -------- d-----w- c:\program files\Common Files\Apple
2011-04-24 21:59 . 2011-04-24 22:29 -------- d-----w- c:\windows\system32\QuickTime
2011-04-24 21:59 . 2011-04-24 21:59 -------- d-----w- c:\programdata\QuickTime
2011-04-21 17:28 . 2011-04-21 17:28 -------- d-----w- c:\users\Jennifer\AppData\Roaming\AVG10
2011-04-21 17:22 . 2011-05-09 19:05 -------- d-----w- c:\programdata\AVG Security Toolbar
2011-04-21 17:15 . 2011-04-18 08:15 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A0D0F2FC-6A06-46BF-8AA2-F83B7C10770F}\mpengine.dll
2011-04-21 16:33 . 2011-05-09 18:29 -------- d-----w- c:\programdata\MFAData
2011-04-21 14:02 . 2011-04-21 14:02 -------- d-----w- c:\users\Jennifer\AppData\Local\Yahoo
2011-04-21 13:31 . 2011-04-24 17:24 -------- d-----w- c:\programdata\Yahoo!
2011-04-21 13:31 . 2011-04-21 13:31 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Yahoo!
2011-04-21 13:30 . 2011-04-25 15:09 -------- d-----w- c:\program files\Yahoo!
2011-04-15 20:33 . 2011-04-15 20:35 -------- d-----w- C:\07bb69d92e1143295b2042681a64dcd1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-10 03:24 . 2010-06-24 10:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-03 15:40 . 2011-04-28 14:19 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-28 14:19 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-28 14:19 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-28 14:19 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-02-22 14:13 . 2011-03-23 14:04 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 14:04 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 14:04 797696 ----a-w- c:\windows\system32\FntCache.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-11-09 160328]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-04-29 402832]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-18 1540096]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-05-06 4378968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-6-6 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 12:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2009-09-12 22:09 103768 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 10:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-04-24 22:07 136176 ----atw- c:\users\Jennifer\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 10:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
2010-10-20 15:32 2192752 ----a-w- c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-02-08 05:11 303104 ----a-w- c:\windows\sttray.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-08-24 266240]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-06-07 840936]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-05-05 17480]
R3 S2usbser;S2 USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\S2usbser.sys [2008-07-23 103680]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-27 390528]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-06-07 59240]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-06-07 166632]
S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [2011-04-29 352656]
S2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [2011-05-06 821592]
S3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wlh_x86\FileMonitor.sys [2011-04-27 18768]
S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\drivers\wlh_x86\regfilter.sys [2011-03-22 30600]
S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\drivers\wlh_x86\UrlFilter.sys [2011-03-22 19280]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1530635545-1869025753-2870467505-1000Core.job
- c:\users\Jennifer\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-25 22:07]
.
2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1530635545-1869025753-2870467505-1000UA.job
- c:\users\Jennifer\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-25 22:07]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.aol.co.uk/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-QuickTime - c:\windows\unvise32qt.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-10 23:30
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
LOCKED REGISTRY KEYS
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-10 23:36:57
ComboFix-quarantined-files.txt 2011-05-10 22:36
ComboFix2.txt 2011-05-09 21:26
.
Pre-Run: 57,550,716,928 bytes free
Post-Run: 57,464,164,352 bytes free
.
- - End Of File - - 5492DBD3710CD11C165724D03988CEF9
I'm not convinced it's clean (although the log looks OK now).
Download and run the FREE version of DR WEB (DON'T UPGRADE)
http://www.freedrweb.com/download+cureit/?nc=t&lng=en