
Hijack this can anyone help


Comments

  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)
  • photome
    photome Posts: 16,680 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Bake Off Boss!
    aliEnRIK wrote: »
    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)

    Just tried that, I clicked on run and a few seconds later the log disappeared and it doesn't seem to be in C drive
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Don't run, SAVE it, put it on your desktop then run it
  • photome
    photome Posts: 16,680 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Bake Off Boss!
    Here is my combofix log


    ComboFix 12-01-30.02 - Owner 30/01/2012 18:44:11.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.728 [GMT 0:00]
    Running from: c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\My Documents\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\hpe72.dll
    C:\no.txt
    c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
    c:\windows\bwUnin-6.1.4.36-8876480L.exe
    c:\windows\bwUnin-7.2.0.137-8876480SL.exe
    c:\windows\help\wmplayer.bak
    c:\windows\patch.exe
    c:\windows\run.log
    c:\windows\system32\ps2.bat
    c:\windows\system32\regobj.dll
    c:\windows\system32\roboot.exe
    D:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-30 18:27 . 2012-01-30 18:27 d-----w- c:\program files\SpecialSavings
    2012-01-30 18:27 . 2012-01-30 18:36 d-----w- c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Application Data\PerformerSoft
    2012-01-29 09:28 . 2012-01-30 16:09 d-----w- c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Application Data\Dropbox
    2012-01-08 16:01 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-08 15:51 . 2012-01-08 15:51 388096 ----a-r- c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2012-01-08 10:54 . 2012-01-08 10:54 d-----w- c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Application Data\ArcSoft
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-28 18:01 . 2011-05-21 06:36 41184 ----a-w- c:\windows\avastSS.scr
    2011-11-28 18:01 . 2011-05-21 06:36 199816 ----a-w- c:\windows\system32\aswBoot.exe
    2011-11-28 17:53 . 2011-05-21 06:37 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-11-28 17:53 . 2011-05-21 06:37 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-11-28 17:52 . 2011-05-21 06:37 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-11-28 17:52 . 2011-05-21 06:37 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-11-28 17:52 . 2011-05-21 06:37 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-11-28 17:51 . 2011-05-21 06:37 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-11-28 17:51 . 2011-05-21 06:37 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-11-28 17:48 . 2011-05-21 06:37 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-11-25 21:57 . 2004-01-01 15:21 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2004-01-01 15:21 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2004-02-24 20:36 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-04 19:20 . 2004-02-24 20:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-02-24 20:35 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-04 19:20 . 2004-01-21 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 11:23 . 2010-01-24 08:43 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-03 15:28 . 2003-05-30 16:00 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28 . 2003-05-30 16:00 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-09-29 06:53 . 2011-10-17 16:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Acme.PCHButton"="c:\progra~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe" [2004-01-01 155648]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
    "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
    "Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 135168]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-12-05 3022848]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    .
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    AutoTBar.exe [2003-9-30 57344]
    .
    c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Application Data\Dropbox\bin\Dropbox.exe [2012-1-18 24246216]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 8.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 8.0 Tray Icon.lnk
    backup=c:\windows\pss\AOL 8.0 Tray Icon.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Assistant.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Broadband Assistant.lnk
    backup=c:\windows\pss\AOL Broadband Assistant.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\broadband medic.lnk
    backup=c:\windows\pss\broadband medic.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
    backup=c:\windows\pss\Exif Launcher 2.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-EVF1TFJ8B7^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-12-13 17:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-06-01 10:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2003-11-03 16:50 221184 ----a-w- c:\windows\SMINST\Recguard.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    2009-11-20 10:17 434176 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 08:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "YahooAUService"=2 (0x2)
    "WebClient"=2 (0x2)
    "SSDPSRV"=3 (0x3)
    "gusvc"=3 (0x3)
    "gupdatem"=3 (0x3)
    "gupdate"=2 (0x2)
    "OMSI download service"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Documents and Settings\\Owner.YOUR-EVF1TFJ8B7\\Desktop\\Scrabble\\scrabble.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Documents and Settings\\Owner.YOUR-EVF1TFJ8B7\\Application Data\\Spotify\\spotify.exe"=
    "c:\\Documents and Settings\\Owner.YOUR-EVF1TFJ8B7\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    .
    R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [17/01/2011 19:02 16024]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [21/05/2011 06:37 435032]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/05/2011 06:37 314456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/05/2011 06:37 20568]
    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [17/01/2011 19:02 220824]
    S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [10/02/2010 17:47 89256]
    S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [10/02/2010 17:47 15016]
    S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [10/02/2010 17:47 120744]
    S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [10/02/2010 17:47 114216]
    S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [10/02/2010 17:47 25512]
    S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [10/02/2010 17:47 110632]
    S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [10/02/2010 17:47 115752]
    S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [10/02/2010 17:47 86824]
    S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [10/02/2010 17:47 15016]
    S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [10/02/2010 17:47 114600]
    S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [10/02/2010 17:47 108328]
    S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [10/02/2010 17:47 26024]
    S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [10/02/2010 17:47 104616]
    S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [10/02/2010 17:48 109736]
    S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2009 18:29 133104]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2009 18:29 133104]
    S4 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [10/02/2010 17:46 90112]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-30 c:\windows\Tasks\Clean System Memory.job
    - c:\windows\system32\CleanMem.exe [2009-04-01 16:51]
    .
    2011-06-20 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
    .
    2012-01-30 c:\windows\Tasks\User_Feed_Synchronization-{303AACE9-33DD-4F13-8EA0-80B43A21BCA3}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.moneysavingexpert.com/
    uDefault_Search_URL = hxxp://srch-gb10.hpwis.com/
    mSearch Bar = hxxp://srch-gb10.hpwis.com/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\SpecialSavings\SpecialSavingsSinged.dll
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    FF - ProfilePath - c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Application Data\Mozilla\Firefox\Profiles\p9asyxtz.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-AvgRemover - c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Local Settings\Temporary Internet Files\Content.IE5\BRLIGFH7\avg_remover_stf_x86_2011_1322[1].exe
    MSConfigStartUp-CTFMON - (no file)
    AddRemove-Casino-On-Net - c:\progra~1\CASINO~1\UNWISE.EXE
    AddRemove-HitmanPro35 - c:\documents and settings\Owner.YOUR-EVF1TFJ8B7\Local Settings\Temporary Internet Files\Content.IE5\8PF6HM07\HitmanPro35[1].exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-30 19:20
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    C:\## aswSnx private storage
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    "Licence0"="04F0D21-79D8-7A25-D702-433F"
    .
    DLLs Loaded Under Running Processes
    .
    - - - - - - - > 'winlogon.exe'(584)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL
    .
    Completion time: 2012-01-30 19:42:52
    ComboFix-quarantined-files.txt 2012-01-30 19:42
    .
    Pre-Run: 68,732,669,952 bytes free
    Post-Run: 69,572,890,624 bytes free
    .
    - - End Of File - - B585A29B0C3B7D1C69BA0706492D1CF5
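    A ComboFix log like the one above is easier to check for false positives once it is broken into its sections and the deleted items and autostart entries are pulled out as data. The script below is an added example written for this thread; it is not ComboFix's own code, and the embedded log excerpt is a constructed cut-down copy of the format above, not the full log. The triage rules (executable extension, loose file directly under the Windows directory, Autorun.inf at a drive root) are this example's own heuristics for deciding which deleted items deserve a hash lookup before being written off as harmless.

```python
"""Parse a ComboFix log into its sections and pull out the items worth a
second look.  Added example for this thread; it is not ComboFix's own code and
the log excerpt below is a constructed cut-down copy of the format above."""
import ntpath
import re
from collections import defaultdict

# Constructed excerpt in the ComboFix format shown above (not the full log).
SAMPLE_LOG = r"""
ComboFix 12-01-30.02 - Owner 30/01/2012 18:44:11.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.728 [GMT 0:00]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\hpe72.dll
c:\windows\patch.exe
c:\windows\system32\ps2.bat
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
.
"""

# A section banner is a run of '(', a title, and a run of ')'.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# Registry key header: [HKEY_...]
KEY_RE = re.compile(r"^\[(.+)\]$")
# Value line: "Name"="path" [YYYY-MM-DD size]  (the '@' default value has no quotes)
VALUE_RE = re.compile(
    r'^"?([^"=]+)"?="([^"]*)"(?:\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\])?$'
)


def parse_combofix(text):
    """Split the log into {section title: [lines]}; '.' separator lines are
    dropped and anything before the first banner is filed under 'Header'."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            continue
        sections[current].append(line)
    return dict(sections)


def parse_run_entries(lines):
    """Turn the 'Reg Loading Points' lines into one dict per autostart value."""
    entries = []
    key = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, path, date, size = m.groups()
            entries.append({"key": key, "name": name, "path": path,
                            "date": date, "size": int(size) if size else None})
    return entries


EXECUTABLE_EXT = {".exe", ".dll", ".bat", ".sys", ".scr", ".cpl", ".inf"}
WINDOWS_ROOT = "c:\\windows"


def triage_deletions(paths):
    """Return (path, reasons) for deleted items that deserve a hash lookup
    before being written off as harmless; the rest of the list is left out."""
    flagged = []
    for path in paths:
        parent = ntpath.dirname(path).lower()
        name = ntpath.basename(path).lower()
        ext = ntpath.splitext(name)[1]
        reasons = []
        if ext in EXECUTABLE_EXT:
            reasons.append("executable or loadable content (%s)" % ext)
        if parent == WINDOWS_ROOT:
            reasons.append("loose file directly under the Windows directory")
        if name == "autorun.inf" and parent.endswith(":\\"):
            reasons.append("autorun.inf at a drive root")
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    sections = parse_combofix(SAMPLE_LOG)
    for path, reasons in triage_deletions(sections["Other Deletions"]):
        print(path, "->", "; ".join(reasons))
    for entry in parse_run_entries(sections["Reg Loading Points"]):
        print(entry["name"], entry["path"], entry["date"], entry["size"])
```

    Run it against a saved COMBOFIX.TXT by replacing SAMPLE_LOG with the file's contents; the flagged list is the set of deletions to hash and look up, and the Run entries are the autostart values to compare against what you expect to be installed.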
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Reset internet explorer
    1. Open Internet Explorer.
    2. Click Tools, and then click Internet Options.
    3. Click the Advanced tab.
    4. Under Reset Internet Explorer Settings, click Reset.

    Create a new Firefox profile and delete the old one:
    http://www.guidingtech.com/7430/how-to-create-a-new-profile-in-firefox/

    You will lose ALL saved information in both IE and Firefox. So you might want to sort out passwords etc. first
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\hpe72.dll
    C:\no.txt
    c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
    c:\windows\bwUnin-6.1.4.36-8876480L.exe
    c:\windows\bwUnin-7.2.0.137-8876480SL.exe
    c:\windows\help\wmplayer.bak
    c:\windows\patch.exe
    c:\windows\run.log
    c:\windows\system32\ps2.bat
    c:\windows\system32\regobj.dll
    c:\windows\system32\roboot.exe
    D:\Autorun.inf
    .
    .
    hpe72.dll <- Related to Sony Ericsson suite
    https://www.virustotal.com/file/45a2f8fae3d3284373a0a7b4927f2bb3757cd39abecb2b0e7c26540fc52618d1/analysis/
    ORIGIN
    Some phone and mobile device utilities may use Avanquest Software to perform updates. In my case, installing Sony Ericsson's phone utility led to an update

    bwUnin-6.1.4.36-8876480L.exe
    bwUnin-7.2.0.137-8876480SL.exe <- HP BackWeb related
    http://r.virscan.org/734e51b6742dd1be6e83b20a9e8431fb
    http://f.virscan.org/bwUnin-7.2.0.137-8876480SL.exe.html
    https://www.virustotal.com/file/ad341236fab19137b6451df0c2be76f868c5fd7847e27307a1df77e1c2999d7a/analysis/
    PE Exports....................:

    CloseBackWeb, GetUninstallerPath, RemoveUnusedVersions


    ps2.bat <- HP, keyboard related
    https://www.virustotal.com/file/cd5a70ab8d0278cd58e1eac059680d005aca8db01b0f0cf63d8fee724af2dd51/analysis/1300876854/
    publisher................: Hewlett-Packard Company
    product..................: Hewlett-Packard Company PS2 EXE
    internal name............: PS2 EXE
    copyright................: Copyright (c) Hewlett-Packard Company 2002
    original name............: Ps2.exe
    comments.................:
    file version.............: 1.0.2.2.112404
    description..............: PS2 EXE

    regobj.dll <- Legit file - could be used nefariously.
    http://msdn.microsoft.com/en-us/vstudio/ee410535
    RegObj.dll is an ActiveX server that allows Visual Basic developers to programmatically control the Registry without having to resort to the Windows API.
    http://www.threatexpert.com/files/regobj.dll.html
    https://www.virustotal.com/file/793501a47f91e23b17ad70e77ab8e9d96c8891bc00aaeb8a2aa768da064a00d0/analysis/


    roboot.exe <- Systweak
    https://www.virustotal.com/file/71348bdbb51aeea4680d6abc3e7baa76fcd6bf14cc3261a9b946f29897dad550/analysis/1324138438/
    publisher................: Systweak Inc., (www.systweak.com)
    product..................: Systweak Regclean Pro
    internal name............: Regclean Pro Registry Optimizer
    copyright................: Copyright (C) 2010 Systweak Inc., All rights reserved.
    original name............: RegcleanPro.exe
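    The 64-character identifiers in the VirusTotal links above are SHA-256 digests of the files, which is what lets anyone with a copy of a quarantined file check whether it matches the sample that was analysed. The script below is an added example written for this thread (not waddler_8's own tooling): it hashes every file under a folder, builds a lookup URL of the same shape as the links above (that URL shape is copied from the thread and assumed, not checked against VirusTotal's current site layout), and extracts the digest back out of such a link. The two-file quarantine folder it creates is a constructed stand-in with well-known test-vector digests.

```python
"""SHA-256 lookups for quarantined files.  Added example for this thread (not
waddler_8's own tooling): it reproduces how the 64-hex identifiers in the
VirusTotal links above are derived and builds the same URL shape for any file."""
import hashlib
import os
import re
import tempfile

# URL shape copied from the links in the thread; assumed, not checked against
# VirusTotal's current site layout.
VT_FILE_URL = "https://www.virustotal.com/file/{digest}/analysis/"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large quarantine items need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def virustotal_url(digest):
    """Build a lookup URL from a lowercase hex SHA-256; reject anything else."""
    if not SHA256_RE.match(digest):
        raise ValueError("expected a 64-character lowercase hex SHA-256")
    return VT_FILE_URL.format(digest=digest)


def digest_from_url(url):
    """Pull the SHA-256 back out of a link of the shape used in the thread."""
    m = re.search(r"/file/([0-9a-f]{64})/", url)
    return m.group(1) if m else None


def hash_quarantine(directory):
    """Map every file below `directory` (relative path) to its SHA-256 and URL."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            digest = sha256_of_file(full)
            report[os.path.relpath(full, directory)] = {
                "sha256": digest,
                "url": virustotal_url(digest),
            }
    return report


def make_sample_quarantine():
    """Constructed stand-in for a quarantine folder: two tiny files whose
    SHA-256 values are standard test vectors ("abc" and the empty file)."""
    directory = tempfile.mkdtemp(prefix="quarantine_")
    with open(os.path.join(directory, "sample_abc.bin"), "wb") as fh:
        fh.write(b"abc")
    open(os.path.join(directory, "empty.bin"), "wb").close()
    return directory


if __name__ == "__main__":
    for rel, info in sorted(hash_quarantine(make_sample_quarantine()).items()):
        print(rel, info["sha256"], info["url"])
```

    Point hash_quarantine at the folder holding the quarantined copies and compare each digest with the one in the corresponding link; a file whose digest differs is not the sample the link describes, so that report says nothing about it.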
  • photome
    photome Posts: 16,680 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Bake Off Boss!
    Waddler, you post all those links but I'm not sure what I am expected to do with them

    I don't use the Sony Ericsson suite any more and I don't have an HP keyboard anymore
  • photome
    photome Posts: 16,680 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Bake Off Boss!
    aliEnRIK wrote: »
    Reset internet explorer
    1. Open Internet Explorer.
    2. Click Tools, and then click Internet Options.
    3. Click the Advanced tab.
    4. Under Reset Internet Explorer Settings, click Reset.

    Create a new Firefox profile and delete the old one:
    http://www.guidingtech.com/7430/how-to-create-a-new-profile-in-firefox/

    You will lose ALL saved information in both IE and Firefox. So you might want to sort out passwords etc. first


    thanks will try this eve

    I rarely use Firefox
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Is it running any better?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    photome wrote: »
    Waddler, you post all those links but I'm not sure what I am expected to do with them

    I don't use the Sony Ericsson suite any more and I don't have an HP keyboard anymore

    The log should be checked for false positives & the links show the files are likely legitimate. At first look it may seem as though ComboFix has removed malware, when in fact it has removed not much more than a few harmless traces & false positives.

    ComboFix is a powerful, aggressive tool designed to combat complex malware infections where other, more generic scanners fail to remove them - there will be innocent bystanders taken out sometimes in the process.

    If you say you don't need those files then it's not so much of a problem, though if needed they would have to be dequarantined before uninstalling combofix.

    I can't see that anything there would be contributing to your problem.
This discussion has been closed.