Internet Explorer hijacked, history shows sites not visited
Comments
Hi, Combofix has run OK in Safe mode, so here's the log...
ComboFix 12-04-16.02 - Administrator 04/18/2012 19:46:19.3.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.691 [GMT 1:00]
Running from: c:\quarantine\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Janet Preston\WINDOWS
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\SET37.tmp
c:\windows\system32\SET4A.tmp
c:\windows\system32\SET4C.tmp
c:\windows\system32\SET4D.tmp
c:\windows\system32\SET4F.tmp
c:\windows\system32\SET52.tmp
c:\windows\system32\SET54.tmp
c:\windows\system32\SET62.tmp
c:\windows\UA000106.DLL
F:\Autorun.inf
F:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-18 to 2012-04-18 )))))))))))))))))))))))))))))))
.
.
2012-04-18 18:35 . 2012-04-18 18:36 -------- d-----w- c:\documents and settings\Administrator
2012-04-16 19:21 . 2012-04-16 19:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Babylon
2012-04-16 19:21 . 2012-04-16 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2012-04-16 12:27 . 2012-04-16 12:27 -------- d-----w- c:\documents and settings\Janet Preston\Application Data\AVG Secure Search
2012-04-15 20:02 . 2012-04-15 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
2012-04-15 20:02 . 2012-04-15 20:02 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2012-04-15 20:02 . 2012-04-15 20:03 -------- d-----w- c:\program files\AVG Secure Search
2012-04-15 07:56 . 2012-04-15 08:51 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-14 18:33 . 2012-04-14 18:33 -------- d-----w- c:\program files\PCHand
2012-04-11 22:10 . 2012-04-11 22:10 -------- d-----w- c:\program files\iPod
2012-04-11 22:10 . 2012-04-11 22:11 -------- d-----w- c:\program files\iTunes
2012-04-02 07:57 . 2012-04-18 11:03 -------- d-----w- c:\documents and settings\Janet Preston\Application Data\Dropbox
2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2012-03-22 20:07 . 2012-03-22 20:11 -------- d-----w- C:\Camcorder DVD
2012-03-20 08:49 . 2012-03-20 08:49 -------- d-----w- c:\program files\SlideGo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-15 08:51 . 2011-05-17 19:51 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 14:56 . 2012-03-18 13:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-17 16:38 . 2012-03-17 16:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-17 16:38 . 2010-12-28 16:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-01 11:01 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-14 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2012-02-12 16:48 . 2007-10-25 17:26 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2012-02-03 09:22 . 2008-04-14 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-04-15 20:02 1869152 ----a-w- c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca4eedb3-5719-4e27-a478-8d13f761c28d}]
2011-05-09 09:49 176936 ----a-w- c:\program files\SparkleBox\prxtbSpa2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ca4eedb3-5719-4e27-a478-8d13f761c28d}"= "c:\program files\SparkleBox\prxtbSpa2.dll" [2011-05-09 176936]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-04-15 1869152]
.
[HKEY_CLASSES_ROOT\clsid\{ca4eedb3-5719-4e27-a478-8d13f761c28d}]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2003-09-05 878080]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-06 273544]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-04-15 982880]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-12-14 24576]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2009-12-14 925803]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
2004-12-08 12:41 229465 ----a-w- c:\windows\system32\PRISMGNA.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\SMART Technologies\\SMART Product Drivers\\UCGui.exe"=
"c:\\Program Files\\SMART Technologies\\SMART Product Drivers\\SMARTSNMPAgent.exe"=
"c:\\Program Files\\SMART Technologies\\SMART Product Drivers\\UCService.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Janet Preston\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Documents and Settings\\Janet Preston\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 5:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 4:48 AM 230608]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 4:49 AM 295248]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 7:25 AM 4433248]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [1/2/2010 11:48 AM 233472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 10:38 AM 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/18/2012 2:56 PM 654408]
S2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [12/14/2009 5:04 PM 57433]
S2 SMART Display Controller;SMART Display Controller;c:\program files\SMART Technologies\SMART Product Drivers\UCService.exe [1/25/2011 6:10 PM 846704]
S2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [4/15/2012 9:02 PM 918880]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/15/2012 8:56 AM 253088]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [5/13/2011 4:21 AM 30312]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 10:42 PM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 10:42 PM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 10:42 PM 16720]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [1/2/2010 11:48 AM 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 10:38 AM 135664]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/18/2012 2:56 PM 22344]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [2/14/2010 1:59 PM 47360]
S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe [1/25/2011 6:13 PM 1678704]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [1/2/2010 11:49 AM 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [1/2/2010 11:49 AM 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [1/2/2010 11:49 AM 121856]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [5/13/2011 4:21 AM 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [5/13/2011 4:21 AM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [5/13/2011 4:21 AM 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [5/13/2011 4:21 AM 114280]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PARPORT
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 08:51]
.
2012-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 09:38]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 09:38]
.
2012-04-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1547161642-2146896677-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2012-04-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1547161642-2146896677-1606980848-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2012-04-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1547161642-2146896677-1606980848-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2012-04-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1547161642-2146896677-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2012-04-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1547161642-2146896677-1606980848-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2012-04-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1547161642-2146896677-1606980848-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
.
Supplementary Scan
.
TCP: DhcpNameServer = 192.168.2.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
DPF: {644F656A-013E-4198-BE03-1D7A4F6AB550} - hxxps://www.promapserver.co.uk/controls/latest/promap.cab
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKLM-Run-UIUCU - c:\docume~1\Owner\LOCALS~1\Temp\UIUCU.EXE
HKLM-Run-NPSStartup - (no file)
AddRemove-EPSON Scanner - c:\program files\epson\escndv\setup\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-18 19:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'winlogon.exe'(252)
c:\windows\system32\PRISMGNA.DLL
.
Completion time: 2012-04-18 20:02:03
ComboFix-quarantined-files.txt 2012-04-18 19:02
.
Pre-Run: 314,220,679,168 bytes free
Post-Run: 314,632,654,848 bytes free
.
- - End Of File - - 13FDAFBA792D7514C706296477AB1200
Many thanks, Andy
How are things now - any problems still?
Hi,
Things seem to be a lot better. IE is running faster, there are no dodgy pages appearing in the history, and no rogue iexplore.exe showing up in task manager.
I think you've cracked it!
Many, many thanks for your help - it really is truly appreciated.
All the best,
Andy
Go to start > run and copy/paste the following (Include the quotes) and click ok.
"C:\Qoobox\Add-Remove Programs.txt"
Post me the log that opens.
Sorry - spoke too soon. A rogue website has just appeared in history, IE is using high memory, and Malwarebytes has detected attempts to access malicious websites.

Anything else I can try?
Thanks,
Andy
Sorry, didn't see your reply.
Here's the log.....
ABBYY FineReader 5.0 Sprint
ABBYY FineReader 6.0
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe Acrobat 5.0
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Reader 9.5.1
Adobe Setup
Adobe Stock Photos 1.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AGEIA PhysX v6.11.13
Amazon MP3 Downloader 1.0.9
AnyDVD
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.3.14 (Unicode)
AudibleManager
AVG 2012
AVG Security Toolbar
AVS Update Manager 1.0
AVS4YOU Software Navigator 1.4
BitTorrent
Bonjour
Boris Graffiti
Canon iP5300 User Registration
CD-LabelPrint
CloneCD
CloneDVD2
ConvertXtoDVD 4.0.9.322
Corel VideoStudio 12
CorelDRAW Graphics Suite 12
Coupon Printer
Creative System Information
Creative ZEN
CutePDF Writer 2.8
Digital Line Detect
Dr SpeedTouch
DVD Flick 1.3.0.7
Easy-WebPrint
EPSON Scan
EPSON SX410 Series Printer Uninstall
EPSON Web-To-Page
GOM Player
Google Earth
Google Earth Plug-in
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Image Resizer Powertoy for Windows XP
Intel(R) PRO Network Connections Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 31
JDownloader
K-Lite Mega Codec Pack 8.0.0
LeapFrog Connect
LeapFrog My Pals Plugin
Magic Bullet Looks Studio
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Transfer Utility Ver.1.5
Nuclear Coffee - VideoGet
P1670 Reference Guide
PC Connectivity Solution
PCHand Video Converter 2.5.1.0
Pinnacle Hollywood FX for Studio
Pinnacle Instant DVD Recorder
Pinnacle Studio 12
Pinnacle Studio 12 Ultimate Plugins
Pinnacle Video Driver
PowerDVD 5.5
Presto! BizCard 4.1 Eng
proDAD Vitascene 1.0
PSP Movie Creator(remove only)
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
SAMSUNG Mobile Composite Device Software
Samsung Mobile Modem Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
Samsung New PC Studio USB Driver Installer
SAMSUNG USB Mobile Device Software
SamsungConnectivityCableDriver
ScanToWeb
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SigmaTel Audio
SlideGo
SMART Notebook
SMART Notebook Express
SMART Product Drivers
SmartSound Quicktracks Plugin
SparkleBox Toolbar
SpeedTouch USB Software
Studio 9
thomas
Thomas New Line
Total Video Converter 3.60 100204
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB 2.0 Wireless LAN Card Utility
Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin)
VideoStudio
Wanadoo Search Toolbar
WebFldrs XP
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell(TM) 1.0
ZENcast Organizer
How far do you want to go with this? I will help you if you want till we either find the cause or deem it best to wipe the drive & reinstall windows - it's up to you.
Some like to get to the bottom of it, learning a few things along the way - Some just want the damn thing working.
The things that can cause this can hide really well & generic scanners just don't detect it - which may mean taking a look at things outside of windows - I can help you with that.
For now, if you want, do this.
Download GMER Rootkit Scanner from here:
http://www.gmer.net/download.php
- Disconnect from the Internet and close all running programs.
- Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
- Double click the .exe file.
- When GMER opens, it will run an initial quick scan. This should only take a few seconds, allow it to complete.
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  - IAT/EAT
  - Drives/Partition other than C:\
  - Show All
- Then click the Scan button & wait for it to finish
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
- Save it where you can easily find it, and post it in your next reply
- Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Rootkit scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Do not use the computer or run any programs while Gmer is running.
Thanks, I'll give that a go.
I guess I need to be pragmatic here. First, is this just an annoyance, or is it potentially damaging? If it is harmful, then I'd like to get rid of it by the most direct route - if that is to wipe Drive C and reinstall Windows then that's fine, although this is not something I have a clue about!
Again, thanks for the ongoing help. I have an early start tomorrow so this may be the last post for this evening.
Cheers,
Andy
> is it potentially damaging?
It could be. Without knowing exactly what it is and what is causing it, it's hard to say to what extent.
It's showing what can be the symptoms of one of the many rootkits doing the rounds. If that's the case then anything could be happening and almost anything is possible without you knowing it.
At the very least your computer could be being used to commit clickfraud - That may explain the weird history showing up.
Hi, sorry for the delay in posting, as the Gmer scan took several hours last night. If this thing might be harmful then I appreciate your help in getting rid of it, and like you say I'm learning a few things along the way!

Gmer wouldn't run in normal Windows operating mode, just opening the program caused an immediate restart. I did get it running in safe mode though. Here's the log...
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-21 06:50:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-f WDC_WD5000AAKS-00V1A0 rev.05.01D05
Running: w4xemjkg.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fwdcaaoc.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Fastfat \Fat F69D1D20
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...
---- EOF - GMER 1.0.15 ----
Thanks, Andy0
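The registry section of the log above is a wall of near-identical `Reg` lines, and what a reviewer actually wants from it is one row per CLSID: which DLL the `InprocServer32` default value loads, the threading model, and the names of any extra opaque binary values. The following Python script is an added example, not part of the original post and not GMER's own code; it parses GMER's `Reg` line format (`Reg <key>` or `Reg <key>@<value name> <data>`, with an empty value name meaning the key's default value), groups entries by CLSID and flags any server whose DLL lives outside `C:\WINDOWS\system32`. The sample input is copied from the posted log, plus one constructed `{00000000-...}` entry that is not in the log and exists only to show what a flagged entry looks like.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input. The first two CLSIDs are copied from the GMER log posted
# above; the {00000000-...} entry is CONSTRUCTED for illustration and does
# not appear in the real log.
SAMPLE_LOG = r"""
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32@ C:\Documents and Settings\Owner\Application Data\example.dll
---- EOF - GMER 1.0.15 ----
"""

# Matches the tail of an InprocServer32 key and captures the braced CLSID.
KEY_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.IGNORECASE)

# Path prefix treated as "system" for triage purposes (XP layout, as in the log).
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


@dataclass
class ComServer:
    clsid: str
    server_path: Optional[str] = None      # InprocServer32 default value: the DLL COM will load
    threading_model: Optional[str] = None
    opaque_values: List[str] = field(default_factory=list)  # names of extra (binary) values

    def is_system_dll(self) -> bool:
        return self.server_path is not None and self.server_path.lower().startswith(SYSTEM32_PREFIX)


def parse_reg_line(line: str) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Split one GMER 'Reg' line into (key, value_name, data).

    value_name is None for a key-only line and '' for the key's default value.
    Assumes the key path itself contains no '@', which holds for GMER output.
    """
    if not line.startswith("Reg "):
        return None
    body = line[4:].strip()
    key, sep, rest = body.partition("@")
    if not sep:
        return key, None, None
    name, _, data = rest.partition(" ")
    return key, name, data.strip()


def parse_gmer_registry(log_text: str) -> Dict[str, ComServer]:
    """Group InprocServer32 Reg lines by CLSID."""
    servers: Dict[str, ComServer] = {}
    for raw in log_text.splitlines():
        parsed = parse_reg_line(raw.strip())
        if parsed is None:
            continue
        key, name, data = parsed
        m = KEY_RE.search(key)
        if not m:
            continue
        entry = servers.setdefault(m.group(1), ComServer(clsid=m.group(1)))
        if name is None:
            continue                      # key-only line, nothing to record
        if name == "":
            entry.server_path = data      # default value = DLL path
        elif name.lower() == "threadingmodel":
            entry.threading_model = data
        else:
            entry.opaque_values.append(name)
    return servers


def triage(servers: Dict[str, ComServer]) -> List[str]:
    """CLSIDs whose server DLL is missing or lives outside system32: check these first."""
    return sorted(clsid for clsid, s in servers.items() if not s.is_system_dll())


if __name__ == "__main__":
    found = parse_gmer_registry(SAMPLE_LOG)
    for clsid, s in found.items():
        flag = "" if s.is_system_dll() else "  <-- outside system32"
        print(f"{clsid}  {s.server_path}  [{s.threading_model}]  "
              f"opaque values: {len(s.opaque_values)}{flag}")
    print("flagged:", triage(found))
```

Run against the full log posted above, all thirteen CLSIDs resolve to `C:\WINDOWS\system32\OLE32.DLL`, so `triage()` returns an empty list for the real data; only the constructed entry is flagged. A system32 path is a triage filter, not a clean bill of health: a DLL in that directory can still be replaced or patched, so the next step for any entry you care about is hashing the file on disk and comparing against a known-good copy. GMER truncates the binary data with `...`, so the script records only the names of those opaque values, not their contents.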
This discussion has been closed.