kaidius
Kenny, thank you for your help. This afternoon I wiped the drive clean and am installing the OS again. This was some of the worst malware I've ever seen. Thanks again for your work and time. Matt.
-
SmitFraudFix v2.423
Scan done at 16:34:51.39, Tue 08/11/2009
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
-
SmitFraudFix v2.423
Scan done at 15:34:45.09, Tue 08/11/2009
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
-
Also did a rescan again with Malwarebytes, and that one reg entry is still there: HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO). For some reason, when it tells me to reboot, Malwarebytes doesn't auto reboot; I have to do it manually. Is that normal? Thank you once again for your time. -Matt.
-
Malwarebytes' Anti-Malware 1.40
Database version: 2589
Windows 5.1.2600 Service Pack 2

8/11/2009 8:02:36 AM
mbam-log-2009-08-11 (08-02-36).txt

Scan type: Quick Scan
Objects scanned: 105514
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\i899.i899mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix 09-08-10.01 - Owner 08/10/2009 18:13.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.559 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
 * Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.
2009-08-10 13:37 . 2009-08-10 13:37 -------- d-----w- c:\program files\Trend Micro
2009-08-10 01:12 . 2009-08-10 01:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-08-09 23:36 . 2009-08-09 23:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-09 23:30 . 2009-08-10 03:21 878481 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-08-09 22:20 . 2009-08-10 03:22 -------- d-----w- c:\program files\COMODO
2009-08-08 09:01 . 2009-08-08 09:01 -------- d-----w- c:\windows\ie8updates
2009-08-08 03:09 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-08 03:09 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-07 23:23 . 2009-08-07 23:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-07 23:22 . 2009-08-07 23:22 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-06 05:18 . 2009-08-08 19:37 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-06 04:57 . 2009-07-24 15:55 1090816 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-08-06 04:55 . 2009-08-06 04:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 04:55 . 2009-08-06 04:55 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-06 04:55 . 2009-08-06 04:55 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 04:55 . 2009-08-06 04:55 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-06 04:55 . 2009-08-11 00:05 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-06 04:55 . 2009-08-06 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-06 04:54 . 2009-08-06 04:54 -------- d-----w- c:\program files\AVG
2009-08-06 04:54 . 2009-08-06 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-06 04:54 . 2009-08-06 05:01 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-06 04:32 . 2009-08-06 04:32 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-08-06 04:29 . 2009-08-06 04:29 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-08-06 04:15 . 2009-08-06 04:15 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-08-06 00:07 . 2009-08-06 00:07 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-05 23:58 . 2009-08-05 23:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-05 23:58 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-05 23:58 . 2009-08-05 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-05 23:58 . 2009-08-05 23:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 23:58 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 23:45 . 2009-08-05 23:45 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-08-05 23:37 . 2009-08-05 23:39 -------- dc-h--w- c:\windows\ie8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 01:12 . 2009-03-24 14:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-09 23:49 . 2009-03-24 15:57 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-06 05:23 . 2009-01-28 05:16 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-08-06 04:38 . 2005-11-27 12:42 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-06 04:36 . 2005-11-27 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-06 04:18 . 2006-04-15 15:30 -------- d-----w- c:\documents and settings\Owner\Application Data\Lavasoft
2009-08-06 01:41 . 2007-01-26 00:44 -------- d-----w- c:\program files\MSN Messenger
2009-07-28 04:44 . 2009-03-23 19:14 -------- d-----w- c:\documents and settings\Janel\Application Data\HPAppData
2009-07-28 04:29 . 2007-08-22 20:09 -------- d-----w- c:\documents and settings\Janel\Application Data\MSN6
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 04:40 . 2009-06-12 04:31 1915520 ----a-w- c:\documents and settings\Janel\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 15:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-06 2000152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Canon PC1200 iC D600 iR1200G Status Window.LNK - c:\windows\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE [2009-3-18 38464]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-06 04:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/5/2009 10:55 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/5/2009 10:55 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 11:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/5/2009 10:54 PM 297752]
S2 RapidPortM1;RapidPortM1;c:\windows\system32\drivers\CAPM1LP.SYS [3/18/2009 12:00 PM 22912]
S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [12/31/2005 12:59 AM 29952]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-08-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q305&bd=pavilion&pf=laptop
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
IE: &Search
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 18:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs]
@DACL=(02 0000)
@="{A9571378-68A1-443d-B082-284F960C6D17}"

[HKEY_LOCAL_MACHINE\software\Classes\i899.i899mgr\CLSID]
@DACL=(02 0000)
@="{5FF186E7-0957-4095-8A2C-577CE6EA1B1F}"

[HKEY_LOCAL_MACHINE\software\Classes\i899.i899mgr\CurVer]
@DACL=(02 0000)
@="i899.i899mgr.1"

[HKEY_LOCAL_MACHINE\software\Classes\i899.i899mgr.1\CLSID]
@DACL=(02 0000)
@="{5FF186E7-0957-4095-8A2C-577CE6EA1B1F}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0]
@DACL=(02 0000)
@="887164 1.0 Type Library"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2009-08-11 18:21
ComboFix-quarantined-files.txt 2009-08-11 00:21
ComboFix2.txt 2009-08-10 03:59

Pre-Run: 68,093,698,048 bytes free
Post-Run: 68,051,210,240 bytes free

238 --- E O F --- 2009-08-10 13:09

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:12 AM, on 8/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CAPM1RSK.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

--
End of file - 8831 bytes
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpsapp.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqcopy2.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxs08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpse.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqsudi.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"= 
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/5/2009 10:55 PM 335240] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/5/2009 10:55 PM 108552] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 11:43 AM 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 74480] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/5/2009 10:54 PM 297752] S2 RapidPortM1;RapidPortM1;c:\windows\system32\drivers\CAPM1LP.SYS [3/18/2009 12:00 PM 22912] S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [12/31/2005 12:59 AM 29952] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57] 2009-08-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.ca/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q305&bd=pavilion&pf=laptop uInternet Settings,ProxyServer = http=localhost:7171 uInternet Settings,ProxyOverride = *.local;<local> uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR IE: &Search IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-10 18:18 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs] @DACL=(02 0000) @="{A9571378-68A1-443d-B082-284F960C6D17}" [HKEY_LOCAL_MACHINE\software\Classes\i899.i899mgr\CLSID] @DACL=(02 0000) @="{5FF186E7-0957-4095-8A2C-577CE6EA1B1F}" [HKEY_LOCAL_MACHINE\software\Classes\i899.i899mgr\CurVer] @DACL=(02 0000) @="i899.i899mgr.1" [HKEY_LOCAL_MACHINE\software\Classes\i899.i899mgr.1\CLSID] @DACL=(02 0000) @="{5FF186E7-0957-4095-8A2C-577CE6EA1B1F}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid] @DACL=(02 0000) @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32] @DACL=(02 0000) @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib] @DACL=(02 0000) @="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0] @DACL=(02 0000) @="887164 1.0 Type Library" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] @DACL=(02 0000) "Installed"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] @DACL=(02 0000) "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] @DACL=(02 0000) "Installed"="1" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(696) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll c:\windows\system32\igfxsrvc.dll c:\windows\system32\hccutils.DLL . 
Completion time: 2009-08-11 18:21 ComboFix-quarantined-files.txt 2009-08-11 00:21 ComboFix2.txt 2009-08-10 03:59 Pre-Run: 68,093,698,048 bytes free Post-Run: 68,051,210,240 bytes free 238 --- E O F --- 2009-08-10 13:09
-
Here is the ComboFix log you asked for. Thank you for your time, I appreciate it. ComboFix.txt
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:39 AM, on 8/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 66.38.215.115 kazza.com
O1 - Hosts: 66.38.215.115 www.kazza.com
O1 - Hosts: 66.38.215.115 kaza.com
O1 - Hosts: 66.38.215.115 www.kaza.com
O1 - Hosts: 66.38.215.115 kaaza.com
O1 - Hosts: 66.38.215.115 www.kaaza.com
O1 - Hosts: 66.38.215.115 kahza.com
O1 - Hosts: 66.38.215.115 www.kahza.com
O1 - Hosts: 66.38.215.115 edonkey.com
O1 - Hosts: 66.38.215.115 www.edonkey.com
O1 - Hosts: 66.38.215.115 emule.com
O1 - Hosts: 66.38.215.115 www.emule.com
O1 - Hosts: 66.38.215.115 suprnova.com
O1 - Hosts: 66.38.215.115 www.suprnova.com
O1 - Hosts: 64.124.166.37 klite.com
O1 - Hosts: 64.124.166.37 www.klite.com
O1 - Hosts: 64.124.166.37 k-lite.com
O1 - Hosts: 64.124.166.37 www.k-lite.com
O1 - Hosts: 64.124.166.37 kazaalite.com
O1 - Hosts: 64.124.166.37 www.kazzalite.com
O1 - Hosts: 64.124.166.37 kazalite.com
O1 - Hosts: 64.124.166.37 www.kazalite.com
O1 - Hosts: 64.124.166.37 kaazalite.com
O1 - Hosts: 64.124.166.37 www.kaazalite.com
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

--
End of file - 9529 bytes
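Added example, not part of the thread and not code from HijackThis, ComboFix or Malwarebytes: a small Python triage script for the two logs posted in this thread, the HijackThis log above and the ComboFix log earlier. It pulls out what a responder would act on first: the IE proxy pointed at a local port (`http=localhost:7171`), hosts-file entries that redirect rather than block, browser hooks and services whose file is gone, Security Center monitoring and the Windows Firewall switched off by registry value, and the keys ComboFix lists under LOCKED REGISTRY KEYS. It also maps the HKCR path MBAM keeps reporting onto ComboFix's HKLM\Software\Classes view to show the two are the same key. The sample lines are constructed from the logs on this page; the line formats the regexes expect are the ones visible here and are an assumption for other tool versions.

```python
"""Triage for HijackThis and ComboFix log lines (added example for this thread,
not part of HijackThis, ComboFix or Malwarebytes).  Sample lines are constructed
from the logs posted above; the formats assumed are the ones visible there."""
from __future__ import annotations

import re
from dataclasses import dataclass

LOCAL_PROXY_HOSTS = {"localhost", "127.0.0.1", "::1"}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}  # hosts entries to these block a name; any other IP redirects it

# Constructed sample: representative lines from the HijackThis log above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 66.38.215.115 kazza.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Constructed sample: lines from the ComboFix log earlier in the thread.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\i899.i899mgr\CLSID]
@DACL=(02 0000)
@="{5FF186E7-0957-4095-8A2C-577CE6EA1B1F}"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0]
@DACL=(02 0000)
@="887164 1.0 Type Library"
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    item: str      # the log line or registry key the finding is about
    reason: str


def triage_hijackthis(text: str) -> list[Finding]:
    """Walk the Rn/On entries of a HijackThis log and keep the ones worth a look."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = re.match(r"^(R\d|O\d+) - (.*)$", line.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind == "R1" and ",ProxyServer = " in body:
            # "http=localhost:7171": every IE request is funnelled through a local listener
            value = body.split("= ", 1)[1]
            host = value.split("=")[-1].rsplit(":", 1)[0]
            if host.lower() in LOCAL_PROXY_HOSTS:
                findings.append(Finding("high", line, "IE proxied through a local port; identify the listener"))
        elif kind == "O1":
            ip, host = body.split(":", 1)[1].split()[:2]  # "Hosts: 66.38.215.115 kazza.com"
            if ip not in SINKHOLE_IPS:
                findings.append(Finding("medium", line, f"hosts file redirects {host} to {ip}"))
        elif kind in ("R3", "O2", "O3") and "(no file)" in body:
            findings.append(Finding("low", line, "orphaned browser hook: registry entry without its DLL"))
        elif kind == "O23" and "(file missing)" in body:
            findings.append(Finding("low", line, "service registered but its binary is missing"))
    return findings


def triage_combofix(text: str) -> list[Finding]:
    """Flag disabled Security Center/firewall values and keys ComboFix could not open."""
    findings: list[Finding] = []
    current_key = None
    in_locked_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if "LOCKED REGISTRY KEYS" in line:
            in_locked_section = True
        elif line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key is None:
            continue
        elif in_locked_section and line.startswith("@DACL="):
            findings.append(Finding("high", current_key, f"key locked, DACL {line[6:]}: normal tools cannot open or delete it"))
        elif re.fullmatch(r'"DisableMonitoring"=dword:0*1', line) and "security center" in current_key.lower():
            findings.append(Finding("medium", current_key, "Security Center monitoring switched off"))
        elif re.fullmatch(r'"EnableFirewall"=\s*0\b.*', line) and "firewallpolicy" in current_key.lower():
            findings.append(Finding("medium", current_key, "Windows Firewall disabled for this profile"))
    return findings


def mbam_key_is_locked(mbam_key: str, combofix_findings: list[Finding]) -> bool:
    r"""True if a key MBAM reports (as an HKCR path) sits under a key ComboFix listed as locked.
    HKCR is a merged view of HKLM\Software\Classes (plus HKCU\Software\Classes), so normalise first."""
    norm = mbam_key.lower().replace("hkey_classes_root\\", "hkey_local_machine\\software\\classes\\")
    locked = [f.item.lower() for f in combofix_findings if f.reason.startswith("key locked")]
    return any(k == norm or k.startswith(norm + "\\") for k in locked)


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    return {s: sum(f.severity == s for f in findings) for s in ("high", "medium", "low")}


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT) + triage_combofix(SAMPLE_COMBOFIX):
        print(f"[{f.severity:>6}] {f.reason}: {f.item}")
```

Two results matter more than the rest. The proxy setting sends all of IE's HTTP traffic to something listening on port 7171 on the machine itself, so `netstat -ano` to find the owning PID is the first thing to run. And the TypeLib key that MBAM keeps marking "Delete on reboot" is one ComboFix reports as locked, which is the likeliest reason the deletion never takes: the key's permissions have to be reset (take ownership as Administrator and grant Full Control, for example through the Permissions dialog in regedit) before any scanner can remove it.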
-
Hi, here is the log you asked for. Thank you for your help. HJTlog.txt
-
Hello, I'm working on a buddy's computer. I installed AVG, got rid of a few viruses and used Malwarebytes to get most of the spyware/malware, but cannot seem to get rid of Trojan.BHO, a reg entry, no matter what I try. Any help would be great. Thanks. mbam_log_2009_08_09__22_48_34_.txt