Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:33 PM, on 8/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE
C:\Documents and Settings\Hil\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O1 - Hosts: ::1 localhost
O1 - Hosts: 208.43.47.212 a1.review.zdnet.com
O1 - Hosts: 208.43.47.212 reviews.riverstreams.co.uk
O1 - Hosts: 208.43.47.212 d1.reviews.cnet.com
O1 - Hosts: 208.43.47.212 review.2009softwarereviews.com
O1 - Hosts: 208.43.47.212 reviews.download.com
O1 - Hosts: 208.43.47.212 reviews.pcadvisor.co.uk
O1 - Hosts: 208.43.47.212 reviews.pcmag.com
O1 - Hosts: 208.43.47.212 reviews.pcpro.co.uk
O1 - Hosts: 208.43.47.212 reviews.techradar.com
O1 - Hosts: 208.43.47.212 toptenreviews.com
O1 - Hosts: 208.43.47.212 www.reevoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: Net Games Toolbar - {8a6264b5-a8f2-494b-8f37-cf898a763e42} - C:\Program Files\Net_Games\tbNet1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Net Games Toolbar - {8a6264b5-a8f2-494b-8f37-cf898a763e42} - C:\Program Files\Net_Games\tbNet1.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/snailmail...gwebinstall.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfr...outLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34A571C2-88F4-4D5D-A066-07AE82AACB9F}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{34A571C2-88F4-4D5D-A066-07AE82AACB9F}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{34A571C2-88F4-4D5D-A066-07AE82AACB9F}: NameServer = 192.168.1.1
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O18 - Filter hijack: text/html - {9f7d088e-b35b-4fce-bff1-005ca02033db} - C:\WINDOWS\system32\xwreg32.dll

--
End of file - 6945 bytes

------------------------------------------------------------------------

ComboFix 09-08-10.06 - Hil 08/12/2009 17:31.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.562 [GMT -4:00]
Running from: c:\documents and settings\Hil\Desktop\Combo-Fix.exe
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Hil\wsdt.exe
c:\program files\PeoplePC\Toolbar\PPCToolbar.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2009-08-12 21:29 . 2009-08-12 21:30 -------- d-----w- C:\32788R22FWJFW
2009-08-11 15:55 . 2009-08-06 13:19 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\EECTRL.SYS
2009-08-11 15:55 . 2009-08-06 13:19 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\ERASER.SYS
2009-08-11 15:55 . 2009-08-06 13:19 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVENG32.DLL
2009-08-11 15:55 . 2009-08-06 13:19 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVEX32A.DLL
2009-08-11 15:55 . 2009-08-06 13:19 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\ECMSVR32.DLL
2009-08-11 15:55 . 2009-08-06 13:19 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\CCERASER.DLL
2009-08-11 15:55 . 2009-08-05 08:00 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVENG.SYS
2009-08-11 15:55 . 2009-08-05 08:00 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVEX15.SYS
2009-08-09 12:23 . 2009-08-09 12:23 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-08-08 15:09 . 2009-08-08 15:10 1402418 ----a-w- c:\documents and settings\All Users\Application Data\gav\GAVBi.exe
2009-08-08 15:08 . 2009-08-11 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\gav
2009-08-07 21:28 . 2009-08-07 21:28 966144 ----a-w- c:\documents and settings\All Users\Application Data\gav\gav.exe
2009-08-07 07:34 . 2009-08-07 07:34 331791 ----a-w- c:\documents and settings\All Users\Application Data\gav\wsdt05.exe
2009-08-06 17:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys
2009-08-06 17:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\Scxpx86.dll
2009-08-06 17:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSvix86.sys
2009-08-06 17:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSxpx86.dll
2009-08-06 17:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSviA64.sys
2009-08-06 13:20 . 2009-01-15 16:19 23848 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-06 13:20 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-08-06 13:19 . 2009-08-06 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-06 13:19 . 2009-08-06 13:19 -------- d-----w- c:\documents and settings\Hil\Local Settings\Application Data\Downloaded Installations
2009-08-06 13:19 . 2009-08-06 13:19 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-06 13:19 . 2009-08-06 13:19 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-06 13:19 . 2009-08-06 13:19 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-06 13:19 . 2009-08-06 13:19 -------- d-----w- c:\program files\Symantec
2009-08-06 13:19 . 2009-08-06 13:19 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-08-06 13:19 . 2009-08-06 13:19 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-08-06 13:19 . 2009-08-06 13:19 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-08-06 13:18 . 2009-08-06 13:18 -------- d-----w- c:\windows\system32\drivers\N360
2009-08-06 13:18 . 2009-08-06 13:19 -------- d-----w- c:\program files\Norton 360
2009-08-06 13:18 . 2009-08-06 13:18 -------- d-----w- c:\program files\Windows Sidebar
2009-08-06 13:18 . 2009-08-06 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-06 13:17 . 2009-08-06 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-06 13:17 . 2009-08-06 13:17 -------- d-----w- c:\program files\NortonInstaller
2009-08-03 23:17 . 2009-08-03 23:17 -------- d-----w- c:\windows\Progress Data
2009-08-03 23:08 . 2009-08-03 23:08 -------- d-----w- c:\program files\VTech
2009-08-01 16:57 . 2009-08-11 11:45 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-01 16:14 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 16:14 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 16:14 . 2009-08-11 22:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 04:47 . 2009-08-01 18:31 -------- d-----w- c:\program files\kciqbe
2009-07-22 08:02 . 2009-08-11 22:30 -------- d-----w- c:\program files\Shared
2009-07-17 01:21 . 2009-07-17 01:56 -------- d-----w- c:\program files\Race The World
2009-07-17 01:18 . 2009-08-12 20:10 -------- d-----w- c:\program files\Hot Wheels

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 19:49 . 2009-05-09 20:03 -------- d-----w- c:\program files\Net_Games
2009-08-12 19:49 . 2008-02-27 13:52 -------- d-----w- c:\program files\Google
2009-08-12 04:27 . 2005-08-07 15:35 74064 ----a-w- c:\documents and settings\Hil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 12:23 . 2004-08-04 10:00 578560 ----a-w- c:\windows\system32\user32.DLL
2009-08-06 22:19 . 2005-07-08 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-06 18:06 . 2009-05-09 20:03 -------- d-----w- c:\program files\Net-Games.biz
2009-08-06 14:11 . 2005-07-08 14:30 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-06 13:19 . 2009-08-06 13:19 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-06 13:19 . 2009-08-06 13:19 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-03 23:08 . 2005-07-08 14:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-06-29 16:20 . 2007-09-20 17:08 585 ----a-w- c:\windows\PowerReg.dat
2009-06-29 16:12 . 2004-08-04 10:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 19:36 . 2009-06-15 19:36 -------- d-----w- c:\documents and settings\Hil\Application Data\Malwarebytes
2009-06-15 19:36 . 2009-06-15 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2002-07-26 22:02 . 2008-09-09 22:20 153088 ----a-w- c:\program files\UNWISE.EXE

.
((((((((((((((((((((((((((((( SnapShot@2009-08-12_19.55.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-12 20:15 . 2009-08-12 20:15 16384 c:\windows\temp\Perflib_Perfdata_dc.dat
+ 2005-07-08 14:09 . 2009-08-12 20:19 54280 c:\windows\SYSTEM32\PERFC009.DAT
- 2005-07-08 14:09 . 2009-08-12 04:29 54280 c:\windows\SYSTEM32\PERFC009.DAT
+ 2005-07-08 14:09 . 2009-08-12 20:19 384596 c:\windows\SYSTEM32\PERFH009.DAT
- 2005-07-08 14:09 . 2009-08-12 04:29 384596 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0300000.087\SymEFA.sys [8/6/2009 9:19 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\N360\0300000.087\BHDrvx86.sys [8/6/2009 9:19 AM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0300000.087\cchpx86.sys [8/6/2009 9:19 AM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys [8/6/2009 1:34 PM 276344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/11/2009 11:55 AM 101936]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [8/6/2009 9:19 AM 115560]
S4 PRISMSVC;PRISMSVC;c:\windows\SYSTEM32\PRISMSVC.exe [7/8/2005 10:18 AM 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 17:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\PRISMAPI.dll
.
Completion time: 2009-08-12 17:42
ComboFix-quarantined-files.txt 2009-08-12 21:42
ComboFix2.txt 2009-08-12 20:04

Pre-Run: 180,856,963,072 bytes free
Post-Run: 180,836,384,768 bytes free

225 --- E O F --- 2009-08-01 16:43