Everything posted by nfsme

  1. Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 3:47:33 PM, on 8/12/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16876)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\PRISMSVR.EXE
     C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE
     C:\Documents and Settings\Hil\Desktop\HiJackThis.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
     R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
     O1 - Hosts: ::1 localhost
     O1 - Hosts: 208.43.47.212 a1.review.zdnet.com
     O1 - Hosts: 208.43.47.212 reviews.riverstreams.co.uk
     O1 - Hosts: 208.43.47.212 d1.reviews.cnet.com
     O1 - Hosts: 208.43.47.212 review.2009softwarereviews.com
     O1 - Hosts: 208.43.47.212 reviews.download.com
     O1 - Hosts: 208.43.47.212 reviews.pcadvisor.co.uk
     O1 - Hosts: 208.43.47.212 reviews.pcmag.com
     O1 - Hosts: 208.43.47.212 reviews.pcpro.co.uk
     O1 - Hosts: 208.43.47.212 reviews.techradar.com
     O1 - Hosts: 208.43.47.212 toptenreviews.com
     O1 - Hosts: 208.43.47.212 www.reevoo.com
     O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
     O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
     O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
     O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
     O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
     O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
     O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
     O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
     O2 - BHO: Net Games Toolbar - {8a6264b5-a8f2-494b-8f37-cf898a763e42} - C:\Program Files\Net_Games\tbNet1.dll
     O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
     O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
     O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
     O3 - Toolbar: Net Games Toolbar - {8a6264b5-a8f2-494b-8f37-cf898a763e42} - C:\Program Files\Net_Games\tbNet1.dll
     O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
     O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
     O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
     O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
     O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/snailmail...gwebinstall.cab
     O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
     O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
     O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
     O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe
     O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfr...outLauncher.cab
     O17 - HKLM\System\CCS\Services\Tcpip\..\{34A571C2-88F4-4D5D-A066-07AE82AACB9F}: NameServer = 192.168.1.1
     O17 - HKLM\System\CS1\Services\Tcpip\..\{34A571C2-88F4-4D5D-A066-07AE82AACB9F}: NameServer = 192.168.1.1
     O17 - HKLM\System\CS2\Services\Tcpip\..\{34A571C2-88F4-4D5D-A066-07AE82AACB9F}: NameServer = 192.168.1.1
     O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
     O18 - Filter hijack: text/html - {9f7d088e-b35b-4fce-bff1-005ca02033db} - C:\WINDOWS\system32\xwreg32.dll

     --
     End of file - 6945 bytes

     ----------------------------------------------------------------------

     ComboFix 09-08-10.06 - Hil 08/12/2009 17:31.3.2 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.562 [GMT -4:00]
     Running from: c:\documents and settings\Hil\Desktop\Combo-Fix.exe
     AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
     FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
      * WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\documents and settings\Hil\wsdt.exe
     c:\program files\PeoplePC\Toolbar\PPCToolbar.dll

     .
     ((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
     .

     2009-08-12 21:29 . 2009-08-12 21:30 -------- d-----w- C:\32788R22FWJFW
     2009-08-11 15:55 . 2009-08-06 13:19 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\EECTRL.SYS
     2009-08-11 15:55 . 2009-08-06 13:19 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\ERASER.SYS
     2009-08-11 15:55 . 2009-08-06 13:19 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVENG32.DLL
     2009-08-11 15:55 . 2009-08-06 13:19 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVEX32A.DLL
     2009-08-11 15:55 . 2009-08-06 13:19 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\ECMSVR32.DLL
     2009-08-11 15:55 . 2009-08-06 13:19 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\CCERASER.DLL
     2009-08-11 15:55 . 2009-08-05 08:00 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVENG.SYS
     2009-08-11 15:55 . 2009-08-05 08:00 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVEX15.SYS
     2009-08-09 12:23 . 2009-08-09 12:23 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
     2009-08-08 15:09 . 2009-08-08 15:10 1402418 ----a-w- c:\documents and settings\All Users\Application Data\gav\GAVBi.exe
     2009-08-08 15:08 . 2009-08-11 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\gav
     2009-08-07 21:28 . 2009-08-07 21:28 966144 ----a-w- c:\documents and settings\All Users\Application Data\gav\gav.exe
     2009-08-07 07:34 . 2009-08-07 07:34 331791 ----a-w- c:\documents and settings\All Users\Application Data\gav\wsdt05.exe
     2009-08-06 17:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys
     2009-08-06 17:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\Scxpx86.dll
     2009-08-06 17:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSvix86.sys
     2009-08-06 17:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSxpx86.dll
     2009-08-06 17:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSviA64.sys
     2009-08-06 13:20 . 2009-01-15 16:19 23848 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
     2009-08-06 13:20 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
     2009-08-06 13:19 . 2009-08-06 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
     2009-08-06 13:19 . 2009-08-06 13:19 -------- d-----w- c:\documents and settings\Hil\Local Settings\Application Data\Downloaded Installations
     2009-08-06 13:19 . 2009-08-06 13:19 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
     2009-08-06 13:19 . 2009-08-06 13:19 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
     2009-08-06 13:19 . 2009-08-06 13:19 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
     2009-08-06 13:19 . 2009-08-06 13:19 -------- d-----w- c:\program files\Symantec
     2009-08-06 13:19 . 2009-08-06 13:19 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
     2009-08-06 13:19 . 2009-08-06 13:19 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
     2009-08-06 13:19 . 2009-08-06 13:19 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
     2009-08-06 13:18 . 2009-08-06 13:18 -------- d-----w- c:\windows\system32\drivers\N360
     2009-08-06 13:18 . 2009-08-06 13:19 -------- d-----w- c:\program files\Norton 360
     2009-08-06 13:18 . 2009-08-06 13:18 -------- d-----w- c:\program files\Windows Sidebar
     2009-08-06 13:18 . 2009-08-06 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
     2009-08-06 13:17 . 2009-08-06 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
     2009-08-06 13:17 . 2009-08-06 13:17 -------- d-----w- c:\program files\NortonInstaller
     2009-08-03 23:17 . 2009-08-03 23:17 -------- d-----w- c:\windows\Progress Data
     2009-08-03 23:08 . 2009-08-03 23:08 -------- d-----w- c:\program files\VTech
     2009-08-01 16:57 . 2009-08-11 11:45 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
     2009-08-01 16:14 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-08-01 16:14 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-08-01 16:14 . 2009-08-11 22:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-08-01 04:47 . 2009-08-01 18:31 -------- d-----w- c:\program files\kciqbe
     2009-07-22 08:02 . 2009-08-11 22:30 -------- d-----w- c:\program files\Shared
     2009-07-17 01:21 . 2009-07-17 01:56 -------- d-----w- c:\program files\Race The World
     2009-07-17 01:18 . 2009-08-12 20:10 -------- d-----w- c:\program files\Hot Wheels

     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-08-12 19:49 . 2009-05-09 20:03 -------- d-----w- c:\program files\Net_Games
     2009-08-12 19:49 . 2008-02-27 13:52 -------- d-----w- c:\program files\Google
     2009-08-12 04:27 . 2005-08-07 15:35 74064 ----a-w- c:\documents and settings\Hil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-08-09 12:23 . 2004-08-04 10:00 578560 ----a-w- c:\windows\system32\user32.DLL
     2009-08-06 22:19 . 2005-07-08 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
     2009-08-06 18:06 . 2009-05-09 20:03 -------- d-----w- c:\program files\Net-Games.biz
     2009-08-06 14:11 . 2005-07-08 14:30 -------- d-----w- c:\program files\Common Files\Symantec Shared
     2009-08-06 13:19 . 2009-08-06 13:19 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
     2009-08-06 13:19 . 2009-08-06 13:19 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
     2009-08-03 23:08 . 2005-07-08 14:18 -------- d--h--w- c:\program files\InstallShield Installation Information
     2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
     2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
     2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
     2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
     2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
     2009-06-29 16:20 . 2007-09-20 17:08 585 ----a-w- c:\windows\PowerReg.dat
     2009-06-29 16:12 . 2004-08-04 10:00 827392 ----a-w- c:\windows\system32\wininet.dll
     2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
     2009-06-29 16:12 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
     2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
     2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
     2009-06-15 19:36 . 2009-06-15 19:36 -------- d-----w- c:\documents and settings\Hil\Application Data\Malwarebytes
     2009-06-15 19:36 . 2009-06-15 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
     2002-07-26 22:02 . 2008-09-09 22:20 153088 ----a-w- c:\program files\UNWISE.EXE

     .
     ((((((((((((((((((((((((((((( SnapShot@2009-08-12_19.55.02 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2009-08-12 20:15 . 2009-08-12 20:15 16384 c:\windows\temp\Perflib_Perfdata_dc.dat
     + 2005-07-08 14:09 . 2009-08-12 20:19 54280 c:\windows\SYSTEM32\PERFC009.DAT
     - 2005-07-08 14:09 . 2009-08-12 04:29 54280 c:\windows\SYSTEM32\PERFC009.DAT
     + 2005-07-08 14:09 . 2009-08-12 20:19 384596 c:\windows\SYSTEM32\PERFH009.DAT
     - 2005-07-08 14:09 . 2009-08-12 04:29 384596 c:\windows\SYSTEM32\PERFH009.DAT
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
     @="FSFilter Activity Monitor"

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
     "c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
     "c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
     "c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
     "c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

     R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0300000.087\SymEFA.sys [8/6/2009 9:19 AM 310320]
     R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\N360\0300000.087\BHDrvx86.sys [8/6/2009 9:19 AM 258608]
     R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0300000.087\cchpx86.sys [8/6/2009 9:19 AM 482352]
     R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys [8/6/2009 1:34 PM 276344]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/11/2009 11:55 AM 101936]
     S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [8/6/2009 9:19 AM 115560]
     S4 PRISMSVC;PRISMSVC;c:\windows\SYSTEM32\PRISMSVC.exe [7/8/2005 10:18 AM 57344]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
     .
     .
     ------- Supplementary Scan -------
     .
     uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
     .

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-08-12 17:38
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
     "ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(1092)
     c:\windows\system32\Ati2evxx.dll
     c:\windows\system32\PRISMAPI.dll
     .
     Completion time: 2009-08-12 17:42
     ComboFix-quarantined-files.txt 2009-08-12 21:42
     ComboFix2.txt 2009-08-12 20:04

     Pre-Run: 180,856,963,072 bytes free
     Post-Run: 180,836,384,768 bytes free

     225 --- E O F --- 2009-08-01 16:43
  2. Nope... but found gav.exe in c:\documents and settings\all user\application data\gav... also was in the registry.... Removed from both locations.
  3. Did as directed. Is the virus gone? How do I keep from getting it again? Attaching logs.
  4. I got a PC that has that green antivirus on it. It looks and acts just like all the other rogue antiviruses/fakeware, but when I scan for it, it is not detected.... I have used Stinger, Norton 360 and Malwarebytes... none of them detect it, but it is there... I could probably follow the registry keys and find the files and delete them, but I need to be sure it is gone... Any info would be helpful.