
Vundo infection HijackThis log



My daughter's PC got infected with Vundo and god knows what else. Unfortunately, I am 1000 miles away and trying to help her remotely when she has no internet connection due to the condition of her machine. I had her run Malwarebytes and here is the log:

Malwarebytes' Anti-Malware 1.34

Database version: 1749

Windows 5.1.2600 Service Pack 3

3/26/2009 2:51:11 PM

mbam-log-2009-03-26 (14-51-11).txt

Scan type: Full Scan (C:\|D:\|K:\|)

Objects scanned: 197455

Time elapsed: 2 hour(s), 41 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00a1328 (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\__c00A1328.dat (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c0019F4D.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c002ED49.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c0032ACC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c00627C9.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c00AFB2A.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c00B4670.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c00B5A6E.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

After that, a second run of Malwarebytes was clean but her machine still won't function properly. I'm not sure if Windows is damaged or if it is something else that can be determined from the HijackThis log below:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:48:41 PM, on 3/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Compaq_Owner\Desktop\windows-kb890830-v2.8.exe

c:\05edb98892f004a482b4b25b07ff\mrtstub.exe

C:\WINDOWS\system32\MRT.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [stxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [A00F7620D8.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F7620D8.exe

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)

O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200361035125

O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 9350 bytes

Thank you.


  • Staff

Hi,

First of all, please update MalwareBytes, because the database version is outdated.

  • Start MalwareBytes and click the Update tab. There, click "Check for updates".
  • Once the updates are downloaded, perform a full scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Sorry for the delay in getting new logs posted. Here is the MalwareBytes Log (a second run was clean):

Malwarebytes' Anti-Malware 1.35

Database version: 1904

Windows 5.1.2600 Service Pack 3

3/30/2009 12:51:12 PM

mbam-log-2009-03-30 (12-51-12).txt

Scan type: Full Scan (C:\|)

Objects scanned: 206835

Time elapsed: 2 hour(s), 22 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:57:29 PM, on 3/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [stxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes\mbamgui.exe /install /silent

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [A00F7620D8.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F7620D8.exe

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)

O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200361035125

O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 9472 bytes

Thank you for your continued help.


  • Staff

Hi,

The above HijackThis log is from Windows safe mode. Not sure why you're in Windows safe mode anyway.

Please reboot your computer back to normal mode, because malwarebytes needs to finish a job after reboot and this will only work from Windows normal mode.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


I had my daughter download and run combofix. She ran it twice because the first time it was accidentally run from the USB flash device and the machine may have still been in safe mode. The second time it was run from C: and the machine was definitely in normal mode. Sorry if this makes anything more difficult to debug.

Note: She is still unable to access the internet and I don't know if that is due to damage to Windows, issues with her ISP or Malware.

----------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix Run 1:

ComboFix 09-03-31.01 - Compaq_Owner 2009-03-31 19:05:21.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.111 [GMT -6:00]

Running from: L:\ComboFix.exe

AV: Norton 360 *On-access scanning disabled* (Outdated)

FW: Norton 360 *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

D:\Autorun.inf

K:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))

.

2009-03-27 12:47 . 2009-03-27 12:47 <DIR> d-------- c:\program files\Trend Micro

2009-03-26 23:31 . 2009-03-26 23:31 <DIR> d--hs---- c:\windows\ftpcache

2009-03-26 23:31 . 2009-03-26 23:31 917,504 --a------ c:\windows\system32\FLASH.OCX

2009-03-26 21:34 . 2001-08-31 12:00 27,296 --a------ c:\windows\system32\drivers\PERC2.SYS

2009-03-26 21:34 . 2001-08-31 12:00 27,296 --a------ c:\windows\system32\dllcache\perc2.sys

2009-03-26 21:34 . 2001-08-31 12:00 19,072 --a------ c:\windows\system32\drivers\SPARROW.SYS

2009-03-26 21:34 . 2001-08-31 12:00 19,072 --a------ c:\windows\system32\dllcache\sparrow.sys

2009-03-26 21:34 . 2001-08-31 12:00 17,280 --a------ c:\windows\system32\drivers\MRAID35X.SYS

2009-03-26 21:34 . 2001-08-31 12:00 17,280 --a------ c:\windows\system32\dllcache\mraid35x.sys

2009-03-26 21:34 . 2001-08-31 12:00 5,504 --a------ c:\windows\system32\drivers\PERC2HIB.SYS

2009-03-26 21:34 . 2001-08-31 12:00 5,504 --a------ c:\windows\system32\dllcache\perc2hib.sys

2009-03-26 21:33 . 2008-04-13 11:40 34,688 --a------ c:\windows\system32\drivers\lbrtfdc.sys

2009-03-26 21:33 . 2008-04-13 11:40 34,688 --a------ c:\windows\system32\dllcache\lbrtfdc.sys

2009-03-26 21:33 . 2008-04-13 11:41 18,560 --a------ c:\windows\system32\drivers\i2omp.sys

2009-03-26 21:33 . 2008-04-13 11:41 18,560 --a------ c:\windows\system32\dllcache\i2omp.sys

2009-03-26 21:33 . 2001-08-31 12:00 16,000 --a------ c:\windows\system32\drivers\INI910U.SYS

2009-03-26 21:33 . 2001-08-31 12:00 16,000 --a------ c:\windows\system32\dllcache\ini910u.sys

2009-03-26 21:33 . 2008-04-13 11:41 8,576 --a------ c:\windows\system32\drivers\i2omgmt.sys

2009-03-26 21:33 . 2008-04-13 11:41 8,576 --a------ c:\windows\system32\dllcache\i2omgmt.sys

2009-03-26 21:17 . 2004-08-03 22:00 18,304 --a------ c:\windows\system32\drivers\SYMC8XX.SY_

2009-03-26 21:17 . 2004-08-03 22:00 15,864 --a------ c:\windows\system32\drivers\ULTRA.SY_

2009-03-26 21:17 . 2004-08-03 22:00 2,629 --a------ c:\windows\system32\drivers\TOSIDE.SY_

2009-03-26 21:16 . 2004-08-03 22:00 17,923 --a------ c:\windows\system32\drivers\SYM_U3.SY_

2009-03-26 21:16 . 2004-08-03 22:00 16,761 --a------ c:\windows\system32\drivers\SYM_HI.SY_

2009-03-26 21:16 . 2004-08-03 22:00 11,098 --a------ c:\windows\system32\drivers\SPARROW.SY_

2009-03-26 21:16 . 2004-08-03 22:00 8,352 --a------ c:\windows\system32\drivers\SYMC810.SY_

2009-03-26 21:15 . 2004-08-03 22:00 27,359 --a------ c:\windows\system32\drivers\QL1280.SY_

2009-03-26 21:15 . 2004-08-03 22:00 22,855 --a------ c:\windows\system32\drivers\QL1240.SY_

2009-03-26 21:14 . 2004-08-03 22:00 25,938 --a------ c:\windows\system32\drivers\QL12160.SY_

2009-03-26 21:14 . 2004-08-03 22:00 22,761 --a------ c:\windows\system32\drivers\QL1080.SY_

2009-03-26 21:14 . 2004-08-03 22:00 18,888 --a------ c:\windows\system32\drivers\QL10WNT.SY_

2009-03-26 21:12 . 2004-08-03 22:00 9,785 --a------ c:\windows\system32\drivers\MRAID35X.SY_

2009-03-26 21:09 . 2004-08-03 22:00 14,614 --a------ c:\windows\system32\drivers\LBRTFDC.SY_

2009-03-26 21:09 . 2004-08-03 22:00 8,560 --a------ c:\windows\system32\drivers\INI910U.SY_

2009-03-26 21:08 . 2004-08-03 22:00 10,324 --a------ c:\windows\system32\drivers\I2OMP.SY_

2009-03-26 21:08 . 2004-08-03 22:00 4,064 --a------ c:\windows\system32\drivers\I2OMGMT.SY_

2009-03-26 20:58 . 2009-03-26 20:59 <DIR> d-------- c:\program files\PC-Doctor for Windows

2009-03-26 20:56 . 2009-03-26 20:56 <DIR> d-------- c:\program files\directx

2009-03-26 20:53 . 2009-03-26 20:53 <DIR> d-------- c:\program files\Support Tools

2009-03-26 20:49 . 2009-03-26 20:49 <DIR> d-------- c:\program files\Application Compatibility Toolkit

2009-03-26 20:30 . 2009-03-26 20:30 <DIR> d-------- c:\program files\AWS

2009-03-26 20:12 . 2009-03-26 20:12 <DIR> d-------- c:\program files\Common Files\xing shared

2009-03-26 20:01 . 2003-09-10 23:36 21,060 --------- c:\windows\system32\drivers\iviaspi.sys

2009-03-26 20:01 . 2003-09-19 01:47 10,368 --------- c:\windows\system32\drivers\pfc.sys

2009-03-26 20:00 . 2004-12-16 20:07 204,800 --a------ c:\windows\system32\IVIresizeW7.dll

2009-03-26 20:00 . 2004-12-16 20:07 200,704 --a------ c:\windows\system32\IVIresizeA6.dll

2009-03-26 20:00 . 2004-12-16 20:07 192,512 --a------ c:\windows\system32\IVIresizeP6.dll

2009-03-26 20:00 . 2004-12-16 20:07 192,512 --a------ c:\windows\system32\IVIresizeM6.dll

2009-03-26 20:00 . 2004-12-16 20:07 188,416 --a------ c:\windows\system32\IVIresizePX.dll

2009-03-26 20:00 . 2004-12-16 20:07 20,480 --a------ c:\windows\system32\IVIresize.dll

2009-03-26 19:58 . 2009-03-26 20:56 <DIR> d-------- c:\program files\InterVideo

2009-03-26 19:55 . 2009-03-26 19:55 <DIR> d-------- c:\program files\Macrovision Corp

2009-03-26 19:51 . 2009-03-26 19:51 <DIR> d-------- c:\program files\Common Files\Sonic

2009-03-26 19:51 . 2009-03-26 19:51 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Sonic

2009-03-26 19:48 . 2009-03-26 19:48 <DIR> d-------- c:\program files\Common Files\SureThing Shared

2009-03-26 19:16 . 2009-03-26 19:16 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\InterMute

2009-03-26 19:15 . 2009-03-26 19:15 <DIR> d-------- c:\program files\InterMute

2009-03-26 19:15 . 2009-03-26 19:16 2,158 --a------ c:\windows\system32\ssmute.ini

2009-03-26 16:08 . 2004-01-28 10:11 159,744 -ra------ c:\windows\system32\nvuide.exe

2009-03-26 15:44 . 2002-08-29 14:00 25,952 --a------ c:\windows\system32\drivers\hpn.sys

2009-03-26 15:44 . 2002-08-29 14:00 25,952 --a------ c:\windows\system32\dllcache\hpn.sys

2009-03-26 15:43 . 2001-08-31 12:00 20,192 --a------ c:\windows\system32\drivers\dpti2o.sys

2009-03-26 15:43 . 2001-08-31 12:00 20,192 --a------ c:\windows\system32\dllcache\dpti2o.sys

2009-03-26 15:42 . 2001-08-31 12:00 14,976 --a------ c:\windows\system32\drivers\cpqarray.sys

2009-03-26 15:42 . 2001-08-31 12:00 14,976 --a------ c:\windows\system32\dllcache\cpqarray.sys

2009-03-26 15:42 . 2001-08-31 12:00 14,720 --a------ c:\windows\system32\drivers\dac960nt.sys

2009-03-26 15:42 . 2001-08-31 12:00 14,720 --a------ c:\windows\system32\dllcache\dac960nt.sys

2009-03-26 15:41 . 2001-08-31 12:00 7,680 --a------ c:\windows\system32\drivers\cd20xrnt.sys

2009-03-26 15:41 . 2001-08-31 12:00 7,680 --a------ c:\windows\system32\dllcache\cd20xrnt.sys

2009-03-26 15:41 . 2001-08-17 13:51 6,656 --a------ c:\windows\system32\drivers\cmdide.sys

2009-03-26 15:41 . 2001-08-17 13:51 6,656 --a------ c:\windows\system32\dllcache\cmdide.sys

2009-03-26 15:40 . 2001-08-31 12:00 26,496 --a------ c:\windows\system32\drivers\asc.sys

2009-03-26 15:40 . 2001-08-31 12:00 26,496 --a------ c:\windows\system32\dllcache\asc.sys

2009-03-26 15:40 . 2001-08-31 12:00 22,400 --a------ c:\windows\system32\drivers\asc3350p.sys

2009-03-26 15:40 . 2001-08-31 12:00 22,400 --a------ c:\windows\system32\dllcache\asc3350p.sys

2009-03-26 15:40 . 2001-08-31 12:00 14,848 --a------ c:\windows\system32\drivers\asc3550.sys

2009-03-26 15:40 . 2001-08-31 12:00 14,848 --a------ c:\windows\system32\dllcache\asc3550.sys

2009-03-26 15:40 . 2001-08-31 12:00 12,032 --a------ c:\windows\system32\drivers\amsint.sys

2009-03-26 15:40 . 2001-08-31 12:00 12,032 --a------ c:\windows\system32\dllcache\amsint.sys

2009-03-26 15:39 . 2001-08-31 12:00 56,960 --a------ c:\windows\system32\drivers\aic78xx.sys

2009-03-26 15:39 . 2001-08-31 12:00 56,960 --a------ c:\windows\system32\dllcache\aic78xx.sys

2009-03-26 15:39 . 2001-08-31 12:00 55,168 --a------ c:\windows\system32\drivers\aic78u2.sys

2009-03-26 15:39 . 2001-08-31 12:00 55,168 --a------ c:\windows\system32\dllcache\aic78u2.sys

2009-03-26 15:39 . 2001-08-31 12:00 5,248 --a------ c:\windows\system32\drivers\aliide.sys

2009-03-26 15:39 . 2001-08-31 12:00 5,248 --a------ c:\windows\system32\dllcache\aliide.sys

2009-03-26 15:38 . 2001-08-31 12:00 101,888 --a------ c:\windows\system32\drivers\adpu160m.sys

2009-03-26 15:38 . 2001-08-31 12:00 101,888 --a------ c:\windows\system32\dllcache\adpu160m.sys

2009-03-26 15:38 . 2001-08-31 12:00 12,800 --a------ c:\windows\system32\drivers\aha154x.sys

2009-03-26 15:38 . 2001-08-31 12:00 12,800 --a------ c:\windows\system32\dllcache\aha154x.sys

2009-03-26 15:35 . 2001-08-31 12:00 23,552 --a------ c:\windows\system32\drivers\abp480n5.sys

2009-03-26 15:35 . 2001-08-31 12:00 23,552 --a------ c:\windows\system32\dllcache\abp480n5.sys

2009-03-26 12:06 . 2009-03-30 10:20 <DIR> d-------- c:\program files\Malwarebytes

2009-03-26 12:06 . 2009-03-26 12:06 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2009-03-26 12:06 . 2009-03-26 12:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-26 12:06 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-26 12:06 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-25 21:50 . 2009-03-25 21:50 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\HPQ

2009-03-25 11:56 . 2009-03-25 11:56 0 --a------ c:\windows\nsreg.dat

2009-03-23 12:06 . 2009-03-23 12:06 7,522,240 --a------ c:\program files\Firefox.exe

2009-03-23 12:02 . 2009-03-23 12:02 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\MSNInstaller

2009-03-02 16:27 . 2009-03-02 16:27 28,365,104 --a------ c:\program files\snagit.exe

2009-03-01 22:25 . 2008-01-13 23:29 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS

2009-03-01 22:25 . 2008-01-13 23:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit

2009-03-01 22:25 . 2009-03-01 22:25 <DIR> d-------- c:\documents and settings\Administrator

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-01 01:03 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-27 11:43 --------- d-----w c:\program files\WildTangent

2009-03-27 06:14 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-03-27 02:59 --------- d--h--w c:\program files\InstallShield Installation Information

2009-03-27 02:58 --------- d-----w c:\program files\Quicken

2009-03-27 02:12 --------- d-----w c:\program files\Common Files\Real

2009-03-27 01:55 --------- d-----w c:\program files\Common Files\InstallShield

2009-03-27 01:48 --------- d-----w c:\program files\Sonic

2009-03-27 01:40 --------- d-----w c:\program files\Symantec

2009-03-25 17:24 --------- d-----w c:\program files\Google

2009-03-23 16:29 --------- d-----w c:\program files\Common Files\Sonic Shared

2009-03-23 16:18 --------- d-----w c:\program files\HP Games

2009-03-23 16:17 --------- d-----w c:\program files\Chill

2009-03-02 22:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-02 19:01 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\ZoomBrowser EX

2009-03-02 19:01 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser

2009-03-02 17:38 --------- d-----w c:\program files\Norton 360

2009-03-02 02:21 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\LimeWire

2009-02-25 13:15 --------- d-----w c:\documents and settings\Guest\Application Data\Apple Computer

2009-02-22 17:58 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Apple Computer

2009-02-19 23:48 --------- d-----w c:\program files\Lavasoft

2009-02-19 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-02-18 05:14 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Move Networks

2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys

2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys

2009-02-04 01:36 --------- d-----w c:\program files\LimeWire

2009-01-28 11:25 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL

2009-01-17 04:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll

2008-11-13 00:35 350 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat

2008-08-06 12:53 15,070,144 ----a-w c:\program files\SpySweeper.exe

2008-01-15 22:27 4,494,664 ----a-w c:\program files\LimeWire.exe

2008-12-19 14:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008121920081220\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"Weather"="c:\progra~1\AWS\WEATHE~1\Weather.exe" [2004-04-13 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-26 180269]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"thirdintel"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-04-26 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-07-07 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\InterMute\SpySubtract\sshook.dll" [2009-03-26 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-27 64160]

R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [2007-01-18 24120]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-23 101936]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-26 38496]

S3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [2007-10-17 822400]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]

\Shell\AutoRun\command - K:\setupSNK.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-23 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\system32\cleanmgr.exe [2008-04-13 18:12]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

HKLM-Run-DXDllRegExe - dxdllreg.exe

HKLM-Run-PCDrProfiler - (no file)

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.comcast.net/

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\stuwmk4w.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-31 19:10:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4077673394-3207311990-1865167216-1009\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2009-03-31 19:21:22

ComboFix-quarantined-files.txt 2009-04-01 01:21:17

Pre-Run: 162,384,642,048 bytes free

Post-Run: 162,534,211,584 bytes free

264 --- E O F --- 2009-03-18 03:55:37

-----------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix Run 2

ComboFix 09-03-31.01 - Compaq_Owner 2009-03-31 19:58:18.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.72 [GMT -6:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

AV: Norton 360 *On-access scanning disabled* (Outdated)

FW: Norton 360 *disabled*

.

((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))

.

2009-03-27 12:47 . 2009-03-27 12:47 <DIR> d-------- c:\program files\Trend Micro

2009-03-26 23:31 . 2009-03-26 23:31 <DIR> d--hs---- c:\windows\ftpcache

2009-03-26 23:31 . 2009-03-26 23:31 917,504 --a------ c:\windows\system32\FLASH.OCX

2009-03-26 21:34 . 2001-08-31 12:00 27,296 --a------ c:\windows\system32\drivers\PERC2.SYS

2009-03-26 21:34 . 2001-08-31 12:00 27,296 --a------ c:\windows\system32\dllcache\perc2.sys

2009-03-26 21:34 . 2001-08-31 12:00 19,072 --a------ c:\windows\system32\drivers\SPARROW.SYS

2009-03-26 21:34 . 2001-08-31 12:00 19,072 --a------ c:\windows\system32\dllcache\sparrow.sys

2009-03-26 21:34 . 2001-08-31 12:00 17,280 --a------ c:\windows\system32\drivers\MRAID35X.SYS

2009-03-26 21:34 . 2001-08-31 12:00 17,280 --a------ c:\windows\system32\dllcache\mraid35x.sys

2009-03-26 21:34 . 2001-08-31 12:00 5,504 --a------ c:\windows\system32\drivers\PERC2HIB.SYS

2009-03-26 21:34 . 2001-08-31 12:00 5,504 --a------ c:\windows\system32\dllcache\perc2hib.sys

2009-03-26 21:33 . 2008-04-13 11:40 34,688 --a------ c:\windows\system32\drivers\lbrtfdc.sys

2009-03-26 21:33 . 2008-04-13 11:40 34,688 --a------ c:\windows\system32\dllcache\lbrtfdc.sys

2009-03-26 21:33 . 2008-04-13 11:41 18,560 --a------ c:\windows\system32\drivers\i2omp.sys

2009-03-26 21:33 . 2008-04-13 11:41 18,560 --a------ c:\windows\system32\dllcache\i2omp.sys

2009-03-26 21:33 . 2001-08-31 12:00 16,000 --a------ c:\windows\system32\drivers\INI910U.SYS

2009-03-26 21:33 . 2001-08-31 12:00 16,000 --a------ c:\windows\system32\dllcache\ini910u.sys

2009-03-26 21:33 . 2008-04-13 11:41 8,576 --a------ c:\windows\system32\drivers\i2omgmt.sys

2009-03-26 21:33 . 2008-04-13 11:41 8,576 --a------ c:\windows\system32\dllcache\i2omgmt.sys

2009-03-26 21:17 . 2004-08-03 22:00 18,304 --a------ c:\windows\system32\drivers\SYMC8XX.SY_

2009-03-26 21:17 . 2004-08-03 22:00 15,864 --a------ c:\windows\system32\drivers\ULTRA.SY_

2009-03-26 21:17 . 2004-08-03 22:00 2,629 --a------ c:\windows\system32\drivers\TOSIDE.SY_

2009-03-26 21:16 . 2004-08-03 22:00 17,923 --a------ c:\windows\system32\drivers\SYM_U3.SY_

2009-03-26 21:16 . 2004-08-03 22:00 16,761 --a------ c:\windows\system32\drivers\SYM_HI.SY_

2009-03-26 21:16 . 2004-08-03 22:00 11,098 --a------ c:\windows\system32\drivers\SPARROW.SY_

2009-03-26 21:16 . 2004-08-03 22:00 8,352 --a------ c:\windows\system32\drivers\SYMC810.SY_

2009-03-26 21:15 . 2004-08-03 22:00 27,359 --a------ c:\windows\system32\drivers\QL1280.SY_

2009-03-26 21:15 . 2004-08-03 22:00 22,855 --a------ c:\windows\system32\drivers\QL1240.SY_

2009-03-26 21:14 . 2004-08-03 22:00 25,938 --a------ c:\windows\system32\drivers\QL12160.SY_

2009-03-26 21:14 . 2004-08-03 22:00 22,761 --a------ c:\windows\system32\drivers\QL1080.SY_

2009-03-26 21:14 . 2004-08-03 22:00 18,888 --a------ c:\windows\system32\drivers\QL10WNT.SY_

2009-03-26 21:12 . 2004-08-03 22:00 9,785 --a------ c:\windows\system32\drivers\MRAID35X.SY_

2009-03-26 21:09 . 2004-08-03 22:00 14,614 --a------ c:\windows\system32\drivers\LBRTFDC.SY_

2009-03-26 21:09 . 2004-08-03 22:00 8,560 --a------ c:\windows\system32\drivers\INI910U.SY_

2009-03-26 21:08 . 2004-08-03 22:00 10,324 --a------ c:\windows\system32\drivers\I2OMP.SY_

2009-03-26 21:08 . 2004-08-03 22:00 4,064 --a------ c:\windows\system32\drivers\I2OMGMT.SY_

2009-03-26 20:58 . 2009-03-26 20:59 <DIR> d-------- c:\program files\PC-Doctor for Windows

2009-03-26 20:56 . 2009-03-26 20:56 <DIR> d-------- c:\program files\directx

2009-03-26 20:53 . 2009-03-26 20:53 <DIR> d-------- c:\program files\Support Tools

2009-03-26 20:49 . 2009-03-26 20:49 <DIR> d-------- c:\program files\Application Compatibility Toolkit

2009-03-26 20:30 . 2009-03-26 20:30 <DIR> d-------- c:\program files\AWS

2009-03-26 20:12 . 2009-03-26 20:12 <DIR> d-------- c:\program files\Common Files\xing shared

2009-03-26 20:01 . 2003-09-10 23:36 21,060 --------- c:\windows\system32\drivers\iviaspi.sys

2009-03-26 20:01 . 2003-09-19 01:47 10,368 --------- c:\windows\system32\drivers\pfc.sys

2009-03-26 20:00 . 2004-12-16 20:07 204,800 --a------ c:\windows\system32\IVIresizeW7.dll

2009-03-26 20:00 . 2004-12-16 20:07 200,704 --a------ c:\windows\system32\IVIresizeA6.dll

2009-03-26 20:00 . 2004-12-16 20:07 192,512 --a------ c:\windows\system32\IVIresizeP6.dll

2009-03-26 20:00 . 2004-12-16 20:07 192,512 --a------ c:\windows\system32\IVIresizeM6.dll

2009-03-26 20:00 . 2004-12-16 20:07 188,416 --a------ c:\windows\system32\IVIresizePX.dll

2009-03-26 20:00 . 2004-12-16 20:07 20,480 --a------ c:\windows\system32\IVIresize.dll

2009-03-26 19:58 . 2009-03-26 20:56 <DIR> d-------- c:\program files\InterVideo

2009-03-26 19:55 . 2009-03-26 19:55 <DIR> d-------- c:\program files\Macrovision Corp

2009-03-26 19:51 . 2009-03-26 19:51 <DIR> d-------- c:\program files\Common Files\Sonic

2009-03-26 19:51 . 2009-03-26 19:51 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Sonic

2009-03-26 19:48 . 2009-03-26 19:48 <DIR> d-------- c:\program files\Common Files\SureThing Shared

2009-03-26 19:16 . 2009-03-26 19:16 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\InterMute

2009-03-26 19:15 . 2009-03-26 19:15 <DIR> d-------- c:\program files\InterMute

2009-03-26 19:15 . 2009-03-26 19:16 2,158 --a------ c:\windows\system32\ssmute.ini

2009-03-26 16:08 . 2004-01-28 10:11 159,744 -ra------ c:\windows\system32\nvuide.exe

2009-03-26 15:44 . 2002-08-29 14:00 25,952 --a------ c:\windows\system32\drivers\hpn.sys

2009-03-26 15:44 . 2002-08-29 14:00 25,952 --a------ c:\windows\system32\dllcache\hpn.sys

2009-03-26 15:43 . 2001-08-31 12:00 20,192 --a------ c:\windows\system32\drivers\dpti2o.sys

2009-03-26 15:43 . 2001-08-31 12:00 20,192 --a------ c:\windows\system32\dllcache\dpti2o.sys

2009-03-26 15:42 . 2001-08-31 12:00 14,976 --a------ c:\windows\system32\drivers\cpqarray.sys

2009-03-26 15:42 . 2001-08-31 12:00 14,976 --a------ c:\windows\system32\dllcache\cpqarray.sys

2009-03-26 15:42 . 2001-08-31 12:00 14,720 --a------ c:\windows\system32\drivers\dac960nt.sys

2009-03-26 15:42 . 2001-08-31 12:00 14,720 --a------ c:\windows\system32\dllcache\dac960nt.sys

2009-03-26 15:41 . 2001-08-31 12:00 7,680 --a------ c:\windows\system32\drivers\cd20xrnt.sys

2009-03-26 15:41 . 2001-08-31 12:00 7,680 --a------ c:\windows\system32\dllcache\cd20xrnt.sys

2009-03-26 15:41 . 2001-08-17 13:51 6,656 --a------ c:\windows\system32\drivers\cmdide.sys

2009-03-26 15:41 . 2001-08-17 13:51 6,656 --a------ c:\windows\system32\dllcache\cmdide.sys

2009-03-26 15:40 . 2001-08-31 12:00 26,496 --a------ c:\windows\system32\drivers\asc.sys

2009-03-26 15:40 . 2001-08-31 12:00 26,496 --a------ c:\windows\system32\dllcache\asc.sys

2009-03-26 15:40 . 2001-08-31 12:00 22,400 --a------ c:\windows\system32\drivers\asc3350p.sys

2009-03-26 15:40 . 2001-08-31 12:00 22,400 --a------ c:\windows\system32\dllcache\asc3350p.sys

2009-03-26 15:40 . 2001-08-31 12:00 14,848 --a------ c:\windows\system32\drivers\asc3550.sys

2009-03-26 15:40 . 2001-08-31 12:00 14,848 --a------ c:\windows\system32\dllcache\asc3550.sys

2009-03-26 15:40 . 2001-08-31 12:00 12,032 --a------ c:\windows\system32\drivers\amsint.sys

2009-03-26 15:40 . 2001-08-31 12:00 12,032 --a------ c:\windows\system32\dllcache\amsint.sys

2009-03-26 15:39 . 2001-08-31 12:00 56,960 --a------ c:\windows\system32\drivers\aic78xx.sys

2009-03-26 15:39 . 2001-08-31 12:00 56,960 --a------ c:\windows\system32\dllcache\aic78xx.sys

2009-03-26 15:39 . 2001-08-31 12:00 55,168 --a------ c:\windows\system32\drivers\aic78u2.sys

2009-03-26 15:39 . 2001-08-31 12:00 55,168 --a------ c:\windows\system32\dllcache\aic78u2.sys

2009-03-26 15:39 . 2001-08-31 12:00 5,248 --a------ c:\windows\system32\drivers\aliide.sys

2009-03-26 15:39 . 2001-08-31 12:00 5,248 --a------ c:\windows\system32\dllcache\aliide.sys

2009-03-26 15:38 . 2001-08-31 12:00 101,888 --a------ c:\windows\system32\drivers\adpu160m.sys

2009-03-26 15:38 . 2001-08-31 12:00 101,888 --a------ c:\windows\system32\dllcache\adpu160m.sys

2009-03-26 15:38 . 2001-08-31 12:00 12,800 --a------ c:\windows\system32\drivers\aha154x.sys

2009-03-26 15:38 . 2001-08-31 12:00 12,800 --a------ c:\windows\system32\dllcache\aha154x.sys

2009-03-26 15:35 . 2001-08-31 12:00 23,552 --a------ c:\windows\system32\drivers\abp480n5.sys

2009-03-26 15:35 . 2001-08-31 12:00 23,552 --a------ c:\windows\system32\dllcache\abp480n5.sys

2009-03-26 12:06 . 2009-03-30 10:20 <DIR> d-------- c:\program files\Malwarebytes

2009-03-26 12:06 . 2009-03-26 12:06 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2009-03-26 12:06 . 2009-03-26 12:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-26 12:06 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-26 12:06 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-25 21:50 . 2009-03-25 21:50 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\HPQ

2009-03-25 11:56 . 2009-03-25 11:56 0 --a------ c:\windows\nsreg.dat

2009-03-23 12:06 . 2009-03-23 12:06 7,522,240 --a------ c:\program files\Firefox.exe

2009-03-23 12:02 . 2009-03-23 12:02 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\MSNInstaller

2009-03-02 16:27 . 2009-03-02 16:27 28,365,104 --a------ c:\program files\snagit.exe

2009-03-01 22:25 . 2008-01-13 23:29 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS

2009-03-01 22:25 . 2008-01-13 23:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit

2009-03-01 22:25 . 2009-03-01 22:25 <DIR> d-------- c:\documents and settings\Administrator

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-01 01:44 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-27 11:43 --------- d-----w c:\program files\WildTangent

2009-03-27 06:14 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-03-27 02:59 --------- d--h--w c:\program files\InstallShield Installation Information

2009-03-27 02:58 --------- d-----w c:\program files\Quicken

2009-03-27 02:12 --------- d-----w c:\program files\Common Files\Real

2009-03-27 01:55 --------- d-----w c:\program files\Common Files\InstallShield

2009-03-27 01:48 --------- d-----w c:\program files\Sonic

2009-03-27 01:40 --------- d-----w c:\program files\Symantec

2009-03-25 17:24 --------- d-----w c:\program files\Google

2009-03-23 16:29 --------- d-----w c:\program files\Common Files\Sonic Shared

2009-03-23 16:18 --------- d-----w c:\program files\HP Games

2009-03-23 16:17 --------- d-----w c:\program files\Chill

2009-03-02 22:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-02 19:01 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\ZoomBrowser EX

2009-03-02 19:01 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser

2009-03-02 17:38 --------- d-----w c:\program files\Norton 360

2009-03-02 02:21 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\LimeWire

2009-02-25 13:15 --------- d-----w c:\documents and settings\Guest\Application Data\Apple Computer

2009-02-22 17:58 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Apple Computer

2009-02-19 23:48 --------- d-----w c:\program files\Lavasoft

2009-02-19 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-02-18 05:14 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Move Networks

2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys

2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys

2009-02-04 01:36 --------- d-----w c:\program files\LimeWire

2009-01-28 11:25 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL

2009-01-17 04:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll

2008-11-13 00:35 350 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat

2008-08-06 12:53 15,070,144 ----a-w c:\program files\SpySweeper.exe

2008-01-15 22:27 4,494,664 ----a-w c:\program files\LimeWire.exe

2008-12-19 14:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008121920081220\index.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-03-31_19.19.53.07 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-03-30 21:28:15 1,660 ----a-w c:\windows\bthservsdp.dat

+ 2009-04-01 01:30:16 1,660 ----a-w c:\windows\bthservsdp.dat

- 2009-04-01 00:54:39 53,436 ----a-w c:\windows\system32\perfc009.dat

+ 2009-04-01 01:35:53 53,436 ----a-w c:\windows\system32\perfc009.dat

- 2009-04-01 00:54:39 381,692 ----a-w c:\windows\system32\perfh009.dat

+ 2009-04-01 01:35:53 381,692 ----a-w c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"Weather"="c:\progra~1\AWS\WEATHE~1\Weather.exe" [2004-04-13 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-26 180269]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"thirdintel"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-04-26 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-07-07 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\InterMute\SpySubtract\sshook.dll" [2009-03-26 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-27 64160]

R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [2007-01-18 24120]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-23 101936]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-26 38496]

S3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [2007-10-17 822400]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]

\Shell\AutoRun\command - K:\setupSNK.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-23 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\system32\cleanmgr.exe [2008-04-13 18:12]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.comcast.net/

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\stuwmk4w.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll

FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-31 20:01:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4077673394-3207311990-1865167216-1009\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2009-03-31 20:03:41

ComboFix-quarantined-files.txt 2009-04-01 02:03:37

ComboFix2.txt 2009-04-01 01:52:53

ComboFix3.txt 2009-04-01 01:21:25

Pre-Run: 162,540,216,320 bytes free

Post-Run: 162,524,762,112 bytes free

264 --- E O F --- 2009-03-18 03:55:37

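The two MountPoints2 entries in the log above (volumes D: and K:) are Explorer's cached copies of the launch command it read from each volume's autorun.inf; they are worth a look on any infected machine because AutoRun is a common way for removable-media malware to start. As an added example, not part of this thread and not ComboFix or Malwarebytes code, the PowerShell below lists those cached commands and reports whether the NoDriveTypeAutoRun policy disables AutoRun. The registry paths are the standard ones; whether the policy value exists on the machine being triaged is an assumption.

```powershell
# Added example for the thread, not ComboFix output and not tool code.
# Lists the AutoRun command Explorer cached for each volume it has seen and
# checks whether AutoRun is disabled by policy. PowerShell 2.0 syntax on purpose,
# since the machine in the thread runs Windows XP.

$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-MountPointAutoRun {
    # Each child key is a drive letter or a volume GUID; a cached launch
    # command lives at <child>\Shell\AutoRun\command, in the (default) value.
    Get-ChildItem -Path $mountPoints -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = Join-Path $_.PSPath 'Shell\AutoRun\command'
        if (Test-Path $cmdKey) {
            New-Object PSObject -Property @{
                Volume  = $_.PSChildName
                Command = (Get-ItemProperty -Path $cmdKey).'(default)'
            }
        }
    }
}

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
    # suppressed; 0xFF (255) turns it off for every drive type. The value may
    # be absent (assumption: then the OS default applies), so read it leniently.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        New-Object PSObject -Property @{
            Hive               = $hive
            NoDriveTypeAutoRun = $v
            AllDrivesDisabled  = ($v -eq 255)
        }
    }
}

'--- Cached AutoRun commands (MountPoints2) ---'
Get-MountPointAutoRun | Format-Table -AutoSize
'--- NoDriveTypeAutoRun policy (255 = AutoRun off for all drive types) ---'
Get-AutoRunPolicy | Format-Table -AutoSize
```

On the machine from this thread the first table would show the RunDLL32 line for D: and K:\setupSNK.exe for K:, exactly as ComboFix printed them. A cached command is not proof that it ran, but any entry that launches something other than the installer you expect from that disc or drive should be checked, and setting NoDriveTypeAutoRun to 255 in HKLM is the policy control that stops AutoRun from firing again.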

  • Staff

Hi,

Nothing strange anymore in your Combofix log, which means that MalwareBytes already removed whatever was present.

There's something strange, though: I see a lot of files (drivers) and folders being created/modified on 26 and 27 March.

Is it possible that a repair install was done in between? Or any other steps related to drivers etc.? Because this is somewhat strange.

Anyway, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

As a final check... Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


We haven't done anything from your last post yet. Still cannot connect to the internet. Connects to the ISP ok via the cable modem (IP address, etc.) and all the settings look good but cannot go anywhere with IE or Firefox. Seems like something might be wrong with Windows but I'm not sure. If you have any suggestions I would appreciate it. Otherwise, I will keep trying. I will be visiting her next week so it might help not working remote.

THANKS!


  • Staff

Hi,

It's unclear here whether you have connection problems with wireless or cable or both.

Anyway...

Was there a proxy server previously set? Because I see partially configured proxy settings here.

So not sure if it was configured to use a proxy or not.

Anyway, try this first.

In IE: Tools menu -> Internet Options -> Connections tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you had set it previously.

In Firefox: Tools menu -> Options... -> Advanced tab -> Network tab -> "Settings" under Connection.

In case a proxy setting was set previously, you also need to adjust it again with these settings. Unfortunately I cannot tell you what these settings are in your case.

If no change, use WinsockFix:

http://majorgeeks.com/download4372.html

If still no luck, can you access the Internet in Windows Safe mode (choose Safe mode with network access, of course)? If so, then it's most probably your antivirus/firewall causing your problem.

Even if there's no access in Windows Safe mode, it may be a good idea to temporarily uninstall Norton anyway, just to test. It's not the first time that Norton has caused this.

Please reboot after uninstalling.

If still no luck, read here: http://support.microsoft.com/kb/299357

If it's mainly your wireless (since that part is unclear here), look here: http://www.daileyint.com/hmdpc/connect.htm

It's always a good idea to reset settings / reinstall wireless.

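The proxy check in the reply above is done through IE's dialog, but the same values live in the WinINet registry key that the dialog edits, which is handier when you are guiding someone by phone or want a record before changing anything. As an added example, not part of this thread and not from any tool mentioned in it, the PowerShell below dumps those values, offers a function that unticks "Use a proxy server" the same way the dialog would, and pings the default gateway to separate a browser-layer problem from a link-layer one. Value names (ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL) are the standard ones; that they are present on the machine is an assumption, and missing ones simply show as empty.

```powershell
# Added example for the thread, not Malwarebytes or ComboFix code.
# Read-only triage first, remediation only when you call Disable-WinInetProxy.
# PowerShell 2.0 syntax on purpose, since the thread's machine is Windows XP.

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxy {
    # These are the values behind IE's Tools > Internet Options > Connections
    # > LAN Settings dialog. A proxy that points at a host you do not recognise,
    # or a PAC URL you never configured, is a classic leftover of adware.
    $p = Get-ItemProperty -Path $inetKey
    New-Object PSObject -Property @{
        ProxyEnable   = [bool]$p.ProxyEnable     # 1 = "Use a proxy server" ticked
        ProxyServer   = $p.ProxyServer           # host:port, or proto=host:port;...
        ProxyOverride = $p.ProxyOverride         # bypass list; '<local>' = local names
        AutoConfigURL = $p.AutoConfigURL         # automatic configuration (PAC) script
    }
}

function Disable-WinInetProxy {
    # Equivalent of unticking "Use a proxy server" and clearing the PAC URL.
    # Only do this when no legitimate proxy was configured (see the reply above).
    Set-ItemProperty -Path $inetKey -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
}

function Test-DefaultGateway {
    # Win32_NetworkAdapterConfiguration exists on XP; DefaultIPGateway is an
    # array per adapter, so flatten it and drop adapters without a gateway.
    $gateways = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
                ForEach-Object { $_.DefaultIPGateway } | Where-Object { $_ }
    foreach ($gw in $gateways) {
        $ok = Test-Connection -ComputerName $gw -Count 2 -Quiet -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ Gateway = $gw; Reachable = [bool]$ok }
    }
}

'--- WinINet (IE) proxy configuration ---'
Get-WinInetProxy | Format-List
'--- Default gateway reachability ---'
Test-DefaultGateway | Format-Table -AutoSize
```

If the gateway does not answer (the situation the original poster reports further down), no proxy or Winsock change will help and the cable modem, NIC or driver is the place to look; if the gateway answers but browsing fails, the proxy values and a Winsock reset are the next things to check.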

Thank you. Unfortunately, none of this helped. I am starting to think she has a problem with her cable modem and/or ISP in addition to the malware that was there. I think this because she is not even able to ping her gateway from a DOS window. BTW, the connection is directly to a cable modem and wireless is not being used.

Thanks again,


  • Staff

Hi,

Yes, malware damages a lot and not all damage can be repaired. So yes, it's a good idea to perform a repair install.

Glad I could help. :lol:

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
