
green anti virus



I got a PC that has that Green Anti Virus on it. It looks and acts just like all the other rogue anti-viruses/fakeware, but when I scan for it, it is not detected... I have used Stinger, Norton 360 and Malwarebytes... none of them detect it, but it is there... I could probably follow the registry keys and find the files and delete them, but I need to be sure it is gone... any info would be helpful.


Before you do anything, read this, then follow the steps below.

First, run HijackThis.

Get it from here.

Post the log please.

Then

Try running ComboFix.

For help on using it click here.

Download it here.

Post the log also.

If you are unable to run this, restart your computer and press the "F8" key until a list of choices appears. When that happens, choose "Safe Mode With Networking", then run the programs and post the logs. If you have any questions, post back!

Good luck!!


...how do I keep from getting it again...

Keep up to date with Windows updates. Run up-to-date virus protection and anti-malware.

I run Norton AntiVirus Corporate Edition, Lavasoft's Ad-Aware, Spybot Search & Destroy, and Windows Defender.

If you have any questions about these products and where to get them, post back.

Also, what do you have to protect you on your PC now?


Keep up to date with Windows updates. Run up-to-date virus protection and anti-malware.

I run Norton AntiVirus Corporate Edition, Lavasoft's Ad-Aware, Spybot Search & Destroy, and Windows Defender.

If you have any questions about these products and where to get them, post back.

Also, what do you have to protect you on your PC now?

Norton 360


Scan and post logs - read note at bottom in green

If you're having malware-related issues with your computer that you're unable to resolve:

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours, then please go ahead and post a request for review.

  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:47:33 PM, on 8/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PRISMSVR.EXE

C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE

C:\Documents and Settings\Hil\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

O1 - Hosts: ::1 localhost

O1 - Hosts: 208.43.47.212 a1.review.zdnet.com

O1 - Hosts: 208.43.47.212 reviews.riverstreams.co.uk

O1 - Hosts: 208.43.47.212 d1.reviews.cnet.com

O1 - Hosts: 208.43.47.212 review.2009softwarereviews.com

O1 - Hosts: 208.43.47.212 reviews.download.com

O1 - Hosts: 208.43.47.212 reviews.pcadvisor.co.uk

O1 - Hosts: 208.43.47.212 reviews.pcmag.com

O1 - Hosts: 208.43.47.212 reviews.pcpro.co.uk

O1 - Hosts: 208.43.47.212 reviews.techradar.com

O1 - Hosts: 208.43.47.212 toptenreviews.com

O1 - Hosts: 208.43.47.212 www.reevoo.com

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll

O2 - BHO: Net Games Toolbar - {8a6264b5-a8f2-494b-8f37-cf898a763e42} - C:\Program Files\Net_Games\tbNet1.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Net Games Toolbar - {8a6264b5-a8f2-494b-8f37-cf898a763e42} - C:\Program Files\Net_Games\tbNet1.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab

O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/snailmail...gwebinstall.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab

O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe

O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfr...outLauncher.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{34A571C2-88F4-4D5D-A066-07AE82AACB9F}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{34A571C2-88F4-4D5D-A066-07AE82AACB9F}: NameServer = 192.168.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{34A571C2-88F4-4D5D-A066-07AE82AACB9F}: NameServer = 192.168.1.1

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll

O18 - Filter hijack: text/html - {9f7d088e-b35b-4fce-bff1-005ca02033db} - C:\WINDOWS\system32\xwreg32.dll

--

End of file - 6945 bytes

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 09-08-10.06 - Hil 08/12/2009 17:31.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.562 [GMT -4:00]

Running from: c:\documents and settings\Hil\Desktop\Combo-Fix.exe

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Hil\wsdt.exe

c:\program files\PeoplePC\Toolbar\PPCToolbar.dll

.

((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))

.

2009-08-12 21:29 . 2009-08-12 21:30 -------- d-----w- C:\32788R22FWJFW

2009-08-11 15:55 . 2009-08-06 13:19 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\EECTRL.SYS

2009-08-11 15:55 . 2009-08-06 13:19 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\ERASER.SYS

2009-08-11 15:55 . 2009-08-06 13:19 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVENG32.DLL

2009-08-11 15:55 . 2009-08-06 13:19 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVEX32A.DLL

2009-08-11 15:55 . 2009-08-06 13:19 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\ECMSVR32.DLL

2009-08-11 15:55 . 2009-08-06 13:19 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\CCERASER.DLL

2009-08-11 15:55 . 2009-08-05 08:00 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVENG.SYS

2009-08-11 15:55 . 2009-08-05 08:00 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090811.004\NAVEX15.SYS

2009-08-09 12:23 . 2009-08-09 12:23 578560 ----a-w- c:\windows\system32\dllcache\user32.dll

2009-08-08 15:09 . 2009-08-08 15:10 1402418 ----a-w- c:\documents and settings\All Users\Application Data\gav\GAVBi.exe

2009-08-08 15:08 . 2009-08-11 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\gav

2009-08-07 21:28 . 2009-08-07 21:28 966144 ----a-w- c:\documents and settings\All Users\Application Data\gav\gav.exe

2009-08-07 07:34 . 2009-08-07 07:34 331791 ----a-w- c:\documents and settings\All Users\Application Data\gav\wsdt05.exe

2009-08-06 17:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys

2009-08-06 17:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\Scxpx86.dll

2009-08-06 17:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSvix86.sys

2009-08-06 17:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSxpx86.dll

2009-08-06 17:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSviA64.sys

2009-08-06 13:20 . 2009-01-15 16:19 23848 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2009-08-06 13:20 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2009-08-06 13:19 . 2009-08-06 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

2009-08-06 13:19 . 2009-08-06 13:19 -------- d-----w- c:\documents and settings\Hil\Local Settings\Application Data\Downloaded Installations

2009-08-06 13:19 . 2009-08-06 13:19 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2009-08-06 13:19 . 2009-08-06 13:19 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-08-06 13:19 . 2009-08-06 13:19 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-08-06 13:19 . 2009-08-06 13:19 -------- d-----w- c:\program files\Symantec

2009-08-06 13:19 . 2009-08-06 13:19 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll

2009-08-06 13:19 . 2009-08-06 13:19 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll

2009-08-06 13:19 . 2009-08-06 13:19 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll

2009-08-06 13:18 . 2009-08-06 13:18 -------- d-----w- c:\windows\system32\drivers\N360

2009-08-06 13:18 . 2009-08-06 13:19 -------- d-----w- c:\program files\Norton 360

2009-08-06 13:18 . 2009-08-06 13:18 -------- d-----w- c:\program files\Windows Sidebar

2009-08-06 13:18 . 2009-08-06 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-06 13:17 . 2009-08-06 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-06 13:17 . 2009-08-06 13:17 -------- d-----w- c:\program files\NortonInstaller

2009-08-03 23:17 . 2009-08-03 23:17 -------- d-----w- c:\windows\Progress Data

2009-08-03 23:08 . 2009-08-03 23:08 -------- d-----w- c:\program files\VTech

2009-08-01 16:57 . 2009-08-11 11:45 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-01 16:14 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-01 16:14 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-01 16:14 . 2009-08-11 22:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-01 04:47 . 2009-08-01 18:31 -------- d-----w- c:\program files\kciqbe

2009-07-22 08:02 . 2009-08-11 22:30 -------- d-----w- c:\program files\Shared

2009-07-17 01:21 . 2009-07-17 01:56 -------- d-----w- c:\program files\Race The World

2009-07-17 01:18 . 2009-08-12 20:10 -------- d-----w- c:\program files\Hot Wheels

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-12 19:49 . 2009-05-09 20:03 -------- d-----w- c:\program files\Net_Games

2009-08-12 19:49 . 2008-02-27 13:52 -------- d-----w- c:\program files\Google

2009-08-12 04:27 . 2005-08-07 15:35 74064 ----a-w- c:\documents and settings\Hil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-09 12:23 . 2004-08-04 10:00 578560 ----a-w- c:\windows\system32\user32.DLL

2009-08-06 22:19 . 2005-07-08 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-06 18:06 . 2009-05-09 20:03 -------- d-----w- c:\program files\Net-Games.biz

2009-08-06 14:11 . 2005-07-08 14:30 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-06 13:19 . 2009-08-06 13:19 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-08-06 13:19 . 2009-08-06 13:19 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-08-03 23:08 . 2005-07-08 14:18 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys

2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys

2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll

2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll

2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys

2009-06-29 16:20 . 2007-09-20 17:08 585 ----a-w- c:\windows\PowerReg.dat

2009-06-29 16:12 . 2004-08-04 10:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-15 19:36 . 2009-06-15 19:36 -------- d-----w- c:\documents and settings\Hil\Application Data\Malwarebytes

2009-06-15 19:36 . 2009-06-15 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2002-07-26 22:02 . 2008-09-09 22:20 153088 ----a-w- c:\program files\UNWISE.EXE

.

((((((((((((((((((((((((((((( SnapShot@2009-08-12_19.55.02 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-12 20:15 . 2009-08-12 20:15 16384 c:\windows\temp\Perflib_Perfdata_dc.dat

+ 2005-07-08 14:09 . 2009-08-12 20:19 54280 c:\windows\SYSTEM32\PERFC009.DAT

- 2005-07-08 14:09 . 2009-08-12 04:29 54280 c:\windows\SYSTEM32\PERFC009.DAT

+ 2005-07-08 14:09 . 2009-08-12 20:19 384596 c:\windows\SYSTEM32\PERFH009.DAT

- 2005-07-08 14:09 . 2009-08-12 04:29 384596 c:\windows\SYSTEM32\PERFH009.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=

"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=

"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=

"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0300000.087\SymEFA.sys [8/6/2009 9:19 AM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\N360\0300000.087\BHDrvx86.sys [8/6/2009 9:19 AM 258608]

R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0300000.087\cchpx86.sys [8/6/2009 9:19 AM 482352]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys [8/6/2009 1:34 PM 276344]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/11/2009 11:55 AM 101936]

S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [8/6/2009 9:19 AM 115560]

S4 PRISMSVC;PRISMSVC;c:\windows\SYSTEM32\PRISMSVC.exe [7/8/2005 10:18 AM 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-12 17:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,41,00,e8,ad,4b,

8e,59,7e,2e,e8,e1,00,eb,16,2b,de,db,05,94,c1,0b,ad,83,2c,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,21,6b,4a,0b,46,

43,82,fc,46,47,15,b0,92,4b,c7,ef,00,fe,b4,44,b1,e0,b5,a2,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,08,75,90,a5,e6,

1a,b4,ad,7a,45,05,fd,91,e8,6f,31,ae,23,9e,14,10,a4,ea,54,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,30,c5,cd,7f,73,

d0,fe,90,6b,65,49,6a,7e,99,74,f7,6c,01,fd,83,71,f1,0f,0c,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,41,60,08,64,aa,

a4,e1,b8,e9,02,6c,fa,fb,1d,47,57,90,c3,99,b7,5b,d7,4d,fe,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,f1,2b,f6,24,e9,

3b,4c,98,50,93,e5,ab,ec,6a,4e,ab,97,a9,4b,79,c0,7f,40,6f,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,d3,2e,9e,c2,1c,

35,4f,03,97,20,4e,9a,c7,f1,35,ee,e6,20,ea,58,0b,b1,e6,59,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,2e,3b,32,70,36,

52,35,2d,aa,52,c6,00,84,3c,26,64,dc,9e,b6,2b,87,66,c4,b6,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,0f,e2,fb,bd,e3,

c5,2b,53,b2,46,9a,e2,1b,fe,1b,94,78,02,bf,94,24,d4,b5,2e,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,84,e2,92,d2,09,

f2,54,12,37,a4,aa,c3,a6,15,56,0a,08,f4,b5,6c,56,09,45,d5,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,96,95,82,8e,91,

5a,00,b0,f8,31,0f,a9,5f,a0,ec,fb,a4,61,e9,9c,cc,4d,5b,3a,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,db,d8,63,46,49,

fb,fe,3e,05,73,21,dd,54,d8,4a,c5,26,a3,3d,33,c3,2a,ed,d3,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\PRISMAPI.dll

.

Completion time: 2009-08-12 17:42

ComboFix-quarantined-files.txt 2009-08-12 21:42

ComboFix2.txt 2009-08-12 20:04

Pre-Run: 180,856,963,072 bytes free

Post-Run: 180,836,384,768 bytes free

225 --- E O F --- 2009-08-01 16:43

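Two things in the HijackThis log above are what a helper reviewing it would look at first: the O1 entries that map a set of software-review sites to a single non-loopback address, and the O18 text/html filter handled by a DLL sitting in system32. As an added example (not part of this thread or of HijackThis, ComboFix or any other tool named here), the Python script below pulls exactly those entry types out of HJT log text. The excerpt it runs on is a constructed subset of the log posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O1 - Hosts: ::1 localhost
O1 - Hosts: 208.43.47.212 a1.review.zdnet.com
O1 - Hosts: 208.43.47.212 reviews.download.com
O1 - Hosts: 208.43.47.212 reviews.pcmag.com
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\\Program Files\\Norton 360\\Engine\\3.0.0.135\\coIEPlg.dll
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\pchealth\\helpctr\\Binaries\\MSCONFIG.EXE /auto
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\\Program Files\\Norton 360\\Engine\\3.0.0.135\\coIEPlg.dll
O18 - Filter hijack: text/html - {9f7d088e-b35b-4fce-bff1-005ca02033db} - C:\\WINDOWS\\system32\\xwreg32.dll
"""

# hosts-file targets that are normal and should not be reported
LOOPBACK = {"127.0.0.1", "::1"}

# O1 lines: "O1 - Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# O18 filter lines: "O18 - Filter hijack: <mime> - {CLSID} - <dll path>"
FILTER_RE = re.compile(
    r"^O18 - Filter hijack:\s+(\S+)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.+?)\s*$"
)


def parse_hosts_redirects(log_text):
    """Return {ip: [hostnames]} for O1 entries pointing anywhere but loopback.

    Many hostnames mapped to one address is the pattern to look for: every
    listed site silently resolves to the same machine instead of the real one.
    """
    redirects = defaultdict(list)
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m and m.group(1) not in LOOPBACK:
            redirects[m.group(1)].append(m.group(2))
    return dict(redirects)


def parse_filter_hijacks(log_text):
    """Return [(mime_type, clsid, dll_path)] for O18 'Filter hijack' entries.

    A MIME filter sees every response of that type before the browser renders
    it; a text/html filter therefore touches every page loaded.
    """
    hits = []
    for line in log_text.splitlines():
        m = FILTER_RE.match(line)
        if m:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


def triage(log_text):
    """Produce one human-readable finding per suspicious O1 group or O18 filter."""
    findings = []
    for ip, hosts in parse_hosts_redirects(log_text).items():
        findings.append(
            f"O1: {len(hosts)} host(s) redirected to {ip}: " + ", ".join(hosts)
        )
    for mime, clsid, dll in parse_filter_hijacks(log_text):
        # a filter DLL under the Windows directory rather than an installed
        # product's folder is worth a second look during review
        where = "system directory" if dll.lower().startswith("c:\\windows\\") else "program folder"
        findings.append(f"O18: {mime} filter {clsid} -> {dll} ({where})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```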