Login 
 Search | |
| |
07-Nov-2009, 09:12 AM
#16 | |||||
|
__________________ Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue |
| |
07-Nov-2009, 11:33 AM
#17 | |||||
| new log ComboFix 09-11-06.03 - mom 11/07/2009 10:04.1.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.221 [GMT -5:00] Running from: c:\documents and settings\mom\Desktop\ComboFix.exe AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4} FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\mom\My Documents\CALC.EXE C:\Images c:\recycler\NPROTECT c:\windows\COUPON~1.OCX c:\windows\CouponPrinter.ocx c:\windows\system32\Ijl11.dll c:\windows\system32\twain.dll . ((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 ))))))))))))))))))))))))))))))) . 2009-11-06 17:34 . 2009-11-06 17:34 -------- d-----w- c:\documents and settings\mom\Application Data\Malwarebytes 2009-11-06 17:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-06 17:33 . 2009-11-06 17:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-06 17:33 . 2009-11-06 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-11-06 17:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-10-16 20:47 . 2009-10-16 20:47 -------- d-----w- c:\documents and settings\mom\Tracing 2009-10-16 20:23 . 2009-10-16 20:23 -------- d-----w- c:\program files\Microsoft Office Outlook Connector 2009-10-16 20:23 . 2009-08-06 02:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys 2009-10-16 20:21 . 2009-10-16 20:21 -------- d-----w- c:\program files\Microsoft Sync Framework 2009-10-16 20:13 . 2009-10-16 20:24 -------- d-----w- c:\program files\Microsoft 2009-10-16 20:12 . 2009-10-16 20:12 -------- d-----w- c:\program files\Windows Live SkyDrive 2009-10-16 20:06 . 2009-10-16 20:06 -------- d-----w- c:\program files\Common Files\Windows Live . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-07 14:57 . 2006-02-25 21:55 -------- d-----w- c:\program files\Common Files\Symantec Shared 2009-11-07 14:23 . 2004-06-13 01:22 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-11-07 14:23 . 2004-04-01 23:17 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-00000008-00001102-00000002-80661102}.dat 2009-11-07 14:23 . 2004-04-01 23:17 288 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-00000008-00001102-00000002-80661102}.dat 2009-11-07 14:23 . 2009-09-04 15:19 311 ----a-w- c:\windows\system32\InetLock.dat 2009-11-07 14:23 . 2009-05-29 06:43 17659 ----a-w- c:\windows\system32\drivers\InetLock.sys 2009-11-07 14:21 . 2004-03-30 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-11-07 14:20 . 2007-07-04 13:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-11-07 13:11 . 2009-04-28 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2009-11-07 13:11 . 2005-02-17 23:14 -------- d-----w- c:\program files\Lavasoft 2009-11-07 13:09 . 2004-12-18 13:43 -------- d-----w- c:\documents and settings\mom\Application Data\Lavasoft 2009-11-06 20:03 . 2007-01-29 01:06 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-10-31 21:33 . 2008-06-29 20:34 -------- d-----w- c:\documents and settings\mom\Application Data\U3 2009-10-27 10:55 . 2009-01-29 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec 2009-10-16 20:41 . 2004-09-16 23:19 208152 ----a-w- c:\documents and settings\mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-10-16 20:23 . 2007-12-18 12:20 -------- d-----w- c:\program files\Windows Live 2009-10-10 13:26 . 2008-02-19 01:31 -------- d-----w- c:\documents and settings\mom\Application Data\Image Zone Express 2009-09-30 18:58 . 2008-02-18 19:38 9576 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static\CCMSLLUM.DLL 2009-09-25 05:37 . 2004-02-06 22:05 667136 ----a-w- c:\windows\system32\wininet.dll 2009-09-25 05:37 . 2009-09-02 12:52 81920 ----a-w- c:\windows\system32\ieencode.dll 2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 21:03 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-08-26 08:00 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-04-01 02:47 . 2009-01-30 15:05 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll 2007-06-08 13:47 . 2007-07-12 17:18 180224 ----a-w- c:\program files\mozilla firefox\components\nsgkff20_meter1.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A15CA85-DAB9-456c-95ED-06C6E3885C2A}] 2009-04-02 01:04 161120 ----a-w- c:\program files\ExitReality\WebSpace\System\ExitRealityHelper.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\0_FlingIconOverlay] @="{02696AD5-FF96-454b-9E00-81DA8B79B678}" [HKEY_CLASSES_ROOT\CLSID\{02696AD5-FF96-454b-9E00-81DA8B79B678}] 2008-12-16 15:27 81920 ----a-w- c:\program files\NCH Software\Fling\fldll.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-01-27 251264] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "KernelFaultCheck"="c:\windows\system32\dumprep 0 -k" [X] "Smart Start UP"="c:\program files\NewSoft\Smart Start UP\PnPDetect.exe" [2003-01-21 98304] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2003-04-25 180224] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376] "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\windows\system32\SK9910DM.EXE [2001-01-03 66048] "CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-08-28 24576] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="c:\windows\system32\userinit.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB] 2001-12-21 04:34 24576 ----a-w- c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\wbsys.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel MEDIA FOLDERS INDEXER 8.lnk backup=c:\windows\pss\Corel MEDIA FOLDERS INDEXER 8.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^mom^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk] path=c:\documents and settings\mom\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk backup=c:\windows\pss\Greetings Workshop Reminders.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime "iTunesHelper"=c:\program files\iTunes\iTunesHelper.exe "CreativeMixer"=c:\program files\Creative\Audio\PROGRAM\CTMIX32.EXE /t [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Internet Explorer\\iexplore.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"= "c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"= "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"= "c:\\Downloads\\incredimail_install.exe"= "c:\\Program Files\\IncrediMail\\bin\\ImLc.exe"= "c:\\Program Files\\IncrediMail\\bin\\ImSc.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\BREW 3.1.5\\sdk\\bin\\BREW_Simulator.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List] "67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled  HCP Discovery ServiceR0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [7/18/2005 2:05 PM 16855] R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [7/12/2007 12:18 PM 13312] R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [10/16/2009 3:23 PM 54752] R2 INETLOCK;INETLOCK;c:\windows\system32\drivers\InetLock.sys [5/29/2009 1:43 AM 17659] R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [7/18/2005 2:05 PM 21808] R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 9:32 PM 23888] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 7:16 PM 102448] R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [7/12/2007 12:17 PM 8832] S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?] S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [3/27/2004 12:23 PM 54271] S3 idmc1aud;Intel(r) Play(tm) USB Audio Filter (WDM);c:\windows\system32\drivers\idmc1aud.sys [11/25/2005 6:02 PM 15188] S3 IDMC1Blk;Intel Play DMC Download Driver;c:\windows\system32\drivers\IDMC1Blk.sys [11/25/2005 6:02 PM 14628] S3 IDMC1Vxp;Intel(r) Play(tm) DMC Camera;c:\windows\system32\drivers\idmc1vme.sys [11/25/2005 6:02 PM 416564] S3 misalign;Data Misalignment Exception Kernel Driver;c:\windows\system32\drivers\misalign.sys [12/31/2008 11:21 AM 8832] S3 S3chipid;S3chipid;\??\c:\windows\TEMP\_ISTMP1.DIR\S3chipid.sys --> c:\windows\TEMP\_ISTMP1.DIR\S3chipid.sys [?] --- Other Services/Drivers In Memory --- *NewlyCreated* - COMHOST *NewlyCreated* - MBR *NewlyCreated* - PROCEXP113 *Deregistered* - mbr *Deregistered* - PROCEXP113 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder 2009-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2009-11-07 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-25 02:43] 2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-25 02:46] 2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-25 02:46] 2009-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1035525444-839522115-1005Core.job - c:\documents and settings\mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-28 12:49] 2009-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1035525444-839522115-1005UA.job - c:\documents and settings\mom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-28 12:49] 2009-11-06 c:\windows\Tasks\Norton Security Scan for mom.job - c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-03 23:58] . . ------- Supplementary Scan ------- . uSearch Page = hxxp://search.live.com uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms} uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = 127.0.0.1;*.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com mSearchAssistant = hxxp://search.live.com/sphome.aspx IE: &Search IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm Trusted Zone: turbotax.com DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB FF - ProfilePath - c:\documents and settings\mom\Application Data\Mozilla\Firefox\Profiles\zfoygp26.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q= FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q= FF - plugin: c:\documents and settings\mom\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\ExitReality\WebSpace\System\Mozilla\nperbrowser.dll FF - plugin: c:\program files\ExitReality\WebSpace\System\Mozilla\nperonline.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - WebBrowser-{5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file) HKCU-Run-73257811466259418521132921121980 - c:\program files\Antivirus 2009\av2009.exe HKLM-Run-IPPDetect - IPP4Detect.exe ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\program files\Qualcomm\Eudora\EuShlExt.dll ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-07 10:20 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(736) c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll . Completion time: 2009-11-07 10:28 ComboFix-quarantined-files.txt 2009-11-07 15:27 Pre-Run: 28,565,504,000 bytes free Post-Run: 28,551,753,728 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn - - End Of File - - EC6C8BD02B82E67BC2D557272CFB98C8 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:33:43 AM, on 11/7/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\SK9910DM.EXE C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\IncrediMail\bin\IMApp.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Internet Lock\ILSvc.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: ERBHOMasterObject Class - {5A15CA85-DAB9-456c-95ED-06C6E3885C2A} - C:\Program Files\ExitReality\Webspace\System\ExitRealityHelper.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O4 - HKLM\..\Run: [PCTVOICE] "pctspk.exe" O4 - HKLM\..\Run: [nwiz] "nwiz.exe " /install O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] "SK9910DM.EXE" O4 - HKLM\..\Run: [CTHelper] "CTHELPER.EXE" O4 - HKLM\..\Run: [Smart Start UP] "C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe " /Automation O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/Pog...rInstaller.CAB O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Fling File Transfer (FlingService) - NCH Software - C:\Program Files\NCH Software\Fling\fling.exe O23 - Service: Google Update Service (gupdate1ca252e9ce6b2d0) (gupdate1ca252e9ce6b2d0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Internet Lock Service (INETLOCKSVC) - TopLang Software - C:\Program Files\Internet Lock\ILSvc.exe O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- End of file - 11341 bytes |
07-Nov-2009, 01:31 PM
#19 | |||||
| I can't say whether chrome has security holes to allow viruses on but it might have, Combofix seems to have fixed the left overs next Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript then *Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware* * Click START then RUN * Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.  This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot. go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks. and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer and update whatever it suggests Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place I urge you to consider purchasing the protection component in Malwarebytes to prevent further infections of this nature Open Malwarebytes Antimalware, select the protection tab, press test to see if your system will benefit from it & if it says yes, then you can press the purchase button
__________________ Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue |
 |
| |
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
| Thread Tools | |
| |
| You Are Using:  |
Advertisements do not imply our endorsement of that product or service. All times are GMT -4. The time now is 09:44 AM. Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved. |  |
Facebook
Twitter
TechGuy.tv
TSG Mobile