
Need help with Win 7 Security Malware

Discussion in 'Virus & Other Malware Removal' started by welkermike, Dec 18, 2011.

Thread Status:
Not open for further replies.
  1. welkermike

    welkermike Thread Starter

    Joined:
    Jul 13, 2007
    Messages:
    32
    I have an HP Netbook that was hammered by the Win 7 AV thing, which I thought I had handled, but now the PC has been invaded by Win 7 Security malware; I ran ComboFix, and the log is below; I also ran HJT, and that log is below...

    Here is the Combofix log:


    ComboFix 11-12-18.01 - Welker 12/18/2011 20:39:38.2.2 - x86 MINIMAL
    Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1012.619 [GMT -5:00]
    Running from: F:\ComboFix.exe
    AV: Norton Internet Security Netbook Edition *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Norton Internet Security Netbook Edition *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Norton Internet Security Netbook Edition *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    /wow section - STAGE 7
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\JavaServiceNotifier.dll
    c:\programdata\Tarma Installer
    c:\users\Welker\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.dll
    c:\users\Welker\AppData\Local\hgv.exe
    c:\users\Welker\AppData\Local\oyt.exe
    c:\users\Welker\AppData\Local\xyg.exe
    c:\users\Welker\AppData\Roaming\24A2.3D9
    c:\users\Welker\AppData\Roaming\AcroIEHelpe.txt
    c:\users\Welker\AppData\Roaming\Mozilla\Firefox\Profiles\rnlc8fwh.default\extensions\{c5351956-bd97-4689-8b86-1a162f43626b}
    c:\users\Welker\AppData\Roaming\Mozilla\Firefox\Profiles\rnlc8fwh.default\extensions\{c5351956-bd97-4689-8b86-1a162f43626b}\chrome.manifest
    c:\users\Welker\AppData\Roaming\Mozilla\Firefox\Profiles\rnlc8fwh.default\extensions\{c5351956-bd97-4689-8b86-1a162f43626b}\chrome\xulcache.jar
    c:\users\Welker\AppData\Roaming\Mozilla\Firefox\Profiles\rnlc8fwh.default\extensions\{c5351956-bd97-4689-8b86-1a162f43626b}\defaults\preferences\xulcache.js
    c:\users\Welker\AppData\Roaming\Mozilla\Firefox\Profiles\rnlc8fwh.default\extensions\{c5351956-bd97-4689-8b86-1a162f43626b}\install.rdf
    c:\users\Welker\AppData\Roaming\rnlc8fwh.default.tmp
    c:\users\Welker\AppData\Roaming\srvblck2.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-19 to 2011-12-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-19 01:54 . 2011-12-19 01:56 -------- d-----w- c:\users\Welker\AppData\Local\temp
    2011-12-19 01:54 . 2011-12-19 01:54 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-17 20:22 . 2011-12-16 15:27 79872 ----a-w- c:\windows\system32\I4p75D.com
    2011-12-17 17:42 . 2011-12-19 00:19 7680 ----a-w- c:\windows\system\svchost.exe
    2011-12-17 17:37 . 2011-12-17 17:37 53248 ----a-w- c:\windows\system32\FastUv32.dll
    2011-12-17 17:37 . 2011-12-17 17:37 157184 ----a-w- c:\windows\system32\xmlprw32.dll
    2011-12-16 06:00 . 2011-12-16 06:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-16 06:00 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-16 04:34 . 2011-12-16 04:34 -------- d-----w- c:\program files\STOPzilla!
    2011-12-16 04:34 . 2011-12-16 04:34 -------- d-----w- c:\program files\Common Files\iS3
    2011-12-16 04:34 . 2011-12-19 00:18 -------- d-----w- c:\programdata\STOPzilla!
    2011-12-15 15:06 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 15:06 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-15 15:06 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 15:06 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-15 15:06 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-15 15:05 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-14 21:46 . 2011-12-14 21:46 -------- d-----w- c:\users\Welker\AppData\Roaming\CyberLink
    2011-12-14 21:45 . 2011-12-14 21:46 -------- d-----w- c:\users\Public\CyberLink
    2011-12-14 14:41 . 2011-12-16 05:59 -------- d-----w- c:\program files\Ask.com
    2011-12-07 22:12 . 2011-12-07 22:12 68648 ----a-r- c:\windows\system32\IS3Hks5.dll
    2011-12-07 22:12 . 2011-12-07 22:12 547880 ----a-r- c:\windows\system32\SZComp5.dll
    2011-12-07 22:12 . 2011-12-07 22:12 482344 ----a-r- c:\windows\system32\SZBase5.dll
    2011-12-07 22:12 . 2011-12-07 22:12 457768 ----a-r- c:\windows\system32\IS3DBA5.dll
    2011-12-07 22:12 . 2011-12-07 22:12 30248 ----a-r- c:\windows\system32\IS3XDat5.dll
    2011-12-07 22:12 . 2011-12-07 22:12 24616 ----a-r- c:\windows\system32\SZIO5.dll
    2011-12-07 22:12 . 2011-12-07 22:12 134184 ----a-r- c:\windows\system32\IS3HTUI5.dll
    2011-12-07 22:12 . 2011-12-07 22:12 740392 ----a-r- c:\windows\system32\IS3Base5.dll
    2011-12-07 22:12 . 2011-12-07 22:12 392232 ----a-r- c:\windows\system32\IS3UI5.dll
    2011-12-07 22:12 . 2011-12-07 22:12 232488 ----a-r- c:\windows\system32\IS3Win325.dll
    2011-12-07 22:12 . 2011-12-07 22:12 105512 ----a-r- c:\windows\system32\IS3Inet5.dll
    2011-12-07 22:12 . 2011-12-07 22:12 101416 ----a-r- c:\windows\system32\IS3Svc5.dll
    2011-11-23 20:15 . 2011-11-23 20:15 -------- d-----w- c:\program files\Cisco Systems
    2011-11-23 20:14 . 2011-11-23 20:14 -------- d-----w- c:\programdata\Cisco Systems
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-26 14:04 . 2011-10-26 14:04 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-10-26 14:04 . 2011-10-26 14:04 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-10-26 14:04 . 2011-10-26 14:04 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-10-26 14:04 . 2011-10-26 14:04 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-10-26 14:04 . 2011-10-26 14:04 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-10-26 14:04 . 2011-10-26 14:04 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-10-26 14:04 . 2011-10-26 14:04 367104 ----a-w- c:\windows\system32\html.iec
    2011-10-26 14:04 . 2011-10-26 14:04 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-10-26 14:04 . 2011-10-26 14:04 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-10-26 14:04 . 2011-10-26 14:04 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-10-26 14:04 . 2011-10-26 14:04 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-10-26 14:04 . 2011-10-26 14:04 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-10-26 14:04 . 2011-10-26 14:04 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-10-26 14:04 . 2011-10-26 14:04 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-10-26 14:04 . 2011-10-26 14:04 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-10-26 14:04 . 2011-10-26 14:04 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-10-26 14:04 . 2011-10-26 14:04 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-10-07 19:45 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-10-07 15:10 . 2011-10-07 15:10 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2011-10-07 14:49 . 2011-10-07 14:49 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-10-07 14:06 . 2011-10-07 14:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-07 04:13 . 2011-10-07 04:13 388096 ----a-r- c:\users\Welker\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-10-05 03:53 . 2011-10-05 03:53 277456 ----a-w- c:\users\Welker\AppData\Roaming\AcroIEHelpe.dll
    2011-09-29 16:03 . 2011-11-12 03:01 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-09-26 16:21 . 2011-09-26 16:21 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
    2011-09-26 16:21 . 2011-09-26 16:21 61328 ----a-r- c:\windows\system32\drivers\is3srv.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
    @="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
    [HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
    2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
    @="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
    [HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
    2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
    @="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
    [HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
    2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
    @="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
    [HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
    2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
    @="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
    [HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
    2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Media Suite.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Media Suite.lnk
    backup=c:\windows\pss\HP Media Suite.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^Welker^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
    path=c:\users\Welker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
    backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 09:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeData]
    2011-12-16 01:33 223744 ----a-w- c:\users\Welker\AppData\Local\Adobe\AdobeData\Adobedata.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
    2011-08-24 02:20 887976 ----a-w- c:\program files\Ask.com\Updater\Updater.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2009-07-14 01:14 8704 ----a-w- c:\windows\System32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
    2011-06-08 14:45 822456 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyDownloads]
    2011-10-07 15:06 845848 ----a-w- c:\program files\Easy Downloads\easydownloads.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2010-04-23 09:16 173592 ----a-w- c:\windows\System32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Quick Launch]
    2010-04-09 22:42 601144 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2008-12-08 21:50 54576 ----a-w- c:\program files\Hp\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWirelessAssistant]
    2010-04-05 18:11 8192 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2009-10-13 17:25 186904 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2010-04-23 09:16 141848 ----a-w- c:\windows\System32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2011-08-31 22:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
    2011-08-31 22:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2010-04-23 09:16 150552 ----a-w- c:\windows\System32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skyhook Wireless XPS Service]
    2010-04-13 02:06 632136 ----a-w- c:\program files\Skyhook Wireless\XPS\xpscontrolpanel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Speech Recognition]
    2009-07-14 01:14 51712 ----a-w- c:\windows\Speech\Common\sapisvr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2010-04-16 03:25 1721640 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
    2010-03-24 06:53 495708 ----a-w- c:\program files\IDT\WDM\sttray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZumoDrive]
    2010-05-06 05:11 2038 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk
    .
    R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2011-09-26 61328]
    R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [2010-11-23 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\ccHPx86.sys [2010-02-26 501888]
    R1 DVMIO;DeviceVM IO Service;c:\windows\system32\DRIVERS\dvmio.sys [2009-11-11 18136]
    R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101213.001\IDSvix86.sys [2010-12-01 353912]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\Ironx86.SYS [2010-04-29 116784]
    R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1107000.00C\SYMTDIV.SYS [2010-05-06 339504]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe [2010-02-26 126392]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-04-08 230944]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-04-08 267880]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 XPSVCOM;XPSVCOM;c:\windows\system32\DRIVERS\XPSVCOM.sys [2010-03-03 12416]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
    R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9691412ff1876250\aestsrv.exe [2009-03-03 81920]
    R4 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [2010-04-13 338168]
    R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-15 136176]
    R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-15 136176]
    R4 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-04-05 103992]
    R4 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-01-25 92216]
    R4 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-04-09 26168]
    R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
    R4 XMLProvS;Network ProService;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R4 xpssvc;Skyhook Wireless XPS Service;c:\program files\Skyhook Wireless\XPS\xpssvc.exe [2010-04-13 699720]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\SYMDS.SYS [2009-08-30 328752]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\SYMEFA.SYS [2010-04-22 173104]
    S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [2011-09-26 61328]
    S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [2011-08-16 59080]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
    xmlpros REG_MULTI_SZ XMLProvS
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4FB2407C-C8E4-BBC8-BB1C-FCCB2EF5914B}]
    2010-04-19 03:47 702464 ----a-w- c:\program files\Hewlett-Packard\HP Media Suite\Home\HPMediaSuite.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B}]
    2009-07-14 01:14 141824 ----a-w- c:\windows\System32\wscript.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-18 c:\windows\Tasks\At1.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At10.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At11.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At12.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At13.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At14.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At15.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At16.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At17.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At18.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At19.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At2.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At20.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At21.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At22.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At23.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At24.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At25.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At26.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At27.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At28.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-19 c:\windows\Tasks\At29.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At3.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-19 c:\windows\Tasks\At30.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-19 c:\windows\Tasks\At31.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-19 c:\windows\Tasks\At32.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-19 c:\windows\Tasks\At33.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-19 c:\windows\Tasks\At34.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-19 c:\windows\Tasks\At35.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-19 c:\windows\Tasks\At36.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-19 c:\windows\Tasks\At37.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-19 c:\windows\Tasks\At38.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At39.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At4.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At40.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At41.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At42.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At43.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At44.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At45.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At46.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At47.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At48.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At5.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At6.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At7.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-18 c:\windows\Tasks\At8.job
    - c:\windows\system32\I4p75D.com_ [2011-12-16 15:27]
    .
    2011-12-18 c:\windows\Tasks\At9.job
    - c:\windows\system32\I4p75D.com [2011-12-17 15:27]
    .
    2011-12-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-15 19:54]
    .
    2011-12-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-15 19:54]
    .
    2011-12-17 c:\windows\Tasks\HPCeeScheduleForWelker.job
    - c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
    .
    2011-10-05 c:\windows\Tasks\task118156779.job
    - c:\windows\system32\cmd.exe [2011-06-09 12:17]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.bigseekpro.com/pivotstickfigure/{9A453512-D494-4A30-85EF-3C405945199F}
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
    FF - ProfilePath - c:\users\Welker\AppData\Roaming\Mozilla\Firefox\Profiles\rnlc8fwh.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?babsrc=HP_ss&affID=100842&mntrId=bc08b5e600000000000074f06d3e665f
    FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=WCL2&o=100000082&locale=en_US&apn_uid=1120AE22-CB52-4AE1-9482-E635FDB3009B&apn_ptnrs=^AA2&apn_sauid=17ECF099-D2EB-4D67-ADEC-EC64DB49A847&apn_dtid=^YYYYYY^CL^US&&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: JavaString Helper: {184AA5E6-741D-464a-820E-94B3ABC2F3B4} - c:\users\Welker\AppData\Roaming\5030
    FF - Ext: Ask Toolbar: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Ask Toolbar: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Ask Toolbar: [email protected] - %profile%\extensions\[email protected]
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{9565115D-C7D6-46D3-BD63-B67B481A4368} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    WebBrowser-{2C1E21B5-5666-4CD5-8152-96B690B7216E} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-JavaServiceNotifier - c:\programdata\JavaServiceNotifier.dll
    SafeBoot-64089048.sys
    MSConfigStartUp-GM81 Update - c:\users\Welker\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.DLL
    MSConfigStartUp-JavaServiceNotifier - c:\programdata\JavaServiceNotifier.dll
    AddRemove-{E92D47A1-D27D-430A-8368-0BAFD956507D} - c:\program files\InstallShield Installation Information\{E92D47A1-D27D-430A-8368-0BAFD956507D}\setup.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
    1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
    "{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
    64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
    "{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
    69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
    fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
    "{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
    b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:ac,e9,09,f0,49,bc,cc,01
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-12-18 21:00:25
    ComboFix-quarantined-files.txt 2011-12-19 02:00
    .
    Pre-Run: 97,783,853,056 bytes free
    Post-Run: 98,040,463,360 bytes free
    .
    - - End Of File - - 11EABF372BE1F02B462182F9957A0034

    And, the HJT comes in the next message...
  2. welkermike

    welkermike Thread Starter

    Joined:
    Jul 13, 2007
    Messages:
    32
    HJT Log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:40:23 PM, on 12/18/2011
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16421)
    Boot mode: Safe mode

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Windows\system32\ctfmon.exe
    C:\ComboFix\CF13031.3XE
    C:\Windows\system32\conhost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\ComboFix\CF13031.3XE
    C:\ComboFix\CF13031.3XE
    C:\Windows\system32\conhost.exe
    C:\Windows\PEV.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/pivotstickfigure/{9A453512-D494-4A30-85EF-3C405945199F}
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 95.64.61.131 www.google.com
    O1 - Hosts: 95.64.61.132 www.bing.com
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\IPSBHO.DLL
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKCU\..\Run: [JavaServiceNotifier] rundll32.exe "C:\ProgramData\JavaServiceNotifier.dll",DllRegisterServer
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Norton Internet Security (NIS) - Unknown owner - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe

    --
    End of file - 3150 bytes
Short URL to this thread: https://techguy.org/1031857