
Help with my IE Hijacked


  • This topic is locked
6 replies to this topic

#1 siwaily

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 16 January 2009 - 03:39 PM

DDS (Ver_09-01-07.01) - NTFSx86
Run by Norky at 20:31:17.84 on 16/01/2009
Internet Explorer: 7.0.6000.16609
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.770 [GMT 0:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\system32\dlbkcoms.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\O2\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Norky\AppData\Local\rdwcvh.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\nend software\Radio Online\Radio Online.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Norky\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop
mSearch Page =
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
uRun: [BTBFirstRun] c:\program files\hewlett-packard\sdp\hprun.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [rdwcvh] "c:\users\norky\appdata\local\rdwcvh.exe" rdwcvh
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [O2] "c:\program files\o2\bin\sprtcmd.exe" /P O2
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [PC Remote Control] c:\program files\pc remote control\remote3.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-7-22 28544]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20080429.001\IDSvix86.sys [2008-4-29 261680]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-3-19 109616]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-10-3 37936]
R4 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe -service --> c:\windows\system32\dlbkcoms.exe -service [?]
R4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-5 202280]

=============== Created Last 30 ================

2009-01-15 00:17 <DIR> --d----- c:\users\norky\appdata\roaming\Thinstall
2009-01-15 00:01 <DIR> --d----- c:\program files\Studio V5
2009-01-14 19:40 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-11 22:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-10 23:26 <DIR> --d----- c:\users\norky\appdata\roaming\WeatherTray
2009-01-04 16:54 <DIR> --d----- c:\program files\3GP Player
2008-12-30 23:53 1,003,008 a------- c:\windows\system32\libeay32.dll
2008-12-30 23:53 189,440 a------- c:\windows\system32\ssleay32.dll
2008-12-30 23:53 189,440 a------- c:\windows\system32\libssl32.dll
2008-12-30 23:53 <DIR> --d----- C:\OpenSSL
2008-12-26 19:21 <DIR> --d----- c:\program files\Traduce Gratis

==================== Find3M ====================

2009-01-06 00:28 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 00:28 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 00:28 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-09 22:06 51,200 a------- c:\windows\inf\infpub.dat
2008-12-09 22:06 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-09 22:05 86,016 a------- c:\windows\inf\infstor.dat
2008-12-01 23:08 56 a---h--- c:\programdata\ezsidmv.dat
2008-12-01 23:08 56 a---h--- c:\progra~2\ezsidmv.dat
2008-11-01 03:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 03:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 03:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 03:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 03:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-11-01 03:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-11-01 01:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-22 03:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-22 01:22 2,048 a------- c:\windows\system32\tzres.dll
2008-10-21 05:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-21 05:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-07-13 11:43 494 a------- c:\users\norky\appdata\roaming\wklnhst.dat
2008-06-12 08:40 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-17 23:50 174 a--sh--- c:\program files\desktop.ini
2008-03-19 22:37 32 a------- c:\programdata\ezsid.dat
2008-03-19 22:37 32 a------- c:\progra~2\ezsid.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-04-23 00:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-04-23 00:02 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-04-23 00:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 20:32:41.37 ===============


:thumbup2: :)

Edited by siwaily, 16 January 2009 - 03:44 PM.



#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:37 PM

Posted 26 January 2009 - 06:16 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable Norton Antivirus.
  • Right click on the Norton icon (Posted Image) beside your clock and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should receive a pop-up warning saying that protection was disabled. The Norton icon should now look like Posted Image.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 siwaily

  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 26 January 2009 - 06:39 PM

Dear PropagandaPanda, thanks for your help.
I ran Spybot a few days ago and changed my Norton antivirus to Norton Gaming Edition.

ComboFix 09-01-21.04 - Norky 01/26/2009 23:23:17.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.1118 [GMT 0:00]
Running from: c:\users\Norky\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Norky\AppData\Local\igoiawk.dat
c:\users\Norky\AppData\Local\igoiawk.exe
c:\users\Norky\AppData\Local\igoiawk_nav.dat
c:\users\Norky\AppData\Local\igoiawk_navps.dat
c:\windows\system32\x64

----- BITS: Possible infected sites -----

hxxp://sync.broadband.o2.co.uk:8080
.
((((((((((((((((((((((((( Files Created from 2008-12-26 to 2009-01-26 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 23:06 --------- d-----w c:\program files\Hewlett-Packard
2009-01-26 22:47 --------- d-----w c:\users\Norky\AppData\Roaming\Macrovision
2009-01-26 22:46 --------- d-----w c:\programdata\FLEXnet
2009-01-26 22:46 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-01-26 22:42 --------- d-----w c:\programdata\Macrovision
2009-01-26 22:42 --------- d-----w c:\program files\MSBuild
2009-01-26 22:42 --------- d-----w c:\program files\InstallShield
2009-01-26 22:42 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-25 21:15 --------- d-----w c:\users\Norky\AppData\Roaming\FileZilla
2009-01-25 02:46 --------- d-----w c:\programdata\Norton
2009-01-25 02:46 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-25 02:43 --------- d-----w c:\programdata\Symantec
2009-01-25 02:42 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-25 02:42 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-25 02:42 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-25 02:42 --------- d-----w c:\program files\Symantec
2009-01-25 02:41 --------- d-----w c:\programdata\NortonInstaller
2009-01-25 02:41 --------- d-----w c:\program files\NortonInstaller
2009-01-25 02:41 --------- d-----w c:\program files\Norton AntiVirus
2009-01-25 02:17 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-01-25 02:17 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-25 02:05 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-25 01:56 --------- d-----w c:\users\Norky\AppData\Roaming\Symantec
2009-01-23 20:47 --------- d-----w c:\users\Norky\AppData\Roaming\Paltalk
2009-01-23 20:47 --------- d-----w c:\program files\Paltalk Messenger
2009-01-22 23:01 816 ----a-w c:\users\Norky\AppData\Roaming\wklnhst.dat
2009-01-22 22:14 --------- d-----w c:\program files\OnlineFinancialSite
2009-01-21 22:05 --------- d-----w c:\program files\Tadawulfx Trader 4
2009-01-20 23:19 --------- d-----w c:\program files\PE Explorer
2009-01-20 23:12 --------- d-----w c:\users\Norky\AppData\Roaming\PE Explorer
2009-01-19 23:48 --------- d-----w c:\users\Norky\AppData\Roaming\Thinstall
2009-01-15 00:01 --------- d-----w c:\program files\Studio V5
2009-01-14 20:22 --------- d-----w c:\program files\Windows Mail
2009-01-13 12:53 --------- d-----w c:\users\Norky\AppData\Roaming\skypePM
2009-01-13 12:52 --------- d-----w c:\users\Norky\AppData\Roaming\Skype
2009-01-11 22:58 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-01-11 22:58 --------- d-----w c:\program files\Java
2009-01-10 23:26 --------- d-----w c:\users\Norky\AppData\Roaming\WeatherTray
2009-01-04 16:54 --------- d-----w c:\program files\3GP Player
2008-12-30 12:10 --------- d-----w c:\program files\Common Files\Adobe
2008-12-26 19:33 --------- d-----w c:\program files\Traduce Gratis
2008-12-18 21:33 --------- d-----w c:\program files\AutoIt3
2008-12-16 02:42 288,768 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-12 03:08 25,136 ----a-r c:\windows\system32\drivers\SymIMV.sys
2008-12-01 23:08 56 ---ha-w c:\users\All Users\ezsidmv.dat
2008-12-01 23:08 56 ---ha-w c:\programdata\ezsidmv.dat
2008-12-01 23:07 --------- d-----w c:\program files\Common Files\Skype
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-04-17 23:50 174 --sha-w c:\program files\desktop.ini
2008-03-19 22:37 32 ----a-w c:\users\All Users\ezsid.dat
2008-03-19 22:37 32 ----a-w c:\programdata\ezsid.dat
2008-04-23 00:02 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-23 00:02 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-23 00:02 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BTBFirstRun"="c:\program files\Hewlett-Packard\SDP\hprun.exe" [11/08/2006 11:42 PM 20480]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [01/19/2008 07:33 AM 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [02/17/2005 12:15 AM 221184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 07:33 AM 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [10/09/2006 08:43 PM 729088]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [01/13/2007 03:36 AM 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [02/16/2007 10:08 AM 172032]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/13/2007 07:38 PM 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [12/04/2006 08:39 PM 46704]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03/01/2007 08:18 PM 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [01/10/2007 11:12 PM 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [01/11/2009 10:58 PM 136600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [01/02/2008 05:07 PM 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [01/02/2008 05:06 PM 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [01/02/2008 05:07 PM 133656]
"O2"="c:\program files\O2\bin\sprtcmd.exe" [03/08/2007 07:21 PM 198184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [04/12/2008 02:17 PM 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/15/2008 01:04 AM 39792]
"RtHDVCpl"="RtHDVCpl.exe" [03/09/2007 04:50 PM 4390912 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [11/08/2006 01:39 AM 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AEF34C22-DAEB-4BBF-A686-CA57A1255FE3}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{27362D1E-7ABE-4969-BFA3-B344E9D1D441}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{20D7F315-A970-4068-A51E-86DCBA0FC57D}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{7993B8BB-0DBD-450E-A4F7-D420B0EE6073}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{BFCBE758-CA94-472E-83B8-67124D52C9BE}"= UDP:c:\program files\O2\bin\wificfg.exe:sprtcmd.exe
"{E8B6DE5B-B35E-4548-80DB-5B456BFC5546}"= TCP:c:\program files\O2\bin\wificfg.exe:sprtcmd.exe
"{932E4E5E-018A-4C64-B4C3-AF5AC1FCDE83}"= UDP:c:\program files\O2\agent\bin\bcont.exe:bcont.exe
"{74392682-AF3B-4B4D-850D-909BB5741B61}"= TCP:c:\program files\O2\agent\bin\bcont.exe:bcont.exe
"{FCDC5762-D316-4B0B-ABEC-34B0B34B985A}"= UDP:c:\program files\Common Files\SupportSoft\bin\ssrc.exe:ssrc.exe
"{F5FDDDA0-E64D-41DA-8C64-6A8CBE38C36E}"= TCP:c:\program files\Common Files\SupportSoft\bin\ssrc.exe:ssrc.exe
"{BAD90BFD-95D2-40A3-9105-BF14FD7AFD66}"= UDP:c:\program files\O2\agent\bin\bcont_nm.exe:bcont_nm.exe
"{A1B2857E-60A1-4B2D-8CB8-678D7C59B44E}"= TCP:c:\program files\O2\agent\bin\bcont_nm.exe:bcont_nm.exe
"{69595686-EF2E-4DB9-AD57-C1EB94A9527B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{63C63958-D667-42A5-AE93-77443E1EF0E4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C0E83EA2-E6E7-497A-82B2-9D01575D004F}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{EF973B5E-54ED-4148-B5EC-0A8A3156C435}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{0E8F8BD6-9716-4E6C-BC11-6079D0D659D8}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{30336199-6299-4371-9F8D-CC2AEEFE188D}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{A9D71745-A231-4F69-B9CD-00691547A9BA}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{DBCADE11-8D45-488D-A50D-61ABBDC0E725}"= UDP:c:\windows\System32\dlbkcoms.exe:AIO Printer A920 Server
"{FABE316F-7BB5-4195-B99E-EDCDEBFE216F}"= TCP:c:\windows\System32\dlbkcoms.exe:AIO Printer A920 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\PPMate\\ppmate.exe"= c:\program files\PPMate\ppmate.exe:*:Enabled:PPMate
"c:\\Program Files\\PPMate\\ppamnet.exe"= c:\program files\PPMate\ppamnet.exe:*:Enabled:PPMate

R2 .norton2009Reset;Norton 2009 Reset;c:\programdata\Norton\Norton2009Reset.exe [01/25/2009 02:46 AM 280833]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [06/19/2008 05:24 PM 28544]
S0 SymEFA;Symantec Extended File Attributes; [x]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NAV\1002000.007\BHDrvx86.sys [12/12/2008 03:08 AM 255536]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NAV\1002000.007\ccHPx86.sys [01/25/2009 02:42 AM 362544]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090115.001\IDSvix86.sys [01/25/2009 02:42 AM 289840]
S2 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe [06/25/2007 09:17 PM 537840]
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe [12/12/2008 03:08 AM 115560]
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [06/05/2007 08:25 AM 202280]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/25/2009 02:42 AM 99376]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\NAV\1002000.007\SYMNDISV.SYS [12/12/2008 03:08 AM 40496]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - Beep
*Deregistered* - BHDrvx86
*Deregistered* - bowser
*Deregistered* - ccHP
*Deregistered* - cdfs
*Deregistered* - CLFS
*Deregistered* - Compbatt
*Deregistered* - crcdisk
*Deregistered* - DfsC
*Deregistered* - DXGKrnl
*Deregistered* - eabfiltr
*Deregistered* - eeCtrl
*Deregistered* - EraserUtilRebootDrv
*Deregistered* - FileInfo
*Deregistered* - FltMgr
*Deregistered* - HTTP
*Deregistered* - IDSVix86
*Deregistered* - iScsiPrt
*Deregistered* - KSecDD
*Deregistered* - lltdio
*Deregistered* - luafv
*Deregistered* - MountMgr
*Deregistered* - mpsdrv
*Deregistered* - MRxDAV
*Deregistered* - mrxsmb
*Deregistered* - mrxsmb10
*Deregistered* - mrxsmb20
*Deregistered* - Msfs
*Deregistered* - msisadrv
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NativeWifiP
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - NDIS
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - netbt
*Deregistered* - Npfs
*Deregistered* - nsiproxy
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - pavboot
*Deregistered* - PEAUTH
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - RasSstp
*Deregistered* - rdbss
*Deregistered* - RDPCDD
*Deregistered* - RDPENCDD
*Deregistered* - rspndr
*Deregistered* - secdrv
*Deregistered* - Smb
*Deregistered* - spldr
*Deregistered* - SRTSP
*Deregistered* - SRTSPX
*Deregistered* - srv
*Deregistered* - srv2
*Deregistered* - srvnet
*Deregistered* - swenum
*Deregistered* - SYMDNS
*Deregistered* - SymEFA
*Deregistered* - SymEvent
*Deregistered* - SYMFW
*Deregistered* - SymIM
*Deregistered* - SYMNDISV
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - Tcpip
*Deregistered* - tcpipreg
*Deregistered* - tdx
*Deregistered* - TermDD
*Deregistered* - tunmp
*Deregistered* - tunnel
*Deregistered* - umbus
*Deregistered* - VgaSave
*Deregistered* - volmgr
*Deregistered* - volmgrx
*Deregistered* - volsnap
*Deregistered* - Wanarpv6
*Deregistered* - Wdf01000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df69de1d-e96d-11dc-9481-001b24703e23}]
\shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-26 c:\windows\Tasks\User_Feed_Synchronization-{E5F18788-F91F-4CAA-B3DB-59004AE3D9E5}.job
- c:\windows\system32\msfeedssync.exe [01/19/2008 07:33 AM]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-igoiawk - c:\users\norky\appdata\local\igoiawk.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 23:26:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 01/26/2009 23:29:14
ComboFix-quarantined-files.txt 2009-01-26 23:29:11

Pre-Run: 107,381,817,344 bytes free
Post-Run: 107,776,249,856 bytes free

282 --- E O F --- 2009-01-23 11:15:09

and this is the DDS log
===================================================================================================


DDS (Ver_09-01-07.01) - NTFSx86
Run by Norky at 23:31:00.34 on 26/01/2009
Internet Explorer: 7.0.6000.16609
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.1009 [GMT 0:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\dlbkcoms.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\O2\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Norky\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.2.0.7\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [BTBFirstRun] c:\program files\hewlett-packard\sdp\hprun.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [O2] "c:\program files\o2\bin\sprtcmd.exe" /P O2
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-7-22 28544]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1002000.007\BHDrvx86.sys [2009-1-25 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1002000.007\cchpx86.sys [2009-1-25 362544]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090115.001\IDSvix86.sys [2009-1-25 289840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-25 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\nav\1002000.007\symndisv.sys [2009-1-25 40496]
R4 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe -service --> c:\windows\system32\dlbkcoms.exe -service [?]
R4 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.2.0.7\ccSvcHst.exe [2009-1-25 115560]
R4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-5 202280]
S4 .norton2009Reset;Norton 2009 Reset;c:\programdata\norton\Norton2009Reset.exe [2009-1-25 280833]

=============== Created Last 30 ================

2009-01-26 23:21 <DIR> --d----- C:\ComboFix
2009-01-26 22:47 <DIR> --d----- C:\InstallShield 2009 Projects
2009-01-26 22:47 <DIR> --d----- c:\users\norky\appdata\roaming\Macrovision
2009-01-26 22:46 <DIR> --d----- c:\programdata\FLEXnet
2009-01-26 22:46 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-26 22:42 <DIR> --d----- c:\programdata\Macrovision
2009-01-26 22:42 <DIR> --d----- c:\program files\InstallShield
2009-01-25 02:42 25,136 a----r-- c:\windows\system32\drivers\SymIMV.sys
2009-01-25 02:42 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-25 02:42 <DIR> --d----- c:\program files\Symantec
2009-01-25 02:41 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-01-25 02:41 <DIR> --d----- c:\programdata\Norton
2009-01-25 02:41 <DIR> --d----- c:\program files\Norton AntiVirus
2009-01-25 02:41 <DIR> --d----- c:\progra~2\Norton
2009-01-25 02:41 <DIR> --d----- c:\program files\NortonInstaller
2009-01-25 02:22 <DIR> --d----- c:\programdata\NortonInstaller
2009-01-25 02:22 <DIR> --d----- c:\progra~2\NortonInstaller
2009-01-25 02:05 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-25 02:05 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-25 02:05 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-25 02:05 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-25 01:56 <DIR> --d----- c:\users\norky\appdata\roaming\Symantec
2009-01-25 01:49 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-25 01:49 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-22 22:14 <DIR> --d----- c:\program files\OnlineFinancialSite
2009-01-20 23:11 <DIR> --d----- c:\users\norky\appdata\roaming\PE Explorer
2009-01-20 23:11 <DIR> --d----- c:\program files\PE Explorer
2009-01-18 21:57 161,792 a------- c:\windows\SWREG.exe
2009-01-18 21:57 98,816 a------- c:\windows\sed.exe
2009-01-16 23:13 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-01-16 23:13 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-16 23:13 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-01-16 21:07 <DIR> --d----- c:\program files\Tadawulfx Trader 4
2009-01-15 00:17 <DIR> --d----- c:\users\norky\appdata\roaming\Thinstall
2009-01-15 00:01 <DIR> --d----- c:\program files\Studio V5
2009-01-14 19:40 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-11 22:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-10 23:26 <DIR> --d----- c:\users\norky\appdata\roaming\WeatherTray
2009-01-04 16:54 <DIR> --d----- c:\program files\3GP Player
2008-12-30 23:53 1,003,008 a------- c:\windows\system32\libeay32.dll
2008-12-30 23:53 189,440 a------- c:\windows\system32\ssleay32.dll
2008-12-30 23:53 189,440 a------- c:\windows\system32\libssl32.dll
2008-12-30 23:53 <DIR> --d----- C:\OpenSSL

==================== Find3M ====================

2009-01-25 18:04 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-25 18:04 86,016 a------- c:\windows\inf\infstor.dat
2009-01-25 18:04 51,200 a------- c:\windows\inf\infpub.dat
2009-01-22 23:01 816 a------- c:\users\norky\appdata\roaming\wklnhst.dat
2008-12-01 23:08 56 a---h--- c:\programdata\ezsidmv.dat
2008-12-01 23:08 56 a---h--- c:\progra~2\ezsidmv.dat
2008-11-01 03:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 03:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 03:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 03:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 03:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-11-01 03:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-11-01 01:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 a------- c:\windows\explorer.exe
2008-06-12 08:40 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-17 23:50 174 a--sh--- c:\program files\desktop.ini
2008-03-19 22:37 32 a------- c:\programdata\ezsid.dat
2008-03-19 22:37 32 a------- c:\progra~2\ezsid.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-04-23 00:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-04-23 00:02 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-04-23 00:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 23:31:31.52 ===============

Edited by siwaily, 26 January 2009 - 06:47 PM.
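
The logs above are the kind of thing a responder reads by eye. The following added example (not part of this thread, and not DDS or ComboFix code) performs the same three checks programmatically over lines constructed from the posted logs: BHO/toolbar registrations reported as "No File" (orphaned CLSIDs with no module behind them), Run entries, including the orphan ComboFix removed, whose command launches from a user-writable path, and the per-volume AutoRun hook under MountPoints2 that ComboFix listed for the F: drive. The classification rules are this script's own heuristics, not anything the tools themselves apply.

```python
"""Triage a DDS / ComboFix style log for three persistence/leftover patterns:
orphaned browser add-on registrations ("No File"), Run values that launch from
a user-writable path, and removable-media AutoRun hooks under MountPoints2.
Added example; the rules below are this script's own heuristics."""
import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the DDS and ComboFix logs posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df69de1d-e96d-11dc-9481-001b24703e23}]
\shell\AutoRun\command - F:\setupSNK.exe
HKCU-Run-igoiawk - c:\users\norky\appdata\local\igoiawk.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # "orphan" | "user_writable_run" | "autorun_mountpoint"
    name: str   # add-on CLSID, Run value name, or MountPoints2 volume GUID
    path: str   # command or module path exactly as written in the log


# DDS "Pseudo HJT" add-on lines that resolve to no file on disk.
ORPHAN_RE = re.compile(r"^(?:BHO|TB): (?P<name>.+?) - No File$", re.I)
# DDS Run entries: uRun/mRun/mRunOnce: [ValueName] command
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)
# ComboFix "ORPHANS REMOVED" lines: HKCU-Run-<name> - <command>
REMOVED_RUN_RE = re.compile(r"^HK(?:CU|LM)-Run-(?P<name>\S+) - (?P<cmd>.+)$", re.I)
# ComboFix MountPoints2 block: a key header followed by the AutoRun command.
MOUNTPOINT_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)

# Locations an unprivileged user can write to; a Run value pointing here is the
# classic dropper pattern (compare the removed igoiawk entry in the log above).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\")


def is_user_writable(cmd: str) -> bool:
    return any(marker in cmd.lower() for marker in USER_WRITABLE)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    pending_volume = None  # GUID of the MountPoints2 key whose block we are inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNTPOINT_RE.match(line):
            pending_volume = m["guid"]
            continue
        if (m := AUTORUN_RE.match(line)) and pending_volume:
            findings.append(Finding("autorun_mountpoint", pending_volume, m["cmd"]))
            pending_volume = None
            continue
        pending_volume = None  # any other line ends the MountPoints2 block
        if m := ORPHAN_RE.match(line):
            findings.append(Finding("orphan", m["name"], "No File"))
        elif m := (RUN_RE.match(line) or REMOVED_RUN_RE.match(line)):
            if is_user_writable(m["cmd"]):
                findings.append(Finding("user_writable_run", m["name"], m["cmd"]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.name}  ->  {f.path}")
    print(summarize(triage(SAMPLE_LOG)))
```

Two caveats on reading the output: a "No File" orphan is a dangling registration, not live code, so it is cleanup rather than an infection indicator, and a MountPoints2 AutoRun entry is only the cached autorun command for a volume that was once plugged in (here the F: drive), so it is flagged for review rather than treated as malicious on its own. The user-writable Run rule is the one that would have caught igoiawk.exe before ComboFix removed it.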


#4 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:37 PM

Posted 26 January 2009 - 07:37 PM

Hello siwaily.

Those logs look clean. How is your computer running now?

I see evidence in your log that you are using a cracked version of Norton. Per the site rules, we cannot promote any activity that involves defeating existing laws, including copyright laws.

I ask for permission to remove the crack using ComboFix. It is likely that the crack itself contains malware.

With Regards,
The Panda

#5 siwaily (Topic Starter)

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 26 January 2009 - 08:06 PM

Dear Panda,
Thanks for your advice, but I'm a poor guy; I can't afford £40 or £50 to renew my antivirus.
Anyway, what's your recommendation for choosing another free antivirus?

Thanks for your help.

#6 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:37 PM

Posted 27 January 2009 - 08:11 AM

Hello.

Good decision. I'll give you a list of good free AVs.

Please first uninstall Norton using Add/Remove Programs. Reboot after you uninstall.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:

    Driver::
    .norton2009Reset

    File::
    c:\programdata\norton\Norton2009Reset.exe

    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    (image: dragging CFScript.txt onto ComboFix.exe)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below. After installing, update the database, run a full system scan and remove any items found.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the ComboFix log
-the F-Secure scan log

How is your computer running now?

With Regards,
The Panda

#7 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:37 PM

Posted 07 February 2009 - 10:37 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
