
Malware? Problems with Google


  • This topic is locked
27 replies to this topic

#1 KNG


Posted 09 July 2009 - 12:38 AM

Hi everyone, I have been having problems with my computer since last night, when my computer became infected with various viruses or malware or something. I ran Malwarebytes Anti-Malware which removed most of it. I ran it again today, but this time I received numerous errors with the code 722 (I think that's what it was), but it said that there were no more infected files. I don't believe this is true because when I go to Google and try to search for something, I get a lot of weird irrelevant results. The websites among the results are similarfind.com, craveonline.com, going.com, qualitylinksusa.com, bullz-eye.com, and more. Some of the settings on my computer have also been changed. For example, my computer wouldn't let me download anything. I have fixed this problem by changing my security options. I'm not sure what to do next though. Can anyone help? Thanks!
-Katie


DDS (Ver_09-06-26.01) - NTFSx86
Run by User at 0:26:42.98 on Thu 07/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.332 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\AIM95\aim.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\M-Audio Uno\UnoInst.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\MRAI8BR1\dds[1].scr

============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6] "c:\program files\common files\aol\launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [AIM] c:\program files\aim95\aim.exe -cnetwait.odl
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [HostManager] c:\program files\common files\aol\1135394154\ee\AOLSoftware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [USBToolTip] "c:\program files\pinnacle\shared files\\programs\usbtip\USBTip.exe"
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\windows\system32\lsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} - hxxp://www.activeworlds.com/products/ActiveWorldsDownload.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://kattwalk.viewnetcam.com/JpegInst.cab
DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} - hxxp://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164675779953
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
TCP: {2135B4FE-9555-4D5B-9247-CAAFBAF9FB5B} = 192.168.1.1,76.85.229.110,76.85.229.111
TCP: {A7FCC5F8-C595-485F-8402-224FB1E53C1B} = 24.94.165.25,24.94.163.113
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
LSA: Notification Packages = cli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\aqlxq88y.default\

============= SERVICES / DRIVERS ===============

R2 UnoInstallerService;Uno Installer;c:\program files\m-audio uno\UnoInst.exe [2008-2-16 106496]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S2 lanmanserverwinmgmt;Server lanmanserverwinmgmt;c:\windows\system32\acelpdeci.exe srv --> c:\windows\system32\acelpdeci.exe srv [?]
S2 uflej;uflej;c:\windows\system32\drivers\bxcdkegzyj.sys [2009-7-7 72960]
S3 EVOLUSB;%EVOL_USB_SvcDesc%;c:\windows\system32\drivers\evolusb.sys [2008-2-16 21984]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys --> c:\windows\system32\drivers\usb22ldr.sys [?]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;c:\windows\system32\drivers\usbmn2x2.sys --> c:\windows\system32\drivers\usbmn2x2.sys [?]
S4 Xgiv3;Xgiv3;c:\windows\system32\drivers\xgiv3m.sys --> c:\windows\system32\drivers\Xgiv3m.sys [?]

=============== Created Last 30 ================

2009-07-08 23:11 <DIR> --ds---- C:\ComboFix
2009-07-08 23:10 389,120 a------- c:\windows\system32\CF7095.exe
2009-07-08 23:05 389,120 a------- c:\windows\system32\CF5965.exe
2009-07-08 23:04 389,120 a------- c:\windows\system32\CF5792.exe
2009-07-08 23:00 389,120 a------- c:\windows\system32\CF5054.exe
2009-07-08 23:00 389,120 a------- c:\windows\system32\CF4917.exe
2009-07-08 02:42 40,448 a------- c:\windows\system32\asfadf32.dll
2009-07-08 02:42 880 a------- c:\windows\system32\cwcz
2009-07-07 23:59 180,224 a------- c:\windows\system32\lsp.dll
2009-07-07 23:29 16,384 a--sh--- c:\windows\system32\12520437n.dll
2009-07-07 23:28 <DIR> --d----- c:\program files\sfx
2009-07-07 23:27 150 a--s---- c:\windows\system32\3712545721.dat
2009-07-07 23:27 59,904 ---shr-- c:\windows\system32\acelpdeci.exe
2009-07-05 17:30 1,361 a------- c:\windows\system32\WLAN.INI
2009-06-30 17:49 <DIR> --d----- c:\program files\MSECache
2009-06-10 03:03 <DIR> --d----- c:\windows\ie8updates
2009-06-09 20:59 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 20:59 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-09 20:59 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-09 20:59 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-04 17:48 165,034 a------- c:\windows\hpoins21.dat
2009-05-15 13:23 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2007-07-27 11:58 24,192 a------- c:\documents and settings\user\usbsermptxp.sys
2007-07-27 11:58 22,768 a------- c:\documents and settings\user\usbsermpt.sys
2006-09-20 21:26 284 a------- c:\docume~1\user\applic~1\ViewerApp.dat

============= FINISH: 0:27:31.67 ===============
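The log above is what a helper reads by eye before writing a fix script: a Winsock LSP entry, auto-start services whose binary DDS could not verify (the `[?]` marker) or whose file name looks machine-generated, and freshly created binaries dropped straight into system32 with hidden/system attributes. As an added example that is not part of this thread (editor-written code, not a BleepingComputer, DDS or ComboFix tool), the Python script below encodes those three checks and runs them over lines copied from the DDS log in the first post. The vowel and consonant-run thresholds in `looks_random()` are assumptions chosen for this example, not values from the thread.

```python
"""Triage heuristics for a DDS log (added example, editor-written).

Rules encoded:
  1. a Winsock LSP entry (a third-party LSP can intercept or rewrite browser traffic);
  2. auto-start (R2/S2) services whose binary DDS could not verify ([?]) or whose
     file stem looks machine-generated;
  3. binaries created directly in system32 or system32\\drivers, escalated when
     hidden/system attributes are set or the name is all digits.
The thresholds in looks_random() are assumptions, not values from the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied verbatim from the DDS log posted above (not constructed).
SAMPLE_LOG = r"""
LSP: c:\windows\system32\lsp.dll
============= SERVICES / DRIVERS ===============
R2 UnoInstallerService;Uno Installer;c:\program files\m-audio uno\UnoInst.exe [2008-2-16 106496]
S2 lanmanserverwinmgmt;Server lanmanserverwinmgmt;c:\windows\system32\acelpdeci.exe srv --> c:\windows\system32\acelpdeci.exe srv [?]
S2 uflej;uflej;c:\windows\system32\drivers\bxcdkegzyj.sys [2009-7-7 72960]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;c:\windows\system32\drivers\usbmn2x2.sys --> c:\windows\system32\drivers\usbmn2x2.sys [?]
=============== Created Last 30 ================
2009-07-08 02:42 40,448 a------- c:\windows\system32\asfadf32.dll
2009-07-07 23:29 16,384 a--sh--- c:\windows\system32\12520437n.dll
2009-07-07 23:27 150 a--s---- c:\windows\system32\3712545721.dat
2009-07-07 23:27 59,904 ---shr-- c:\windows\system32\acelpdeci.exe
2009-06-30 17:49 <DIR> --d----- c:\program files\MSECache
"""

SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+(\S{8})\s+(.*)$")
PATH_RE = re.compile(r"[a-z]:\\[^\[\]]*?\.(?:exe|dll|sys)", re.I)
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\(?:drivers\\)?[^\\]+$", re.I)
BIN_EXT = (".exe", ".dll", ".sys", ".dat")
VOWELS = set("aeiou")


@dataclass
class Finding:
    line: str
    reason: str


def stem_of(path: str) -> str:
    """File name without directory or extension."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Crude 'machine-generated name' heuristic (assumed thresholds):
    a consonant run of 5+ or fewer than 15% vowels among the letters.
    Digits break runs, so names like usb22ldr are not penalised."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_frac = sum(c in VOWELS for c in letters) / len(letters)
    longest = run = 0
    for c in stem.lower():
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest >= 5 or vowel_frac < 0.15


def triage(log_text: str) -> list[Finding]:
    """Walk the DDS sections and return entries that deserve a manual look."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):                       # section banner
            section = line.strip("= ").lower()
            continue
        if line.startswith("LSP:"):
            findings.append(Finding(line, "Winsock LSP registered; third-party LSPs can rewrite browser traffic"))
            continue
        if section.startswith("services"):
            m = SERVICE_RE.match(line)
            if not m:
                continue
            start, rest = m.group(2), m.group(5)
            paths = PATH_RE.findall(rest)
            binary = paths[-1] if paths else ""
            if "[?]" in rest and start == "2":
                findings.append(Finding(line, "auto-start service whose binary DDS could not verify ([?])"))
            if binary and looks_random(stem_of(binary)):
                findings.append(Finding(line, f"service binary name looks machine-generated: {stem_of(binary)}"))
        elif section.startswith("created"):
            m = CREATED_RE.match(line)
            if not m:
                continue
            attrs, path = m.group(1), m.group(2)
            if not (SYSTEM32_RE.match(path) and path.lower().endswith(BIN_EXT)):
                continue
            reason = "new binary dropped directly into system32"
            if "s" in attrs or "h" in attrs:
                reason += " with hidden/system attributes set"
            if stem_of(path).isdigit():
                reason += "; all-digit file name"
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it as a plain script to print the seven flagged lines. Note what the rules get and miss: `bxcdkegzyj.sys`, `acelpdeci.exe`, `3712545721.dat`, `12520437n.dll` and `lsp.dll` are the same files the helper puts in the OTM move list further down, while `asfadf32.dll` only trips the generic "new binary in system32" rule and the demand-start `USBMN2X2` driver (legitimate, but also `[?]`) is deliberately not flagged. Heuristics like these narrow the list; the helper's judgement still decides.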



#2 fenzodahl512


Posted 10 July 2009 - 02:58 AM

IMPORTANT!! Please disable these programs (if present) before proceeding with our fixes.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

1. SpySweeper
2. Spyware Doctor
3. Windows Defender
4. Trojan Hunter
5. WinPatrol
6. Spybot S&D
7. Lavasoft Ad-Aware
8. Zone Alarm
9. AVG8



Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take a few minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




NEXT


Please download the OTM by OldTimer
  • Save it to your Desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    uflej
    
    :files
    c:\windows\system32\drivers\bxcdkegzyj.sys
    c:\windows\system32\asfadf32.dll
    c:\windows\system32\cwcz
    c:\windows\system32\lsp.dll
    c:\windows\system32\12520437n.dll
    c:\program files\sfx
    c:\windows\system32\3712545721.dat
    c:\windows\system32\acelpdeci.exe
    
    :reg
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Run RSIT again... Post these logs in your next reply..

1. OTMoveIt3
2. DDS.txt

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 KNG


Posted 10 July 2009 - 12:57 PM

Thanks for the reply

My dad installed Norton Antivirus on my computer yesterday and ran a scan. It only found 1 risk...a cookie..and deleted it. My google is still not working properly, though. Should I disable Norton as well before following your instructions?

Katie

#4 fenzodahl512


Posted 10 July 2009 - 11:32 PM

Should I disable Norton as well before following your instructions?


Yup :thumbup2:



#5 KNG


Posted 11 July 2009 - 12:15 AM

Ok....I'm having a big problem.

I downloaded the comedian. Something else popped up..I think it was called ERUNT..asked me if I wanted to download, and I said yes.
I downloaded OTM and everything...copied and pasted the code and clicked MOVEIT. That's when things get bad. Everything disappears from my screen except my wallpaper image and my cursor. Nothing happens for a few minutes, so I restart my computer. After a few minutes a blue screen comes up. It doesn't give me enough time to read it but it says something like there's an error and my computer is being shut down for protection.....what do I do?? (I'm on my laptop to post this problem, obviously. I can't even get on the internet on my other computer now).

#6 fenzodahl512


Posted 11 July 2009 - 04:04 AM

reboot the computer.. can you get into Desktop now?



#7 KNG


Posted 11 July 2009 - 07:39 AM

I have rebooted it several times. I log in, but after a few minutes it does the same thing and reboots on its own.

#8 fenzodahl512


Posted 11 July 2009 - 09:24 AM

Can you reboot into Safe Mode?

If yes, do this step in Safe Mode


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#9 KNG


Posted 11 July 2009 - 10:18 AM

I downloaded combofix a few days ago from combofix.org but I never used it because I read how dangerous it could be without supervision. Should I uninstall it first?

-Edit-
Also, I'm on the 'infected' computer right now in safe mode with networking. It hasn't restarted or anything yet, thankfully.

Edited by KNG, 11 July 2009 - 12:19 PM.


#10 fenzodahl512


Posted 11 July 2009 - 02:31 PM

Ok, just delete the old ComboFix, download a fresh one from above.. Run it in Safe Mode, and post the log here :thumbup2:



#11 KNG


Posted 11 July 2009 - 02:49 PM

How do I disable Norton in safe mode? I tried reading the link you had posted about it but I can't figure out how to do it in safe mode. I don't see the icon for it, and I can't open Norton normally. I tried opening it in normal mode, but again, the icon is no longer there. It won't let me open Norton in normal mode anyway. The computer restarts.

Edited by KNG, 11 July 2009 - 04:35 PM.


#12 fenzodahl512


Posted 12 July 2009 - 01:55 AM

In Safe Mode, just run ComboFix



#13 KNG


Posted 12 July 2009 - 09:07 AM

Here is the ComboFix log. I do want to say that my Google search is now working. Awesome. :thumbup2: I'll add the other log in a new post so it's easier to read.

ComboFix 09-07-11.02 - User 07/12/2009 8:26.2.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.732 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Downloaded Program Files\Install.inf
c:\windows\Installer\5653f.msi
c:\windows\Installer\b69166.msi
c:\windows\Installer\CASIO Score Navigation System for WindowsXP.msi
c:\windows\isRS-000.tmp
c:\windows\system32\acelpdeci.exe
c:\windows\system32\aderotig.ini
c:\windows\system32\ajazabav.ini
c:\windows\system32\asesofuv.ini
c:\windows\system32\atevovap.ini
c:\windows\system32\atiziyaj.ini
c:\windows\system32\awatalav.ini
c:\windows\system32\azedeyeg.ini
c:\windows\system32\drivers\bxcdkegzyj.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\ebokubey.ini
c:\windows\system32\ebufogip.ini
c:\windows\system32\edumekid.ini
c:\windows\system32\efekeyij.ini
c:\windows\system32\efigolin.ini
c:\windows\system32\ejobiwoy.ini
c:\windows\system32\ekipepor.ini
c:\windows\system32\enivopin.ini
c:\windows\system32\enozidij.ini
c:\windows\system32\epiyeniw.ini
c:\windows\system32\esepituy.ini
c:\windows\system32\esifuhun.ini
c:\windows\system32\etilohor.ini
c:\windows\system32\etuyepul.ini
c:\windows\system32\evojidab.ini
c:\windows\system32\ewoneyif.ini
c:\windows\system32\eyakemor.ini
c:\windows\system32\ezeyanip.ini
c:\windows\system32\ibazigam.ini
c:\windows\system32\idamolud.ini
c:\windows\system32\idulazoy.ini
c:\windows\system32\ifegurib.ini
c:\windows\system32\ilipowev.ini
c:\windows\system32\inuhurij.ini
c:\windows\system32\inuzokad.ini
c:\windows\system32\ipobered.ini
c:\windows\system32\isesaper.ini
c:\windows\system32\itudizog.ini
c:\windows\system32\lsp.dll
c:\windows\system32\obewakuh.ini
c:\windows\system32\obilefog.ini
c:\windows\system32\ofakeyot.ini
c:\windows\system32\ojahayah.ini
c:\windows\system32\okapomak.ini
c:\windows\system32\omejimop.ini
c:\windows\system32\omufetat.ini
c:\windows\system32\onupalob.ini
c:\windows\system32\opavuhuz.ini
c:\windows\system32\opebatuj.ini
c:\windows\system32\orisesip.ini
c:\windows\system32\orusefin.ini
c:\windows\system32\osegunak.ini
c:\windows\system32\osuyuzub.ini
c:\windows\system32\otosisef.ini
c:\windows\system32\owokapos.ini
c:\windows\system32\oyebagah.ini
c:\windows\system32\oyoniduj.ini
c:\windows\system32\ufazemab.ini
c:\windows\system32\ufigivas.ini
c:\windows\system32\ufovunuy.ini
c:\windows\system32\ugekimur.ini
c:\windows\system32\uhezuwov.ini
c:\windows\system32\ujojupes.ini
c:\windows\system32\ujukutem.ini
c:\windows\system32\ukirowup.ini
c:\windows\system32\ukuhiney.ini
c:\windows\system32\ulibujin.ini
c:\windows\system32\ulojavuh.ini
c:\windows\system32\ululutim.ini
c:\windows\system32\uwimarer.ini
c:\windows\system32\uyeberiv.ini
c:\windows\system32\uyobekil.ini
c:\windows\system32\uyojevuj.ini
c:\windows\system32\uziwohif.ini

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LANMANSERVERWINMGMT
-------\Legacy_PODMENA
-------\Legacy_PODMENADRV
-------\Legacy_SFX
-------\Legacy_SFXDRV
-------\Legacy_UFLEJ
-------\Service_lanmanserverwinmgmt
-------\Service_uflej


((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-12 13:38 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-11 20:47 . 2009-07-11 20:47 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-07-11 20:44 . 2009-07-09 22:03 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-07-11 19:44 . 2009-07-11 19:44 -------- d-----r- c:\program files\Norton Support
2009-07-11 11:09 . 2009-07-09 22:04 89104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\NAVENG.SYS
2009-07-11 11:09 . 2009-07-09 22:04 876144 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\NAVEX15.SYS
2009-07-11 11:09 . 2009-07-09 22:04 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\EECTRL.SYS
2009-07-11 11:09 . 2009-07-09 22:04 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\ERASER.SYS
2009-07-11 11:09 . 2009-07-09 22:04 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\NAVENG32.DLL
2009-07-11 11:09 . 2009-07-09 22:04 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\NAVEX32A.DLL
2009-07-11 11:09 . 2009-07-09 22:03 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\ECMSVR32.DLL
2009-07-11 11:09 . 2009-07-09 22:03 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090710.067\CCERASER.DLL
2009-07-11 06:06 . 2009-07-11 06:06 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2009-07-11 04:48 . 2009-07-11 04:48 -------- d-----w- C:\_OTM
2009-07-11 04:45 . 2009-07-11 04:46 -------- d-----w- c:\program files\ERUNT
2009-07-10 17:58 . 2009-07-09 22:04 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSXpx86.sys
2009-07-10 17:58 . 2009-07-09 22:03 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSxpx86.dll
2009-07-10 17:58 . 2009-06-22 22:51 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\Scxpx86.dll
2009-07-10 17:58 . 2009-07-09 22:04 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSviA64.sys
2009-07-10 17:58 . 2009-07-09 22:04 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSvix86.sys
2009-07-10 13:09 . 2009-07-10 13:09 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Symantec
2009-07-10 01:05 . 2009-07-09 22:04 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSXpx86.sys
2009-07-10 01:05 . 2009-07-09 22:04 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSviA64.sys
2009-07-10 01:05 . 2009-07-09 22:04 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSvix86.sys
2009-07-10 01:05 . 2009-07-09 22:03 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSxpx86.dll
2009-07-10 01:05 . 2009-06-22 22:51 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\Scxpx86.dll
2009-07-09 22:04 . 2009-07-09 22:04 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-07-09 22:04 . 2009-07-09 22:04 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-09 22:04 . 2009-07-09 22:04 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-09 22:04 . 2009-07-09 22:04 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2009-07-09 22:04 . 2009-07-09 22:04 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvia64.sys
2009-07-09 22:04 . 2009-07-09 22:04 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-07-09 22:04 . 2009-07-09 22:04 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-07-09 22:04 . 2009-07-09 22:04 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-07-09 22:03 . 2009-07-09 22:03 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\idsxpx86.dll
2009-07-09 22:03 . 2009-07-09 22:03 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-07-09 22:03 . 2009-07-09 22:03 -------- d-----w- c:\windows\system32\drivers\NAV
2009-07-09 22:03 . 2009-07-09 22:03 -------- d-----w- c:\program files\Norton AntiVirus
2009-07-09 22:03 . 2009-07-09 22:03 -------- d-----w- c:\program files\Windows Sidebar
2009-07-09 22:03 . 2009-07-09 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-09 22:03 . 2009-07-09 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-09 22:03 . 2009-07-09 22:03 -------- d-----w- c:\program files\NortonInstaller
2009-07-08 07:42 . 2009-07-08 07:42 40448 ----a-w- c:\windows\system32\asfadf32.dll
2009-07-08 04:29 . 2009-07-08 04:29 16384 --sha-w- c:\windows\system32\12520437n.dll
2009-07-08 04:28 . 2009-07-08 22:00 -------- d-----w- c:\program files\sfx
2009-07-08 04:27 . 2009-07-08 07:42 150 --s-a-w- c:\windows\system32\3712545721.dat
2009-06-30 22:49 . 2009-06-30 22:49 -------- d-----w- c:\program files\MSECache
2009-06-22 22:51 . 2009-06-22 22:51 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 13:41 . 2007-10-15 19:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-11 05:53 . 2005-12-22 14:38 94208 ----a-w- c:\windows\DUMP4b60.tmp
2009-07-10 07:00 . 2006-04-21 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-09 22:04 . 2006-04-21 21:22 -------- d-----w- c:\program files\Symantec
2009-07-09 22:04 . 2006-04-21 21:21 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-09 22:04 . 2009-07-09 22:04 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-07-09 22:04 . 2009-07-09 22:04 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-07-08 20:16 . 2007-12-24 17:05 -------- d-----w- c:\program files\WolfQuest
2009-07-08 19:12 . 2009-01-30 21:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 19:12 . 2009-05-10 16:09 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-01 20:21 . 2005-12-24 01:58 81720 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-17 16:27 . 2009-01-30 21:54 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-01-30 21:54 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 19:51 . 2005-12-30 04:03 -------- d-----w- c:\program files\XviD
2009-06-15 21:20 . 2008-02-10 05:06 -------- d-----w- c:\program files\AIM95
2009-06-11 04:42 . 2009-06-11 04:37 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2009-06-04 22:49 . 2009-06-04 22:14 -------- d-----w- c:\documents and settings\User\Application Data\HP
2009-06-04 22:48 . 2009-06-04 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-06-04 22:48 . 2009-06-04 21:47 165034 ----a-w- c:\windows\hpoins21.dat
2009-06-04 22:13 . 2008-02-22 02:08 -------- d-----w- c:\program files\HP
2009-06-04 22:13 . 2009-06-04 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-06-04 21:52 . 2009-06-04 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-06-04 21:51 . 2009-06-04 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-06-04 21:49 . 2008-02-22 02:30 -------- d-----w- c:\program files\Common Files\HP
2009-05-28 15:26 . 2009-05-28 15:26 -------- d-----w- c:\documents and settings\User\Application Data\Sony Corporation
2009-05-28 15:22 . 2005-12-22 23:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-28 15:19 . 2009-05-28 15:19 -------- d-----w- c:\program files\Sony
2009-05-28 15:19 . 2009-05-28 15:19 -------- d-----w- c:\documents and settings\User\Application Data\InstallShield
2009-05-16 20:54 . 2006-06-14 18:19 227 ----a-w- c:\windows\PowerReg.dat
2009-05-16 20:53 . 2009-05-16 20:53 -------- d-----w- c:\program files\Hasbro Interactive
2009-05-15 22:18 . 2009-05-15 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-05-15 20:11 . 2007-08-13 00:42 -------- d-----w- c:\program files\Norton 360
2009-05-15 18:23 . 2005-12-22 23:11 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-04-07 06:59 . 2007-12-31 00:46 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2007-12-31 00:46 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2007-12-31 00:46 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2007-12-31 00:46 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2007-12-31 00:46 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-06-07 05:46 . 2005-06-07 05:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

2007-05-11 08:06 . 2007-05-11 08:06 40048 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

2005-12-24 03:19 . 2005-06-02 09:34 67160 c:\program files\AIM\bak\aim.exe

2006-11-10 18:35 . 2006-11-10 18:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe

2007-03-01 04:06 . 2007-03-01 04:06 2321600 c:\program files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe

2005-11-03 03:01 . 2005-11-03 03:01 50792 c:\program files\Common Files\AOL\1135394154\ee\bak\AOLSoftware.exe

2005-11-03 03:01 . 2005-11-03 03:01 50792 c:\program files\Common Files\AOL\Launch\bak\AOLLaunch.exe

2007-12-22 20:44 . 2007-12-22 20:44 69632 c:\program files\Common Files\Real\Update_OB\bak\RealOneMessageCenter.exe

2007-12-22 20:44 . 2007-12-22 20:44 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2007-06-01 21:51 . 2007-06-01 21:51 257088 c:\program files\iTunes\bak\iTunesHelper.exe
2007-06-01 22:51 . 2007-06-01 22:51 257088 c:\program files\iTunes\iTunesHelper.exe

2006-02-26 09:04 . 2005-11-10 21:03 36975 c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe

2006-07-08 21:25 . 2005-06-13 09:30 192512 c:\program files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe
2009-04-20 03:50 . 2005-06-13 07:30 192512 c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

2007-04-27 14:41 . 2007-04-27 14:41 282624 c:\program files\QuickTime\bak\qttask.exe

2007-10-23 23:43 . 2007-08-30 22:43 4670704 c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe

2004-03-11 07:26 . 2004-03-11 07:26 406016 c:\windows\system32\bak\PSDrvCheck.exe
2004-03-11 06:26 . 2004-03-11 06:26 406016 c:\windows\system32\PSDrvCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\Common Files\AOL\Launch\AOLLaunch.exe" [N/A]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [N/A]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [N/A]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [N/A]
"AIM"="c:\program files\AIM95\aim.exe" [2004-08-10 61440]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"HostManager"="c:\program files\Common Files\AOL\1135394154\ee\AOLSoftware.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [N/A]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2005-06-13 192512]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [N/A]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-27 68096]
"DXDllRegExe"="dxdllreg.exe" [N/A]

c:\documents and settings\User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-5-28 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-4-17 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-7-8 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-7-8 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=usbmn2x2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuCallbackProxy.exe"=
"c:\\Program Files\\Sony Corporation\\Picture Package\\Picture Package Applications\\Residence.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23456:TCP"= 23456:TCP:masterserver.unity3d.com
"50001:UDP"= 50001:UDP:facilitator.unity3d.com
"23456:UDP"= 23456:UDP:masterserver.unity3d.com
"38038:UDP"= 38038:UDP:wolfquest.org
"8085:TCP"= 8085:TCP:sfx

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [7/9/2009 5:04 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [7/9/2009 5:04 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [7/9/2009 5:04 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSXpx86.sys [7/10/2009 12:58 PM 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [7/9/2009 5:04 PM 115560]
R2 UnoInstallerService;Uno Installer;c:\program files\M-Audio Uno\UnoInst.exe [2/16/2008 7:03 PM 106496]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 10:09 PM 24652]
S3 EVOLUSB;%EVOL_USB_SvcDesc%;c:\windows\system32\drivers\evolusb.sys [2/16/2008 7:03 PM 21984]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys --> c:\windows\system32\drivers\usb22ldr.sys [?]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;c:\windows\system32\drivers\usbmn2x2.sys --> c:\windows\system32\drivers\usbmn2x2.sys [?]
S4 Xgiv3;Xgiv3;c:\windows\system32\DRIVERS\Xgiv3m.sys --> c:\windows\system32\DRIVERS\Xgiv3m.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10910

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A0DD4082-2817-1102-CFAE-B4796FD16311} /qb
.
.
------- Supplementary Scan -------
.
TCP: {2135B4FE-9555-4D5B-9247-CAAFBAF9FB5B} = 192.168.1.1,76.85.229.110,76.85.229.111
TCP: {A7FCC5F8-C595-485F-8402-224FB1E53C1B} = 24.94.165.25,24.94.163.113
DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} - hxxp://www.activeworlds.com/products/ActiveWorldsDownload.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\aqlxq88y.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 08:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-1957994488-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{132676A0-2097-71A8-532B-C92B76B6075D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaaigbahcfchckpaajlllcjfknkohp"=hex:64,61,70,6a,61,63,65,64,00,e0
"oamgobhcmpilaoopjbdhpmalaifhnm"=hex:6a,61,6c,68,67,65,6f,61,69,65,6e,6d,6e,6b,
67,62,62,6f,70,6c,00,fd
"nacgmgplndcnaehoipkbaikpiedo"=hex:6a,61,6c,68,67,65,6f,61,69,65,6e,6d,6e,6b,
67,62,62,6f,70,6c,00,fd

[HKEY_USERS\S-1-5-21-448539723-1957994488-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,13,f8,ea,02,43,1e,4f,82,60,d0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,13,f8,ea,02,43,1e,4f,82,60,d0,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,60,e8,db,75,cd,
2c,bc,b1,c8,28,51,af,b0,29,a3,98,86,2f,e1,2a,27,0b,36,ac,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,7f,43,20,aa,b6,
ac,6e,5b,71,3b,04,66,8b,46,0d,96,45,da,ed,b8,d7,26,7e,d6,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,36,40,8a,e7,ec,
54,95,98,25,da,ec,7e,55,20,c9,26,b3,a7,f8,e2,00,3a,64,76,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,8e,d3,f4,3c,92,
e3,98,0b,3e,1e,9e,e0,57,5a,93,61,4b,34,11,e1,ff,40,fa,48,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,67,95,03,b6,d2,
99,d0,c8,cd,44,cd,b9,a6,33,6c,cd,47,a4,64,2b,f7,3e,6c,c2,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,17,3f,05,35,ae,
cf,61,65,b0,18,ed,a7,3f,8d,37,a4,4f,df,72,11,63,b2,e1,55,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,80,9a,a8,16,ce,
0b,0e,aa,31,77,e1,ba,b1,f8,68,02,33,24,d6,d6,ff,1f,ca,22,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,6f,42,48,f2,ec,
5f,a7,0f,83,6c,56,8b,a0,85,96,ab,12,ca,32,09,27,27,9e,df,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,f8,3b,c1,83,ff,
ce,ae,74,51,fa,6e,91,28,9e,14,cc,a0,b8,84,f9,63,65,fc,76,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,10,8e,2e,03,b5,
59,fe,d1,b1,cd,45,5a,a8,c4,f8,b9,76,be,cf,09,b4,29,d3,04,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,a2,20,5e,b4,b7,
1e,5e,9a,e3,0e,66,d5,eb,bc,2f,6b,e4,62,b6,c0,bf,ce,7b,b2,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,c8,10,1b,53,0e,
59,5a,17,fa,ea,66,7f,d4,3b,6b,70,84,6b,55,90,e2,b0,da,44,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2292)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-07-12 9:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-12 14:03

Pre-Run: 92,553,961,472 bytes free
Post-Run: 92,638,662,656 bytes free

461 --- E O F --- 2009-06-10 08:04

Edited by KNG, 12 July 2009 - 09:17 AM.


#14 KNG

KNG
  • Topic Starter

  • Members
  • 15 posts

Posted 12 July 2009 - 09:13 AM

Here is the other log. I hope it's the right one. If not, just let me know and I'll get the right one. Thanks!


DDS (Ver_09-06-26.01) - NTFSx86
Run by User at 9:12:17.70 on Sun 07/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.378 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\M-Audio Uno\UnoInst.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6] "c:\program files\common files\aol\launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [AIM] c:\program files\aim95\aim.exe -cnetwait.odl
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [HostManager] c:\program files\common files\aol\1135394154\ee\AOLSoftware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [USBToolTip] "c:\program files\pinnacle\shared files\\programs\usbtip\USBTip.exe"
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} - hxxp://www.activeworlds.com/products/ActiveWorldsDownload.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://kattwalk.viewnetcam.com/JpegInst.cab
DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} - hxxp://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164675779953
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
TCP: {2135B4FE-9555-4D5B-9247-CAAFBAF9FB5B} = 192.168.1.1,76.85.229.110,76.85.229.111
TCP: {A7FCC5F8-C595-485F-8402-224FB1E53C1B} = 24.94.165.25,24.94.163.113
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\aqlxq88y.default\

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-7-9 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-7-9 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-7-9 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090709.001\IDSXpx86.sys [2009-7-10 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-7-9 115560]
R2 UnoInstallerService;Uno Installer;c:\program files\m-audio uno\UnoInst.exe [2008-2-16 106496]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090711.024\NAVENG.SYS [2009-7-12 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090711.024\NAVEX15.SYS [2009-7-12 876144]
S3 EVOLUSB;%EVOL_USB_SvcDesc%;c:\windows\system32\drivers\evolusb.sys [2008-2-16 21984]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys --> c:\windows\system32\drivers\usb22ldr.sys [?]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;c:\windows\system32\drivers\usbmn2x2.sys --> c:\windows\system32\drivers\usbmn2x2.sys [?]
S4 Xgiv3;Xgiv3;c:\windows\system32\drivers\xgiv3m.sys --> c:\windows\system32\drivers\Xgiv3m.sys [?]

=============== Created Last 30 ================

2009-07-12 09:00 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-12 08:38 50,176 a------- c:\windows\system32\proquota.exe
2009-07-12 08:25 161,792 a------- c:\windows\SWREG.exe
2009-07-12 08:25 155,136 a------- c:\windows\PEV.exe
2009-07-12 08:25 98,816 a------- c:\windows\sed.exe
2009-07-12 08:25 <DIR> --ds---- C:\ComboFix
2009-07-11 14:44 <DIR> --d--r-- c:\program files\Norton Support
2009-07-10 23:48 <DIR> --d----- C:\_OTM
2009-07-09 17:04 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-07-09 17:04 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-09 17:04 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-09 17:04 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-07-09 17:04 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-07-09 17:03 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-07-09 17:03 <DIR> --d----- c:\program files\Norton AntiVirus
2009-07-09 17:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-07-09 17:03 <DIR> --d----- c:\program files\NortonInstaller
2009-07-09 17:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-07-08 02:42 40,448 a------- c:\windows\system32\asfadf32.dll
2009-07-08 02:42 880 a------- c:\windows\system32\cwcz
2009-07-07 23:29 16,384 a--sh--- c:\windows\system32\12520437n.dll
2009-07-07 23:28 <DIR> --d----- c:\program files\sfx
2009-07-07 23:27 150 a--s---- c:\windows\system32\3712545721.dat
2009-07-05 17:30 1,361 a------- c:\windows\system32\WLAN.INI
2009-06-30 17:49 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2009-07-11 00:53 94,208 a------- c:\windows\DUMP4b60.tmp
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-04 17:48 165,034 a------- c:\windows\hpoins21.dat
2009-05-15 13:23 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2007-07-27 11:58 24,192 a------- c:\documents and settings\user\usbsermptxp.sys
2007-07-27 11:58 22,768 a------- c:\documents and settings\user\usbsermpt.sys
2006-09-20 21:26 284 a------- c:\docume~1\user\applic~1\ViewerApp.dat

============= FINISH: 9:12:52.48 ===============

#15 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:09:51 PM

Posted 12 July 2009 - 04:09 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

AWF::
c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe
c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
c:\program files\AIM\bak\aim.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe
c:\program files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
c:\program files\Common Files\AOL\1135394154\ee\bak\AOLSoftware.exe
c:\program files\Common Files\AOL\Launch\bak\AOLLaunch.exe
c:\program files\Common Files\Real\Update_OB\bak\RealOneMessageCenter.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe
c:\program files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe
c:\program files\QuickTime\bak\qttask.exe
c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe
c:\windows\system32\bak\PSDrvCheck.exe

File::
c:\windows\system32\asfadf32.dll
c:\windows\system32\12520437n.dll
c:\windows\system32\3712545721.dat

Folder::
c:\program files\sfx

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation not captured: CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
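As an added example (not part of this thread and not a tool the helper used), the Python below parses DDS "Created Last 30" lines like the ones in the log above, picks out the system32 files that deserve a closer look, and renders them in the CFScript File:: layout of the reply. The heuristics are assumptions made for the example: hidden or system attributes, digit-heavy names, a missing extension, and files dropped within a few minutes of an already flagged one (temporal clustering); on the constructed sample this surfaces the three files the helper listed plus cwcz as a further candidate, and it is triage for a human reviewer, not an automatic deletion list.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the "Created Last 30" lines from the DDS log above.
DDS_CREATED = r"""
2009-07-12 09:00 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-12 08:38 50,176 a------- c:\windows\system32\proquota.exe
2009-07-12 08:25 161,792 a------- c:\windows\SWREG.exe
2009-07-09 17:04 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-07-09 17:04 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-08 02:42 40,448 a------- c:\windows\system32\asfadf32.dll
2009-07-08 02:42 880 a------- c:\windows\system32\cwcz
2009-07-07 23:29 16,384 a--sh--- c:\windows\system32\12520437n.dll
2009-07-07 23:27 150 a--s---- c:\windows\system32\3712545721.dat
2009-07-05 17:30 1,361 a------- c:\windows\system32\WLAN.INI
"""
# date time, size or <DIR>, eight attribute flags (a/r/c/d/s/h or '-'), path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (<DIR>|[\d,]+) (\S{8}) (.+)$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_dds_created(text):
    """Parse DDS 'Created Last 30' lines into (created, is_dir, flags, path) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            entries.append((created, m.group(2) == "<DIR>", m.group(3), m.group(4)))
    return entries


def _looks_odd(name, flags):
    """Assumed heuristics: hidden/system attribute, digit-heavy name, or no extension."""
    return ("h" in flags or "s" in flags
            or sum(c.isdigit() for c in name) >= 6
            or "." not in name)


def flag_suspicious(entries, window=timedelta(minutes=5)):
    """Return system32 files worth reviewing, in log order (assumed rules, see above)."""
    files = [e for e in entries if not e[1] and e[3].lower().startswith(SYSTEM32)]
    odd_times = [e[0] for e in files if _looks_odd(e[3].rsplit("\\", 1)[-1], e[2])]
    # A plain-looking file created within `window` of an odd one is flagged as well.
    return [path for created, _, flags, path in files
            if _looks_odd(path.rsplit("\\", 1)[-1], flags)
            or any(abs(created - t) <= window for t in odd_times)]


def build_cfscript_file_section(paths):
    """Render the paths as a CFScript 'File::' section, as in the reply above."""
    return "File::\n" + "\n".join(paths) + "\n"
```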