
uacinit.dll Infection


This topic is locked
14 replies to this topic

#1 Domhnall

  • Members
  • 7 posts

Posted 14 July 2009 - 02:43 AM

Two days ago, I was somehow infected with System Secure. After a lengthy process of Safe Mode loading, Process Explorer finagling, and many failed attempts at running Malwarebytes Anti-Malware, I was eventually able to clear my system, or so I thought. Upon running Malwarebytes again (along with Spybot and Adware, though in this instance they were less than helpful), I found that uacinit.dll and a registry item were still on my computer. I opted to remove them and restart, only to find that they were yet again on the computer. I did a little research on the house's other computer and found out that it's apparently a backdoor trojan, or something along these lines; I immediately disconnected the infected computer from the internet. I'm in the process of changing passwords from all the sites I had visited, as per suggestions from similar topics I found here, but that might take a while and I decided that I had better check here to see if the computer can be saved in the meantime.

The virus doesn't actually seem to be doing anything as of yet, besides blocking access to SuperAntiSpyware, but I doubt that it does whatever it does in a flashy manner.

In addition to the following DDS.txt file, I also have the log files from HijackThis, Ad-Aware, Malwarebytes, and Rooter (although Rooter failed to find anything, so I doubt that log file will be of use to anyone). The preparation guide to posting doesn't mention them, so I won't post them immediately; however, if you think they will help I would be glad to post them.

Thanks in advance for your help.




DDS.txt:

DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 3:15:17.00 on Tue 07/14/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.405 [GMT -4:00]

AV: F-Secure Client Security 7.12 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Client Security 7.12 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
svchost.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wuauclt.exe
L:\Malwarebytes' Anti-Malware\xxxx.exe
C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Documents and Settings\HP_Administrator\Application Data\U3\43172216A880C513\LaunchPad.exe
L:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\hp_administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunOnce: [SymLnch] "c:\documents and settings\hp_administrator\application data\symantec\layouts\norton internet security\15.0\symalllanguages\nis_retail\20070826\support\symlnch\symlnch.exe" "c:\documents and settings\hp_administrator\application data\symantec\layouts\norton internet security\15.0\symalllanguages\nis_retail\20070826\Setup.exe" "/REALUPREBOOT /temp /patched"
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\f-secure\fsps\program\FSLSP.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: antimalwareguard.com
Trusted Zone: trymedia.com
DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} - hxxp://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: {38101905-d80f-4788-96f6-986a8186178a} - c:\windows\system32\flashd32.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-11-2 59808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-4 64160]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\f-secure\hips\fshs.sys [2008-11-2 70752]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\anti-virus\minifilter\fsgk.sys [2008-11-2 72288]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-2 38160]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
RUnknown tcbpnt;tcbpnt; [x]
S0 pretgke;pretgke;c:\windows\system32\drivers\fcyizigi.sys --> c:\windows\system32\drivers\fcyizigi.sys [?]
S0 wwnphu;wwnphu;c:\windows\system32\drivers\taebyj.sys --> c:\windows\system32\drivers\taebyj.sys [?]
S0 yrpditnn;yrpditnn;c:\windows\system32\drivers\kqtrp.sys --> c:\windows\system32\drivers\kqtrp.sys [?]
S2 ybcmhwx;ybcmhwx;c:\windows\system32\drivers\iwgkbqxa.sys --> c:\windows\system32\drivers\iwgkbqxa.sys [?]
S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10741.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10741.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 pcmstub;pcmstub;c:\windows\system32\pcmstub.sys [2004-8-10 2304]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure\anti-virus\win2k\fsfilter.sys [2008-11-2 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure\anti-virus\win2k\fsrec.sys [2008-11-2 25184]

=============== Created Last 30 ================

2009-07-14 01:42 304 a---h--- C:\aaw7boot.cmd
2009-07-14 01:00 1,741 a------- C:\error.htm
2009-07-14 01:00 0 a------- C:\infect.htm
2009-07-12 22:41 40,960 ---shr-- c:\windows\system32\flashd32.dll
2009-07-08 21:13 <DIR> --d----- C:\Python26
2009-07-08 21:08 <DIR> --d----- c:\program files\Blender Foundation
2009-07-01 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\realtech VR
2009-07-01 13:47 <DIR> --d----- c:\program files\realtech VR
2009-06-23 00:15 216,679 a------- C:\lua-5.1.4.tar.gz
2009-06-14 19:15 <DIR> --d----- C:\wxWidgets-2.8.10
2009-06-14 19:14 12,811,696 a------- C:\wxMSW-2.8.10-Setup.exe
2009-06-14 19:06 22,822,954 a------- C:\wxWidgets-2.8.10.zip
2009-06-14 17:29 827,419 a------- C:\SDL-devel-1.2.13-mingw32.tar (1).gz
2009-06-14 17:28 1,634,605 a------- C:\w32api-3.13-mingw32-dev.tar.gz
2009-06-14 17:19 <DIR> --d----- C:\Dev-Cpp
2009-06-14 17:18 9,326,468 a------- C:\devcpp-4.9.9.2_setup.exe
2009-06-14 17:12 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Dev-Cpp
2009-06-14 17:11 2,465,979 a------- C:\devcpp-4.9.9.2_nomingw_setup.exe
2009-06-14 15:57 234,721 a------- C:\mingw32-make-3.81-20080326-2.tar.gz
2009-06-14 15:57 1,645,646 a------- C:\gcc-objc-3.4.5-20060117-3.tar.gz
2009-06-14 15:57 12,243,868 a------- C:\gcc-java-3.4.5-20060117-3.tar.gz
2009-06-14 15:57 10,164,498 a------- C:\gcc-ada-3.4.5-20060117-3.tar.gz
2009-06-14 15:57 2,048,441 a------- C:\gcc-g77-3.4.5-20060117-3.tar.gz
2009-06-14 15:56 4,058,117 a------- C:\gcc-g++-3.4.5-20060117-3.tar.gz
2009-06-14 15:56 2,812,535 a------- C:\gcc-core-3.4.5-20060117-3.tar.gz
2009-06-14 15:56 8,925,501 a------- C:\binutils-2.19.1-mingw32-bin.tar.gz
2009-06-14 15:56 565,306 a------- C:\mingwrt-3.15.2-mingw32-dev.tar.gz
2009-06-14 15:54 140,095 a------- C:\MinGW-5.1.4.exe

==================== Find3M ====================

2009-07-13 22:50 4 ----h--- c:\windows\fonts\mlog
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-04 01:40 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-04 01:40 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-28 22:45 4,338 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2006-12-01 00:55 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 3:18:30.17 ===============

#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 July 2009 - 11:29 PM

Hello Domhnall,


Sorry about the delay. :thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Domhnall

  • Topic Starter
  • Members
  • 7 posts

Posted 26 July 2009 - 12:30 PM

Posted 26 July 2009 - 12:30 PM

Don't worry about the delay; I know how many people come here for help. It's easy to get overwhelmed, I'm sure.

Here's the HijackThis log, and thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:45 PM, on 7/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe

--
End of file - 9339 bytes

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 July 2009 - 04:18 PM

Posted 26 July 2009 - 04:18 PM

Hello,

That's for sure. I haven't looked today, but last night there were not quite 600 logs waiting. :thumbup2: Thank you for understanding.....some people don't. :)

All right....you have a rootkit. I know you tried, but none of those scanners/cleaners would be able to see it.

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
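The indicators behind the rootkit call above are all visible in the DDS log from post #1: boot-start drivers with randomised names (pretgke, wwnphu, yrpditnn, ybcmhwx, tcbpnt) whose image files DDS could not find, a hidden+system flashd32.dll dropped into system32 and registered as a shell execute hook with no class name, a non-font file (mlog) in the Fonts directory, and antimalwareguard.com sitting in the IE Trusted Zone. The script below is an added example written for this thread; it is not part of DDS, HijackThis or ComboFix. Its scoring rules (vowel-ratio name check, start-type weighting, path constraints) are the example author's own heuristics, and SAMPLE is a subset of lines copied from the posted log.

```python
"""Sort a DDS log by rootkit indicators for a human reviewer.

Added example for this thread; not part of DDS, HijackThis or ComboFix.
SAMPLE is copied from the DDS log in post #1. The scoring rules are the
example author's own heuristics: they prioritise review, not replace it.
"""
import re
from dataclasses import dataclass

# "S0 pretgke;pretgke;c:\...\fcyizigi.sys --> c:\...\fcyizigi.sys [?]"
SVC_RE = re.compile(r"^[RS](?P<start>\d|Unknown)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
# "2009-07-12 22:41 40,960 ---shr-- c:\windows\system32\flashd32.dll"
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")
# "SEH: {clsid} - c:\windows\system32\flashd32.dll"  (a hook registered with no class name)
SEH_RE = re.compile(r"^SEH:\s*(?P<label>.*?)\s+-\s+(?P<path>[a-z]:\\.+)$", re.I)
TZ_RE = re.compile(r"^Trusted Zone:\s*(?P<host>\S+)", re.I)
FONT_EXT = {".ttf", ".ttc", ".fon", ".otf"}

@dataclass(frozen=True)
class Finding:
    severity: str  # "high" | "medium" | "low"
    subject: str   # service name, file path or host name
    reason: str

def looks_random(name: str) -> bool:
    # Short, all-lowercase, vowel-poor names (pretgke, wwnphu, ybcmhwx). Heuristic only:
    # it also matches some real drivers, so it only counts together with a missing image.
    if not re.fullmatch(r"[a-z]{5,10}", name):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.3

def triage(lines):
    services, files, hooks, hosts = [], [], [], []
    for raw in lines:  # pass 1: bucket the line types we understand (sections come in any order)
        line = raw.strip()
        if m := SVC_RE.match(line):
            services.append(m)
        elif m := FILE_RE.match(line):
            files.append(m)
        elif m := SEH_RE.match(line):
            hooks.append(m)
        elif m := TZ_RE.match(line):
            hosts.append(m["host"].lower())

    findings, hidden_system = [], set()
    for m in files:  # hidden+system files dropped into system32; non-font junk in Fonts
        attrs, path = m["attrs"], m["path"].lower()
        fname = path.rsplit("\\", 1)[-1]
        ext = fname[fname.rfind("."):] if "." in fname else ""
        if "h" in attrs and "s" in attrs and "\\windows\\system32\\" in path:
            hidden_system.add(path)
            findings.append(Finding("high", path, f"hidden+system file in system32 (attrs {attrs})"))
        elif "\\windows\\fonts\\" in path and ext not in FONT_EXT:
            findings.append(Finding("medium", path, "non-font file in the Fonts directory"))

    for m in services:  # drivers whose image DDS could not find ([?] or [x]) at scan time
        name, start, rest = m["name"], m["start"], m["rest"]
        if not (rest.endswith("[?]") or rest.endswith("[x]")):
            continue
        if looks_random(name):
            findings.append(Finding("high", name, "random-looking driver name, image file not found"))
        elif start in ("0", "1", "2", "Unknown"):
            findings.append(Finding("medium", name, f"start type {start}, image file not found"))
        else:
            findings.append(Finding("low", name, f"start type {start}, image not found (often an uninstall leftover)"))

    for m in hooks:  # shell execute hooks load into every process that calls ShellExecute
        path, label = m["path"].lower(), m["label"]
        if path in hidden_system:
            findings.append(Finding("high", path, "shell execute hook points at a hidden+system DLL"))
        elif label.startswith("{"):
            findings.append(Finding("medium", path, "shell execute hook registered without a class name"))

    for host in dict.fromkeys(hosts):  # de-duplicated, order preserved
        findings.append(Finding("medium", host, "site in the IE Trusted Zone (relaxed security for it)"))

    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f.severity])

# Subset of lines copied from the DDS log in post #1.
SAMPLE = [
    r"Trusted Zone: antimalwareguard.com",
    r"Trusted Zone: antimalwareguard.com",
    r"SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL",
    r"SEH: {38101905-d80f-4788-96f6-986a8186178a} - c:\windows\system32\flashd32.dll",
    r"R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-11-2 59808]",
    r"RUnknown tcbpnt;tcbpnt; [x]",
    r"S0 pretgke;pretgke;c:\windows\system32\drivers\fcyizigi.sys --> c:\windows\system32\drivers\fcyizigi.sys [?]",
    r"S0 wwnphu;wwnphu;c:\windows\system32\drivers\taebyj.sys --> c:\windows\system32\drivers\taebyj.sys [?]",
    r"S2 ybcmhwx;ybcmhwx;c:\windows\system32\drivers\iwgkbqxa.sys --> c:\windows\system32\drivers\iwgkbqxa.sys [?]",
    r"S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10741.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10741.sys [?]",
    r"S3 pcmstub;pcmstub;c:\windows\system32\pcmstub.sys [2004-8-10 2304]",
    r"2009-07-12 22:41 40,960 ---shr-- c:\windows\system32\flashd32.dll",
    r"2009-07-13 22:50 4 ----h--- c:\windows\fonts\mlog",
    r"2006-12-01 00:55 22 a--sh--- c:\windows\sminst\HPCD.sys",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:6} {f.subject:45} {f.reason}")
```

Run it as-is to print the findings highest severity first, or pass the lines of a full DDS.txt to triage() for another log. The two-pass layout matters because the SEH entry for flashd32.dll appears in the Pseudo HJT section, well before the "Created Last 30" line that shows the file's hidden+system attributes, so the cross-reference can only be made once both have been read. The Fonts rule is there because the ComboFix log later in this thread removed mlog together with several .dll, .ocx and .tlb files from c:\windows\FONTS, a directory that should only ever gain font files.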

#5 Domhnall

  • Topic Starter
  • Members
  • 7 posts

Posted 26 July 2009 - 08:31 PM

Posted 26 July 2009 - 08:31 PM

All right, here you go. Combofix log is first, and HijackThis is second.



Combofix log:

ComboFix 09-07-25.08 - HP_Administrator 07/26/2009 20:46.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.641 [GMT -4:00]
Running from: F:\ComboFix.exe
AV: F-Secure Client Security 7.12 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Client Security 7.12 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-380631819-2058286335-36685605-1008
c:\recycler\S-1-5-21-380631819-2058286335-36685605-1010
c:\recycler\S-1-5-21-380631819-2058286335-36685605-500
c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\FONTS\cooecp.tlb
c:\windows\FONTS\logcde.dll
c:\windows\Fonts\mlog
c:\windows\FONTS\windef.dll
c:\windows\FONTS\windef.Log
c:\windows\FONTS\winpaged.ocx
c:\windows\Installer\101d0a1.msi
c:\windows\Installer\10e3eb28.msp
c:\windows\Installer\10e3eb2c.msp
c:\windows\Installer\10e3eb30.msp
c:\windows\Installer\10e3eb34.msp
c:\windows\Installer\10e3eb38.msp
c:\windows\Installer\10e3eb3c.msp
c:\windows\Installer\10ef2a2f.msp
c:\windows\Installer\10ef2a33.msp
c:\windows\Installer\10ef2a37.msp
c:\windows\Installer\10ef2a3b.msp
c:\windows\Installer\10ef2a3f.msp
c:\windows\Installer\10ef2a43.msp
c:\windows\Installer\11150355.msp
c:\windows\Installer\11150359.msp
c:\windows\Installer\112f7edf.msp
c:\windows\Installer\112f7ee3.msp
c:\windows\Installer\113b6041.msp
c:\windows\Installer\113b6045.msp
c:\windows\Installer\1152f7de.msp
c:\windows\Installer\1152f7e2.msp
c:\windows\Installer\115ca433.msp
c:\windows\Installer\115ca445.msp
c:\windows\Installer\117055d1.msp
c:\windows\Installer\119c2507.msp
c:\windows\Installer\119c251a.msp
c:\windows\Installer\119c252d.msp
c:\windows\Installer\119c253f.msp
c:\windows\Installer\11aafae.msp
c:\windows\Installer\1211a4.msi
c:\windows\Installer\1465de68.msp
c:\windows\Installer\14745e1.msi
c:\windows\Installer\14a5a8e.msp
c:\windows\Installer\14a5a92.msp
c:\windows\Installer\14ae5f7.msp
c:\windows\Installer\14ae60a.msp
c:\windows\Installer\14ae627.msp
c:\windows\Installer\160d031b.msp
c:\windows\Installer\160d031f.msp
c:\windows\Installer\160d0323.msp
c:\windows\Installer\160d0327.msp
c:\windows\Installer\160d032b.msp
c:\windows\Installer\160d032f.msp
c:\windows\Installer\1615d46e.msp
c:\windows\Installer\1615d472.msp
c:\windows\Installer\1615d476.msp
c:\windows\Installer\1615d47a.msp
c:\windows\Installer\1615d47e.msp
c:\windows\Installer\1615d482.msp
c:\windows\Installer\1651db.msi
c:\windows\Installer\1661436.msp
c:\windows\Installer\166143a.msp
c:\windows\Installer\166288e8.msp
c:\windows\Installer\166288ec.msp
c:\windows\Installer\16ff61e.msp
c:\windows\Installer\16ff622.msp
c:\windows\Installer\16ff626.msp
c:\windows\Installer\16ff62a.msp
c:\windows\Installer\16ff62e.msp
c:\windows\Installer\16ff632.msp
c:\windows\Installer\17c6103.msp
c:\windows\Installer\17c6107.msp
c:\windows\Installer\17c610b.msp
c:\windows\run.log
c:\windows\system32\drivers\UACyuhneocijnwejjems.sys
c:\windows\system32\pcmstub.sys
c:\windows\system32\UACfjnrvsmccguuoiheu.dll
c:\windows\system32\UACghejfgtmpslbflwca.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjwfvqtrfhxhexdcpg.dll
c:\windows\system32\UACnfkdcomekptroymnw.dll
c:\windows\system32\UACpjgxwcigckxagtnbq.db
c:\windows\system32\uactmp.db
c:\windows\system32\UACwkotdmhrgvgumeyrs.dll
c:\windows\system32\UACxcbeewlrbopdwadox.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_6TO4
-------\Legacy_PCMSTUB
-------\Service_pcmstub


((((((((((((((((((((((((( Files Created from 2009-06-27 to 2009-07-27 )))))))))))))))))))))))))))))))
.

2009-07-20 18:19 . 2009-07-20 18:19 -------- d-----w- C:\temp
2009-07-13 09:56 . 2007-10-23 13:27 110592 ----a-w- c:\documents and settings\HP_Administrator\Application Data\U3\temp\cleanup.exe
2009-07-13 09:38 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\HP_Administrator\Application Data\U3\temp\Launchpad Removal.exe
2009-07-13 09:38 . 2009-07-14 21:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2009-07-13 03:42 . 2009-07-13 03:42 -------- d-sh--w- c:\documents and settings\Administrator.HINATA\PrivacIE
2009-07-13 03:42 . 2009-07-13 03:42 -------- d-sh--w- c:\documents and settings\Administrator.HINATA\IETldCache
2009-07-13 02:41 . 2009-07-13 02:41 40960 --sh--r- c:\windows\system32\flashd32.dll
2009-07-09 01:13 . 2009-07-09 01:13 -------- d-----w- C:\Python26
2009-07-09 01:08 . 2009-07-09 01:08 -------- d-----w- c:\program files\Blender Foundation
2009-07-01 17:51 . 2009-07-01 17:51 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\realtech_VR
2009-07-01 17:48 . 2009-07-01 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\realtech VR
2009-07-01 17:47 . 2009-07-01 17:47 -------- d-----w- c:\program files\realtech VR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-27 01:10 . 2009-03-29 23:31 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-14 04:47 . 2009-03-03 02:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-14 04:47 . 2008-04-14 00:54 65744 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-13 09:11 . 2009-03-03 02:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 19:17 . 2009-03-05 00:09 -------- d-----w- c:\program files\Prism
2009-07-09 05:49 . 2009-06-21 05:33 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-09 05:49 . 2009-06-21 05:33 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-09 05:49 . 2009-06-21 05:33 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-29 06:32 . 2009-01-25 03:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 06:32 . 2009-01-25 03:27 -------- d-----w- c:\program files\SpywareBlaster
2009-06-23 06:37 . 2007-06-16 20:51 -------- d-----w- c:\program files\Steam
2009-06-20 04:30 . 2009-03-29 23:32 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 15:27 . 2009-03-03 02:46 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-03-03 02:46 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 19:04 . 2009-06-14 21:12 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Dev-Cpp
2009-06-14 23:14 . 2009-06-14 23:14 12811696 ----a-w- C:\wxMSW-2.8.10-Setup.exe
2009-06-14 23:06 . 2009-06-14 23:06 22822954 ----a-w- C:\wxWidgets-2.8.10.zip
2009-06-14 21:18 . 2009-06-14 21:18 9326468 ----a-w- C:\devcpp-4.9.9.2_setup.exe
2009-06-14 21:11 . 2009-06-14 21:11 2465979 ----a-w- C:\devcpp-4.9.9.2_nomingw_setup.exe
2009-06-14 19:54 . 2009-06-14 19:54 140095 ----a-w- C:\MinGW-5.1.4.exe
2009-06-04 05:40 . 2009-06-04 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-04 05:40 . 2009-06-05 17:53 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-04 05:40 . 2009-06-04 05:40 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-04 05:40 . 2009-06-04 05:40 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-04 05:40 . 2009-06-04 05:40 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-04 05:37 . 2009-06-04 05:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-04 05:37 . 2006-09-17 16:41 -------- d-----w- c:\program files\Lavasoft
2009-05-19 05:36 . 2009-06-15 20:11 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 05:36 . 2009-06-15 20:11 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 05:36 . 2009-06-15 20:11 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 05:36 . 2009-06-15 20:11 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 05:36 . 2009-06-15 20:10 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 05:36 . 2009-06-15 20:10 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 05:36 . 2009-06-15 20:11 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 05:36 . 2009-06-15 20:10 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-13 21:10 . 2009-05-13 21:10 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-29 02:45 . 2008-05-03 00:48 4338 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-05-13 21:15 . 2008-06-20 04:16 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2006-12-01 04:55 . 2006-12-01 02:55 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-14 1830128]
"Google Update"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-04 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 169984]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 517768]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2008-06-19 182936]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"="c:\documents and settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" [2007-08-27 687976]

c:\documents and settings\Administrator.HINATA\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-6 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{38101905-D80F-4788-96F6-986A8186178A}"= "c:\windows\system32\flashd32.dll" [2009-07-13 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"comHost"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\vampire the masquerade - bloodlines\\vampire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17300:TCP"= 17300:TCP:BitComet 17300 TCP
"17300:UDP"= 17300:UDP:BitComet 17300 UDP

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [11/2/2008 11:03 PM 59808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/4/2009 1:40 AM 64160]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\F-Secure\HIPS\fshs.sys [11/2/2008 11:03 PM 70752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 12:43 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 12:43 PM 55024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [11/2/2008 11:03 PM 72288]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 12:43 PM 7408]
S0 pretgke;pretgke;c:\windows\system32\drivers\fcyizigi.sys --> c:\windows\system32\drivers\fcyizigi.sys [?]
S0 wwnphu;wwnphu;c:\windows\system32\drivers\taebyj.sys --> c:\windows\system32\drivers\taebyj.sys [?]
S0 yrpditnn;yrpditnn;c:\windows\system32\drivers\kqtrp.sys --> c:\windows\system32\drivers\kqtrp.sys [?]
S2 ybcmhwx;ybcmhwx;c:\windows\system32\drivers\iwgkbqxa.sys --> c:\windows\system32\drivers\iwgkbqxa.sys [?]
S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [11/2/2008 11:03 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [11/2/2008 11:03 PM 25184]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/8/2008 4:33 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 06:19]

2009-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-375724482-1527148427-1044765706-1008Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-04 16:54]

2009-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-375724482-1527148427-1044765706-1008UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-04 16:54]

2009-07-27 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2008-11-03 09:18]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
Trusted Zone: trymedia.com
DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} - hxxp://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0j8wdm56.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 21:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\F-Secure\FWES\Program\fsdc.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\F-Secure\FWES\Program\fsdc.dll

- - - - - - - > 'explorer.exe'(3636)
c:\windows\system32\flashd32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll

- - - - - - - > 'csrss.exe'(728)
c:\program files\F-Secure\FWES\Program\fsdc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\common\FSMA32.EXE
c:\program files\F-Secure\Anti-Virus\fsgk32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\F-Secure\common\FSMB32.EXE
c:\program files\F-Secure\common\FCH32.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\F-Secure\common\FAMEH32.EXE
c:\program files\F-Secure\Anti-Virus\fsqh.exe
c:\program files\F-Secure\common\FNRB32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\FSAUA\program\fsaua.exe
c:\program files\F-Secure\common\FIH32.exe
c:\program files\F-Secure\FWES\program\fsdfwd.exe
c:\windows\system32\dllhost.exe
c:\program files\F-Secure\Anti-Virus\fsav32.exe
c:\windows\system32\wscntfy.exe
c:\program files\F-Secure\FSGUI\fsguidll.exe
.
**************************************************************************
.
Completion time: 2009-07-27 21:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-27 01:15

Pre-Run: 59,432,521,728 bytes free
Post-Run: 61,263,892,480 bytes free

971 --- E O F --- 2009-04-01 03:46



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:19 PM, on 7/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe

--
End of file - 9064 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 July 2009 - 08:43 PM

Hello there,

Youch....that was a lot of stuff deleted, plus the rootkit. Still some to do though.......

First you should know that you're actually doing more harm than good by running 2 anti-virus programs (Norton and F-Secure). When you do this, both programs compete for resources, and the end result is that neither does its best, which can cause system instability. I recommend that you choose the one you want to keep, update it, disable or uninstall the other one, and use it as an on-demand-only scan occasionally.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\system32\drivers\fcyizigi.sys
c:\windows\system32\drivers\taebyj.sys
c:\windows\system32\drivers\kqtrp.sys
c:\windows\system32\drivers\iwgkbqxa.sys

Driver::
fcyizigi
taebyj
kqtrp
iwgkbqxa


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. Please also let me know how it's running now. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
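The script above is built by hand from the four `S0`/`S2` driver entries in the ComboFix log. As an added example (not part of the post above and not ComboFix's own tooling), the Python below parses the service/driver section of a ComboFix log, flags the entries the way a responder would when reading it, and emits the matching `File::` / `Driver::` sections. The sample lines are constructed from the log shape shown earlier in this thread. Two things are assumptions of this example rather than documented ComboFix behaviour: the triage heuristic (a driver whose file ComboFix could not stat, printed as `[?]`, that lives under `system32\drivers` and whose file name does not match its service name), and that `Driver::` takes the service name from the first field of the log line; confirm the latter against ComboFix's own documentation before relying on it.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: a trimmed service/driver section in the same
# shape ComboFix prints (taken from the log lines quoted in this thread).
SAMPLE_LOG = r"""
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [11/2/2008 11:03 PM 59808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 12:43 PM 9968]
S0 pretgke;pretgke;c:\windows\system32\drivers\fcyizigi.sys --> c:\windows\system32\drivers\fcyizigi.sys [?]
S0 wwnphu;wwnphu;c:\windows\system32\drivers\taebyj.sys --> c:\windows\system32\drivers\taebyj.sys [?]
S0 yrpditnn;yrpditnn;c:\windows\system32\drivers\kqtrp.sys --> c:\windows\system32\drivers\kqtrp.sys [?]
S2 ybcmhwx;ybcmhwx;c:\windows\system32\drivers\iwgkbqxa.sys --> c:\windows\system32\drivers\iwgkbqxa.sys [?]
S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/8/2008 4:33 PM 24652]
"""

# <state><start type> <service name>;<display name>;<image path> [<date time size> | ?]
# The shape of this regex is inferred from the log lines, not from a ComboFix spec.
LINE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]+);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

DRIVERS_DIR = "\\windows\\system32\\drivers\\"


@dataclass
class ServiceEntry:
    start: str      # R = running, S = stopped; digit = start type (0 = boot)
    name: str       # service (registry key) name
    display: str    # display name
    path: str       # resolved image path
    verified: bool  # False when ComboFix printed "[?]" instead of date/size


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every service/driver line; ignore anything that does not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # "a --> b" shows the path as registered and as resolved; keep the resolved one.
        path = m.group("path").split(" --> ")[-1].strip()
        if path.startswith("\\??\\"):          # NT object-manager prefix
            path = path[4:]
        entries.append(ServiceEntry(
            start=m.group("start"),
            name=m.group("name").strip(),
            display=m.group("display").strip(),
            path=path,
            verified=m.group("meta").strip() != "?",
        ))
    return entries


def is_suspicious(e: ServiceEntry) -> bool:
    """Triage heuristic (an assumption of this example, not a ComboFix rule):
    the file could not be stat'ed, it sits in system32\\drivers, and the file
    name does not match the service name. Known-vendor drivers under
    Program Files with "[?]" (e.g. Symantec's EraserUtil) are left alone."""
    if e.verified:
        return False
    low = e.path.lower()
    if DRIVERS_DIR not in low:
        return False
    base = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return base != e.name.lower()


def build_cfscript(entries: List[ServiceEntry]) -> str:
    """Emit File:: (image paths) and Driver:: (service names) sections."""
    bad = [e for e in entries if is_suspicious(e)]
    lines = ["File::"] + [e.path for e in bad]
    lines += ["", "Driver::"] + [e.name for e in bad]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_LOG)
    for e in parsed:
        flag = "SUSPICIOUS" if is_suspicious(e) else "ok"
        print(f"{e.start} {e.name:<26} {flag:<10} {e.path}")
    print()
    print(build_cfscript(parsed))
```

Run against a real ComboFix.txt by replacing `SAMPLE_LOG` with the file's contents; the parser skips every line that is not a service entry. The heuristic is deliberately narrow so that legitimate drivers with missing metadata outside `system32\drivers` are not swept up; a responder still reviews the flagged list by hand before turning it into a script.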

#7 Domhnall

Domhnall
  • Topic Starter

  • Members
  • 7 posts

Posted 26 July 2009 - 10:04 PM

It always ran fine, I was just suspicious after finding something that Malware would detect but was unable to get rid of. I did some research online, and decided I would be better off coming here for help.

Also, about Norton...I uninstalled that about a year ago. I remember, because the site I downloaded F-Secure from said to get rid of my old anti-virus before installing F-Secure, and it said it in big, bold letters, so I made sure to do it. I had noticed it left some files on my computer, but I thought that was harmless. Is it still running on my computer somehow?

Anyway, here are the new logs; ComboFix is first, again. HijackThis increased in size, for some reason.

ComboFix:

ComboFix 09-07-25.08 - HP_Administrator 07/26/2009 22:42.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.561 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: F-Secure Client Security 7.12 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Client Security 7.12 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

FILE ::
"c:\windows\system32\drivers\fcyizigi.sys"
"c:\windows\system32\drivers\iwgkbqxa.sys"
"c:\windows\system32\drivers\kqtrp.sys"
"c:\windows\system32\drivers\taebyj.sys"
.

((((((((((((((((((((((((( Files Created from 2009-06-27 to 2009-07-27 )))))))))))))))))))))))))))))))
.

2009-07-20 18:19 . 2009-07-20 18:19 -------- d-----w- C:\temp
2009-07-13 09:56 . 2007-10-23 13:27 110592 ----a-w- c:\documents and settings\HP_Administrator\Application Data\U3\temp\cleanup.exe
2009-07-13 09:38 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\HP_Administrator\Application Data\U3\temp\Launchpad Removal.exe
2009-07-13 09:38 . 2009-07-14 21:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2009-07-13 02:41 . 2009-07-13 02:41 40960 --sh--r- c:\windows\system32\flashd32.dll
2009-07-09 01:13 . 2009-07-09 01:13 -------- d-----w- C:\Python26
2009-07-09 01:08 . 2009-07-09 01:08 -------- d-----w- c:\program files\Blender Foundation
2009-07-01 17:51 . 2009-07-01 17:51 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\realtech_VR
2009-07-01 17:48 . 2009-07-01 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\realtech VR
2009-07-01 17:47 . 2009-07-01 17:47 -------- d-----w- c:\program files\realtech VR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-27 01:10 . 2009-03-29 23:31 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-14 04:47 . 2009-03-03 02:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-14 04:47 . 2008-04-14 00:54 65744 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-13 09:11 . 2009-03-03 02:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 19:17 . 2009-03-05 00:09 -------- d-----w- c:\program files\Prism
2009-07-09 05:49 . 2009-06-21 05:33 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-09 05:49 . 2009-06-21 05:33 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-09 05:49 . 2009-06-21 05:33 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-29 06:32 . 2009-01-25 03:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 06:32 . 2009-01-25 03:27 -------- d-----w- c:\program files\SpywareBlaster
2009-06-23 06:37 . 2007-06-16 20:51 -------- d-----w- c:\program files\Steam
2009-06-20 04:30 . 2009-03-29 23:32 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 15:27 . 2009-03-03 02:46 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-03-03 02:46 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 19:04 . 2009-06-14 21:12 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Dev-Cpp
2009-06-14 23:14 . 2009-06-14 23:14 12811696 ----a-w- C:\wxMSW-2.8.10-Setup.exe
2009-06-14 23:06 . 2009-06-14 23:06 22822954 ----a-w- C:\wxWidgets-2.8.10.zip
2009-06-14 21:18 . 2009-06-14 21:18 9326468 ----a-w- C:\devcpp-4.9.9.2_setup.exe
2009-06-14 21:11 . 2009-06-14 21:11 2465979 ----a-w- C:\devcpp-4.9.9.2_nomingw_setup.exe
2009-06-14 19:54 . 2009-06-14 19:54 140095 ----a-w- C:\MinGW-5.1.4.exe
2009-06-04 05:40 . 2009-06-04 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-04 05:40 . 2009-06-05 17:53 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-04 05:40 . 2009-06-04 05:40 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-04 05:40 . 2009-06-04 05:40 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-04 05:40 . 2009-06-04 05:40 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-04 05:37 . 2009-06-04 05:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-04 05:37 . 2006-09-17 16:41 -------- d-----w- c:\program files\Lavasoft
2009-05-19 05:36 . 2009-06-15 20:11 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 05:36 . 2009-06-15 20:11 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 05:36 . 2009-06-15 20:11 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 05:36 . 2009-06-15 20:11 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 05:36 . 2009-06-15 20:10 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 05:36 . 2009-06-15 20:10 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 05:36 . 2009-06-15 20:11 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 05:36 . 2009-06-15 20:10 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-13 21:10 . 2009-05-13 21:10 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-29 02:45 . 2008-05-03 00:48 4338 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-05-13 21:15 . 2008-06-20 04:16 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2006-12-01 04:55 . 2006-12-01 02:55 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-14 1830128]
"Google Update"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-04 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 169984]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 517768]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2008-06-19 182936]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"="c:\documents and settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" [2007-08-27 687976]

c:\documents and settings\Administrator.HINATA\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-6 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{38101905-D80F-4788-96F6-986A8186178A}"= "c:\windows\system32\flashd32.dll" [2009-07-13 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"comHost"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\vampire the masquerade - bloodlines\\vampire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17300:TCP"= 17300:TCP:BitComet 17300 TCP
"17300:UDP"= 17300:UDP:BitComet 17300 UDP

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [11/2/2008 11:03 PM 59808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/4/2009 1:40 AM 64160]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\F-Secure\HIPS\fshs.sys [11/2/2008 11:03 PM 70752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 12:43 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 12:43 PM 55024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [11/2/2008 11:03 PM 72288]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 12:43 PM 7408]
S0 pretgke;pretgke;c:\windows\system32\drivers\fcyizigi.sys --> c:\windows\system32\drivers\fcyizigi.sys [?]
S0 wwnphu;wwnphu;c:\windows\system32\drivers\taebyj.sys --> c:\windows\system32\drivers\taebyj.sys [?]
S0 yrpditnn;yrpditnn;c:\windows\system32\drivers\kqtrp.sys --> c:\windows\system32\drivers\kqtrp.sys [?]
S2 ybcmhwx;ybcmhwx;c:\windows\system32\drivers\iwgkbqxa.sys --> c:\windows\system32\drivers\iwgkbqxa.sys [?]
S3 EraserUtilDrv10741;EraserUtilDrv10741;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [11/2/2008 11:03 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [11/2/2008 11:03 PM 25184]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/8/2008 4:33 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 06:19]

2009-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-375724482-1527148427-1044765706-1008Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-04 16:54]

2009-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-375724482-1527148427-1044765706-1008UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-04 16:54]

2009-07-27 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2008-11-03 09:18]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
Trusted Zone: trymedia.com
DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} - hxxp://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0j8wdm56.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 22:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\F-Secure\FWES\Program\fsdc.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\F-Secure\FWES\Program\fsdc.dll

- - - - - - - > 'explorer.exe'(3476)
c:\windows\system32\flashd32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll

- - - - - - - > 'csrss.exe'(728)
c:\program files\F-Secure\FWES\Program\fsdc.dll
.
Completion time: 2009-07-27 22:51
ComboFix-quarantined-files.txt 2009-07-27 02:50
ComboFix2.txt 2009-07-27 01:15

Pre-Run: 61,269,286,912 bytes free
Post-Run: 61,254,471,680 bytes free

242 --- E O F --- 2009-04-01 03:46




HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:43 PM, on 7/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe

--
End of file - 9377 bytes

#8 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:54 AM
Posted 26 July 2009 - 11:00 PM

Hello,

Norton is famous for its dirty uninstalls. :thumbup2: Yes, several entries in the logs for it. Let's get rid of them:

The Norton uninstall tool uninstalls ALL Norton 2004/2005/2006/2007/2008/2009 products from your computer. It also uninstalls Norton Ghost 10.0/9.0/2003. http://service1.symantec.com/SUPPORT/tsgen...005033108162039

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/REALUPREBOOT /temp /patched"
O15 - Trusted Zone: http://*.trymedia.com (HKLM)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

In your reply, please post a new HijackThis log so I can be sure all those entries are gone. :)

F-Secure is right.....it's best to only run one antivirus program; otherwise you get much higher resource usage with the two trying to detect at once, and even system instability, especially with Norton being so heavy to begin with.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
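Reading a HijackThis log for orphaned entries, as the post above does by eye, can be automated. The script below is an added example and is not HijackThis code or the poster's own procedure. It parses the line shape visible in the logs on this page (an `O<n> - ` or `R<n> - ` prefix followed by ` - `-separated fields, usually ending in a CLSID and a path) and flags for review any entry ending in `(no file)` or `(file missing)`, O15 Trusted Zone entries, pending O4 RunOnce entries, and O20 Winlogon Notify DLLs. The sample lines are copied from the logs in this thread; the flagging rules are this example's own heuristics (an assumption about what merits a second look), not HijackThis's analysis.

```python
import re

# Added example, not HijackThis code: the line shape is taken from the logs
# posted in this thread ("O2 - BHO: <name> - {CLSID} - <path>", etc.).
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis prints these markers when the registered file is absent.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_line(line):
    """Split one log line into (kind, body, clsid); None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    c = CLSID.search(body)
    return kind, body, (c.group(0).upper() if c else None)


def classify(line):
    """Return why an entry deserves a second look, or None if it is unremarkable.

    The rules are this example's own heuristics (an assumption), chosen to
    match what the helper in this thread picked out by hand.
    """
    parsed = parse_line(line)
    if parsed is None:
        return None
    kind, body, _clsid = parsed
    if body.endswith(ORPHAN_MARKERS):
        return "orphan: registry entry points at a file that no longer exists"
    if kind == "O15":
        return "trusted zone: site gets relaxed IE security settings; confirm it is wanted"
    if kind == "O4" and "RunOnce" in body:
        return "pending RunOnce: verify it belongs to software that is still installed"
    if kind == "O20":
        return "Winlogon Notify DLL: loaded at every logon; confirm the vendor"
    return None


def triage(lines):
    """Return [(kind, clsid, reason, line)] for every flagged entry, in log order."""
    flagged = []
    for line in lines:
        reason = classify(line)
        if reason is not None:
            kind, _body, clsid = parse_line(line)
            flagged.append((kind, clsid, reason, line.strip()))
    return flagged


def orphan_clsids(lines):
    """Deduplicated, sorted CLSIDs of orphaned entries (a BHO and a toolbar may share one)."""
    return sorted({clsid for _k, clsid, reason, _l in triage(lines)
                   if reason.startswith("orphan") and clsid})


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\HP_Administrator\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/REALUPREBOOT /temp /patched"
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
""".strip().splitlines()


if __name__ == "__main__":
    for kind, clsid, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
    print("orphan CLSIDs:", ", ".join(orphan_clsids(SAMPLE_LOG)))
```

Run against the sample, the script flags the same six entries the post above asked to be fixed plus the BitComet button marked `(file missing)`, and lists the SUPERAntiSpyware Winlogon Notify DLL as a review item only (it is legitimate here; the rule exists because that hook runs at every logon). Orphaned entries are harmless on their own, but they are the leftover trail of an uninstall and are what the helper used to spot the Norton residue.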

#9 Domhnall

Domhnall
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:54 AM
Posted 27 July 2009 - 12:13 AM

Here you go, the latest HijackThis log. Just an idle question: am I supposed to leave these entries?

O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe


HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:47 AM, on 7/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exe
C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: F-Secure BlackLight Sensor - F-Secure Corporation - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe

--
End of file - 8752 bytes

#10 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:54 AM
Posted 27 July 2009 - 12:43 AM

You ran the removal tool and those are still there?

#11 Domhnall

Domhnall
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:54 AM
Posted 27 July 2009 - 01:50 AM

I feel stupid; I missed all of that about the Remover tool in your original post. Sorry about that. Ran it, and here's the updated HijackThis log.

Side note: When I started my computer again, it opened Internet Explorer and tried to visit this site:
http://www.symantec.com/techsupp/servlet/P...000096.000001d8

It failed because the computer's not connected right now, but I'm assuming that's to notify me that Norton was removed?

Anyway, the log.

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:50 AM, on 7/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 7948 bytes
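The O9/O16/O20/O23 entries above are the part of a HijackThis log a helper reads by eye: is the file still there, is the service signed by a known publisher, does the path sit somewhere an installer would put it. The script below is an added example (not from this thread, not a HijackThis or BleepingComputer tool) that parses those four entry types into records and applies that first-pass read. The `TRUSTED_ROOTS` allowlist is an assumption for the example, and the "Unknown owner" service in `SAMPLE_LOG` is a constructed line added to show the rules firing; the other sample lines are taken from the log above.

```python
"""Parse and triage HijackThis-style O9/O16/O20/O23 log entries.

Added example, not part of the thread. Only the four sections shown in the
log above are handled; other HJT sections (R0, O2, O4, ...) are skipped.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Entry:
    section: str          # "O9", "O16", "O20", "O23"
    kind: str             # "Extra button", "DPF", "Winlogon Notify", "Service"
    name: str             # display name of the item
    target: str           # file path or URL the entry points at
    vendor: str = ""      # O23 only: publisher string HJT prints
    clsid: str = ""       # O9/O16 only
    file_missing: bool = False
    raw: str = ""


@dataclass
class Finding:
    entry: Entry
    reason: str


LINE_RE = re.compile(r"^(O\d+) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"
# Assumption for this example: where an installed component is expected to live.
# A real review also checks the publisher/signature of each file, not just its path.
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")

# Constructed sample: five lines from the log above plus one made-up service
# ("Unknown owner", binary in a Temp directory) so the triage rules have something to flag.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Helper (helpersvc) - Unknown owner - C:\DOCUME~1\USER\LOCALS~1\Temp\helper.exe
--
End of file - 1234 bytes
"""


def _rsplit(s: str, n: int):
    """Split on ' - ' from the right into exactly n+1 parts, padding with ''."""
    parts = [p.strip() for p in s.rsplit(" - ", n)]
    return parts + [""] * (n + 1 - len(parts))


def parse_line(line: str):
    """Return an Entry for an O9/O16/O20/O23 line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    missing = MISSING in body
    body = body.replace(MISSING, "").strip()
    if ": " not in body:
        return Entry(section, "", body, "", file_missing=missing, raw=line)
    kind, rest = body.split(": ", 1)
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else ""
    if section == "O23":
        # Service: Name (ShortName) - Vendor - Path
        name, vendor, target = _rsplit(rest, 2)
        return Entry(section, kind, name, target, vendor=vendor, file_missing=missing, raw=line)
    if section == "O9":
        # Extra button: Name - {CLSID} - Path   (the Name itself may contain " - ")
        name, _, target = _rsplit(rest, 2)
        return Entry(section, kind, name, target, clsid=clsid, file_missing=missing, raw=line)
    # O16 "DPF: {CLSID} (Class) - URL" and O20 "Winlogon Notify: Name - Path"
    head, target = _rsplit(rest, 1)
    name = CLSID_RE.sub("", head).strip().strip("()")
    return Entry(section, kind, name, target, clsid=clsid, file_missing=missing, raw=line)


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def _local_path(target: str):
    """Lower-cased file path for the location rule; None for URLs or empty targets."""
    t = target.lower()
    if t.startswith("res://"):
        t = t[len("res://"):]
    if not t or t.startswith(("http://", "https://")):
        return None
    return t


def triage(entries):
    """First-pass rules a log reviewer applies before looking anything up."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append(Finding(e, "orphaned entry, target file no longer exists"))
        if e.section == "O20":
            findings.append(Finding(e, "Winlogon Notify DLL is loaded by winlogon at logon, confirm publisher"))
        if e.section == "O16":
            host = urlparse(e.target).netloc
            findings.append(Finding(e, f"ActiveX download point from {host}, confirm it is expected"))
        if e.section == "O23" and e.vendor.lower() == "unknown owner":
            findings.append(Finding(e, "service with no publisher string, verify the binary"))
        p = _local_path(e.target)
        if p is not None and not p.startswith(TRUSTED_ROOTS):
            findings.append(Finding(e, "target lives outside Program Files/Windows"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.entry.section:4} {f.entry.name!r}: {f.reason}")
```

Run it as-is to see the constructed log triaged: the BitComet button is reported as orphaned because of its "(file missing)" marker, the O16 and O20 lines are surfaced for a publisher check (both are benign here, which is exactly the judgement the rules leave to the reviewer), and the made-up "Helper" service is flagged twice, once for "Unknown owner" and once for living in a Temp directory. Entries like the Java Quick Starter service, with a known vendor and a Program Files path, produce nothing.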

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:54 AM

Posted 27 July 2009 - 03:10 AM

Hi there,

Don't feel stupid... I've always felt the people I help do a pretty amazing job considering they're frustrated and being asked by a stranger to trust them with their computers. :)

That log looks great, sans Norton entries. :thumbup2:

The following will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

Great tips and info-----> http://mvps.org/winhelp2002/unwanted.htm

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#13 Domhnall

Domhnall
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:54 AM

Posted 27 July 2009 - 03:46 AM

I can't thank you enough for helping me with this (and staying up until 4 in the morning; I can't imagine how tired you must be if you do that constantly).

Here's hoping to fewer problems, patient posters, and better hours.

Get some well-deserved sleep and take care yourself.

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:54 AM

Posted 27 July 2009 - 04:37 AM

You're most welcome. Thank you... I'm tired, but I'm all right. I tend to get my days and nights mixed up sometimes so this isn't unusual. :thumbup2:

Happy computing

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:54 AM

Posted 29 July 2009 - 08:33 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.