Am I infected?



#1 cienmashow

Posted 20 April 2010 - 04:48 PM

Hi All

Thanks for being there. I am a total novice when it comes to computers and computer terms and descriptions. I believe my wife has installed either a keyboard strike recorder or some other covert spy-ware. In fact, as I was logging in to HijackThis, my "clear recent history" icon popped up.
My wife works for a university and has had much training on computer forensics etc. and the recovery of erased hard drives, etc etc. She is an investigator at this university. She and I have discussed divorce. She has been able to tell me about the details of emails from an account that I had kept secure.

Can someone assist me in interpreting the findings of my HijackThis PC scan and log? I haven't 'fixed' any items, as I have no idea which are malicious or not. Is there a list posted where I can look for spy-ware she has introduced into my PC?

Any assistance would be greatly appreciated.

I've followed the instructions posted in the preparation guide before use.

I have followed your instructions and have run logs as recommended.

I've run HijackThis and retained the log.
I've run DDS and retained the log.
I have also run GMER and retained log.

Please advise me as to where I should proceed with this information.

Thanks,
Cinemashow

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 13:52:48.46 on Tue 04/20/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1031 [GMT -7:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\hp\kbd\kbd.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\p2phost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uStart Page = hxxp://google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\c1s1hgh0.default
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-7 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-7 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-7 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100415.001\IDSvix86.sys [2010-4-18 343088]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-7 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-9 102448]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-7-14 1443584]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0308000.029\symndisv.sys [2010-2-7 48688]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-2-6 21504]

=============== Created Last 30 ================

2010-04-20 17:52:56 0 d-----w- c:\program files\common files\DivX Shared
2010-04-20 17:52:30 0 d-----w- c:\program files\DivX
2010-04-20 17:44:21 0 d-----w- c:\programdata\DivX
2010-04-19 21:16:37 0 d-----w- c:\users\owner\appdata\roaming\PeerNetworking
2010-04-19 17:58:26 0 d-----w- c:\program files\Trend Micro
2010-04-16 15:47:17 0 d-----w- c:\programdata\Sun
2010-04-16 15:46:39 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-13 21:47:31 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 21:47:31 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 21:47:31 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 21:47:26 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 21:47:26 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 21:47:22 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 21:47:20 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-13 21:47:20 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-13 21:47:16 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 21:47:15 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 21:47:15 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 21:46:46 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 21:46:38 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-10 06:21:23 0 d-----w- c:\program files\iPod
2010-04-10 06:21:21 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-10 06:21:21 0 d-----w- c:\program files\iTunes
2010-04-10 06:16:28 0 d-----w- c:\program files\Bonjour
2010-04-06 18:48:03 0 d-----w- c:\program files\Microsoft IntelliPoint
2010-04-06 18:45:41 0 d-----w- c:\program files\Microsoft IntelliType Pro
2010-03-31 01:58:24 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-03-23 01:19:36 0 d-----w- c:\program files\aaa PEP STUFF
2010-03-23 01:18:52 0 d-----w- c:\program files\tamasoftware

==================== Find3M ====================

2010-04-10 06:17:12 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-10 06:17:12 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-10 06:17:12 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-01 17:17:37 2804 ----a-w- c:\users\owner\appdata\roaming\wklnhst.dat
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-08 04:27:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-06 18:29:59 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-06 16:45:15 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-02-06 16:25:07 174 --sha-w- c:\program files\desktop.ini
2010-02-06 16:03:35 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-02-06 16:03:28 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-02-06 02:41:13 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-02-06 02:41:00 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-02-06 02:40:49 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-02-06 02:40:49 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-02-05 23:32:35 102451 ----a-w- c:\windows\hpqins13.dat
2010-02-05 23:29:13 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-02-05 23:29:11 315392 ----a-w- c:\windows\HideWin.exe
2010-02-05 22:52:24 356576 ----a-w- c:\windows\fonts\monbaiti.ttf
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:53:31.36 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-24 00:47:26
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kwlcapow.sys


---- System - GMER 1.0.15 ----

SSDT 88370590 ZwAlertResumeThread
SSDT 88377068 ZwAlertThread
SSDT 883772E8 ZwAllocateVirtualMemory
SSDT 88268B00 ZwAlpcConnectPort
SSDT 88375478 ZwAssignProcessToJobObject
SSDT 88375940 ZwCreateMutant
SSDT 883751F8 ZwCreateSymbolicLinkObject
SSDT 882C5110 ZwCreateThread
SSDT 88375538 ZwDebugActiveProcess
SSDT 88374140 ZwDuplicateObject
SSDT 88377C78 ZwFreeVirtualMemory
SSDT 88375A10 ZwImpersonateAnonymousToken
SSDT 88377EC0 ZwImpersonateThread
SSDT 8826B098 ZwLoadDriver
SSDT 883748B0 ZwMapViewOfSection
SSDT 88375880 ZwOpenEvent
SSDT 8835C570 ZwOpenProcess
SSDT 882AE110 ZwOpenProcessToken
SSDT 88375700 ZwOpenSection
SSDT 883741E8 ZwOpenThread
SSDT 883753A8 ZwProtectVirtualMemory
SSDT 882A1268 ZwResumeThread
SSDT 882C4110 ZwSetContextThread
SSDT 88374820 ZwSetInformationProcess
SSDT 883755F8 ZwSetSystemInformation
SSDT 883757C0 ZwSuspendProcess
SSDT 88373DE8 ZwSuspendThread
SSDT 882A8510 ZwTerminateProcess
SSDT 88360050 ZwTerminateThread
SSDT 882C3120 ZwUnmapViewOfSection
SSDT 88377258 ZwWriteVirtualMemory
SSDT 883752C8 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 822B5880 8 Bytes [90, 05, 37, 88, 68, 70, 37, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 822B5894 4 Bytes CALL 65B3900B
.text ntkrnlpa.exe!KeSetEvent + 13D 822B58A0 4 Bytes [00, 8B, 26, 88]
.text ntkrnlpa.exe!KeSetEvent + 191 822B58F4 4 Bytes [78, 54, 37, 88]
.text ntkrnlpa.exe!KeSetEvent + 1F5 822B5958 4 Bytes [40, 59, 37, 88]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EC07340, 0x3DA8C7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[5004] ntdll.dll!LdrLoadDll 76FA9390 5 Bytes JMP 00FC003A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

ComboFix 10-04-19.08 - Owner 04/20/2010 14:24:18.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1100 [GMT -7:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-4194855376-1262279368-2893538698-500
c:\users\dave kraus\Documents\My Documents.url

.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-20 21:28 . 2010-04-20 21:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-20 18:52 . 2010-04-20 18:52 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-20 17:53 . 2010-04-20 17:44 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-04-20 17:53 . 2010-04-20 17:53 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-20 17:53 . 2010-04-06 19:04 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-20 17:53 . 2010-04-20 17:53 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-20 17:53 . 2010-04-20 17:53 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-04-20 17:53 . 2010-04-20 17:53 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-04-20 17:53 . 2010-04-20 17:53 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-20 17:52 . 2010-04-20 17:52 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-04-20 17:52 . 2010-04-20 17:52 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-20 17:52 . 2010-04-20 17:53 -------- d-----w- c:\program files\DivX
2010-04-20 17:44 . 2010-04-20 17:44 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-20 17:44 . 2010-04-20 17:53 -------- d-----w- c:\programdata\DivX
2010-04-19 21:16 . 2010-04-19 21:16 -------- d-----w- c:\users\Owner\AppData\Roaming\PeerNetworking
2010-04-19 17:58 . 2010-04-19 17:58 -------- d-----w- c:\program files\Trend Micro
2010-04-19 17:44 . 2010-02-07 19:34 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100419.002\NAVENG.SYS
2010-04-19 17:44 . 2010-02-07 19:34 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100419.002\EECTRL.SYS
2010-04-19 17:44 . 2010-02-07 19:34 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100419.002\CCERASER.DLL
2010-04-19 17:44 . 2010-02-07 19:34 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100419.002\ECMSVR32.DLL
2010-04-19 17:44 . 2010-02-07 19:34 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100419.002\NAVENG32.DLL
2010-04-19 17:44 . 2010-02-07 19:34 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100419.002\NAVEX32A.DLL
2010-04-19 17:44 . 2010-02-07 19:34 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100419.002\NAVEX15.SYS
2010-04-19 17:44 . 2010-02-07 19:34 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100419.002\ERASER.SYS
2010-04-18 16:00 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSvix86.sys
2010-04-18 16:00 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\Scxpx86.dll
2010-04-18 16:00 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSxpx86.dll
2010-04-18 16:00 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSXpx86.sys
2010-04-18 16:00 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSviA64.sys
2010-04-16 15:46 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-16 15:33 . 2010-02-13 01:41 558448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-04-16 15:33 . 2010-02-02 03:20 165240 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-04-13 21:47 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 21:47 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 21:47 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 21:47 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 21:47 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 21:47 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 21:47 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 21:47 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 21:47 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 21:46 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 21:46 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-11 10:00 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-11 10:00 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-11 10:00 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-11 10:00 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSviA64.sys
2010-04-11 10:00 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-10 06:21 . 2010-04-10 06:21 -------- d-----w- c:\program files\iPod
2010-04-10 06:21 . 2010-04-10 06:21 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-10 06:21 . 2010-04-10 06:21 -------- d-----w- c:\program files\iTunes
2010-04-10 06:19 . 2010-04-10 06:19 -------- d-----w- c:\program files\QuickTime
2010-04-10 06:16 . 2010-04-10 06:16 -------- d-----w- c:\program files\Bonjour
2010-04-10 06:15 . 2010-04-10 06:15 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-06 18:48 . 2010-04-06 18:48 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-04-06 18:45 . 2010-04-06 18:46 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-03-31 14:53 . 2010-03-31 14:53 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-03-23 01:19 . 2010-03-23 01:19 -------- d-----w- c:\program files\aaa PEP STUFF
2010-03-23 01:18 . 2010-03-23 01:18 -------- d-----w- c:\program files\tamasoftware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 15:47 . 2010-02-05 23:39 -------- d-----w- c:\program files\Common Files\Java
2010-04-16 15:46 . 2010-02-05 23:39 -------- d-----w- c:\program files\Java
2010-04-14 10:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-14 10:04 . 2010-02-19 00:08 -------- d-----w- c:\programdata\Microsoft Help
2010-04-10 06:21 . 2010-02-12 17:54 -------- d-----w- c:\program files\Common Files\Apple
2010-04-06 18:54 . 2010-02-06 02:50 92808 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-01 17:17 . 2010-02-09 05:19 2804 ----a-w- c:\users\Owner\AppData\Roaming\wklnhst.dat
2010-02-24 17:16 . 2010-02-06 10:13 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-31 14:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 14:54 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 14:54 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 14:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-23 01:06 . 2010-02-05 23:38 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-20 23:06 . 2010-03-10 11:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 11:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 11:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-16 04:50 . 2010-02-06 03:22 680 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-09 05:16 . 2010-02-09 05:16 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-02-09 05:16 . 2010-02-09 05:16 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2010-02-08 04:27 . 2010-02-08 04:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-08 04:27 . 2010-02-08 04:27 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-08 04:27 . 2010-02-08 04:27 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-02-08 04:27 . 2010-02-08 04:27 1291104 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-02-08 04:27 . 2010-02-08 04:27 136840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-02-08 04:27 . 2010-02-08 04:27 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-08 04:27 . 2010-02-08 04:27 771440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-02-07 05:23 . 2010-02-07 05:23 0 ----a-w- c:\windows\nsreg.dat
2010-02-06 18:29 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-06 16:03 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-02-06 16:03 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-02-06 02:41 . 2010-02-06 02:41 53472 ----a-w- c:\windows\system32\wuauclt.exe
2010-02-06 02:41 . 2010-02-06 02:41 44768 ----a-w- c:\windows\system32\wups2.dll
2010-02-06 02:41 . 2010-02-06 02:41 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-02-06 02:41 . 2010-02-06 02:41 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2010-02-06 02:41 . 2010-02-06 02:41 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-02-06 02:41 . 2010-02-06 02:41 575704 ----a-w- c:\windows\system32\wuapi.dll
2010-02-06 02:41 . 2010-02-06 02:41 35552 ----a-w- c:\windows\system32\wups.dll
2010-02-06 02:40 . 2010-02-06 02:40 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-02-06 02:40 . 2010-02-06 02:40 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-02-05 23:32 . 2010-02-05 23:32 102451 ----a-w- c:\windows\hpqins13.dat
2010-02-05 23:29 . 2010-02-05 23:29 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-02-05 23:29 . 2010-02-05 23:29 315392 ----a-w- c:\windows\HideWin.exe
2010-02-05 22:56 . 2006-11-02 08:51 12800 ------w- c:\windows\system32\drivers\sffp_sd.sys
2010-02-05 22:56 . 2006-11-02 08:51 12800 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2010-02-05 22:56 . 2006-11-02 08:51 13312 ------w- c:\windows\system32\drivers\sffdisk.sys
2010-01-25 12:00 . 2010-02-24 09:49 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 09:48 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 09:48 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 09:49 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 09:48 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 09:49 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 09:49 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 09:49 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:21 . 2010-02-24 09:48 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-23 09:26 . 2010-02-24 09:51 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 4702208]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-30 278528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 1501064]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):98,ba,17,6e,4d,a7,ca,01

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-02-08 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-02-08 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-02-08 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100415.001\IDSvix86.sys [2009-10-28 343088]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-02-08 117640]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-02-07 102448]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-07-15 1443584]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-02-08 48688]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - KWLCAPOW
*Deregistered* - kwlcapow

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\User_Feed_Synchronization-{F626E4B7-5E15-48FE-ACAB-E2A71DAB3573}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\c1s1hgh0.default
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Musicnotes\npmusicn.dll
FF - plugin: c:\program files\Musicnotes\NPSibelius.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 14:28
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\4&3b1740d6&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\4&3b1740d6&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A2\4&3b1740d6&0&UID256\Device Parameters\MODES]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A2\4&3b1740d6&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A2\4&3b1740d6&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\SAM00A1\4&3b1740d6&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\SAM00A1\4&3b1740d6&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
Completion time: 2010-04-20 14:30:59
ComboFix-quarantined-files.txt 2010-04-20 21:30

Pre-Run: 170,805,215,232 bytes free
Post-Run: 170,858,057,728 bytes free

- - End Of File - - 5E7AC03DA99E243289683F85A10527A4

Thanks, Orange Blossom.
I really appreciate any help you are able to provide.
Waiting for your analysis and instructions.
Thank you,
Cinemashow

Not my analysis. Please be patient, it may be a couple more days or so before your topic is picked up. ~ OB

Merged log containing posts to initial logless post. ~ OB

Edited by Orange Blossom, 24 April 2010 - 09:41 AM.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:30 PM

Posted 25 April 2010 - 06:48 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 cienmashow

cienmashow
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northern California
  • Local time:10:30 AM

Posted 26 April 2010 - 10:09 PM

Thank you for your assistance, m0le.

Any help provided would be greatly appreciated. I'm new to Bleeping Computer and need some guidance.
Thanks for the help!
cinemashow

Edited by cienmashow, 26 April 2010 - 10:11 PM.



#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:30 PM

Posted 27 April 2010 - 06:21 PM

Hi,

Well, the first thing I'd ask is have you been infected before on this machine. If so then the PC is compromised - meaning that it can be vulnerable from spyware and the only proper permanent fix is a reinstall.

If you've not been infected previously then we may be able to clean up the PC and reassure you/inform you of what is happening.

Please do not run Combofix on your own. You yourself said that you were a novice and Combofix is capable of killing your machine stone dead without proper instruction from a malware response team member.


Okay, so answer the first question and we'll take it from there.

m0le
m0le is a proud member of UNITE

#6 cienmashow

cienmashow
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northern California
  • Local time:10:30 AM

Posted 27 April 2010 - 11:26 PM

Hi m0le

This computer has a new hard drive in it, but not because of any viral infection. I thought my old hard drive was making a noise, so I had Best Buy install a new hard drive under warranty.

I will say that my browser was very very slow and timed out frequently with the old hard drive. After installing the new hard drive, this hasn't been a problem. I had a registry error correction program running, I've always had Nortons installed etc. I fiddled with help desk from Nortons configuring settings, contacted my ISP and fiddled with settings...but the old drive was still super slow. Inexplicably.

Browsing speed is fine with the new hard drive now.

As I mentioned, I have very strong suspicions that I've been seriously compromised.

Thanks for any and all help, m0le.

Cinemashow

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:30 PM

Posted 28 April 2010 - 04:24 PM

Okay, let's run two programs which find and remove malware.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Let's see if that throws up anything.
m0le is a proud member of UNITE

#8 cienmashow

cienmashow
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northern California
  • Local time:10:30 AM

Posted 30 April 2010 - 12:04 AM

#9 cienmashow

cienmashow
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northern California
  • Local time:10:30 AM

Posted 30 April 2010 - 12:06 AM

Hi m0le
Here are the results of the Malwarebytes scan

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/29/2010 9:46:55 PM
mbam-log-2010-04-29 (21-46-55).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 273332
Time elapsed: 52 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\dave kraus\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:30 PM

Posted 30 April 2010 - 01:37 PM

Did you run SAS too?
m0le is a proud member of UNITE

#11 cienmashow

cienmashow
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Northern California
  • Local time:10:30 AM

Posted 30 April 2010 - 05:01 PM

Hi m0le
I ran SAS as well. I didn't get a chance to retrieve the results. You have to restart your computer and open it. I will perform this task and send you the results this evening. It showed one tracking item. I had the program remove the tracking item.
Thanks for your help!
cinemashow

#12 cienmashow

cienmashow
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Northern California
  • Local time:10:30 AM

Posted 01 May 2010 - 12:05 AM

Hi m0le
Here are the results from the SAS scan:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/29/2010 at 10:38 PM

Application Version : 4.36.1006

Core Rules Database Version : 4870
Trace Rules Database Version: 2682

Scan type : Complete Scan
Total Scan Time : 00:29:18

Memory items scanned : 807
Memory threats detected : 0
Registry items scanned : 6853
Registry threats detected : 0
File items scanned : 30550
File threats detected : 29

Adware.Tracking Cookie
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@2o7[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@xm.xtendmedia[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@ads.gamersmedia[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@cdn4.specificclick[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@ad.yieldmanager[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@serving-sys[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@media6degrees[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@adx.bidsystem[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@bannertgt[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@media.adfrontiers[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@livenation.122.2o7[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@pointroll[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@ads.pointroll[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@adecn[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@warnerbros.112.2o7[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@247realmedia[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@specificclick[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@specificmedia[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@revsci[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@adbrite[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@invitemedia[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@ads.undertone[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@bs.serving-sys[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@oasn04.247realmedia[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@rotator.adjuggler[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@trafficmp[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@content.yieldmanager[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@content.yieldmanager[3].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@ads.bridgetrack[1].txt

Thanks for any input or suggestions you might have.
Thanks for your work on my case. It is appreciated.
Please advise
Thanks,
Cinemashow
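The SAS log above reports 29 file threats, all under a single heading, Adware.Tracking Cookie, and the Malwarebytes log earlier in the thread reports one Rogue.Link item; the two sets of paths also sit under different user profiles (C:\Users\Owner and C:\Users\dave kraus). As an added example, not part of this thread and not code from either tool, here is a small Python script that parses logs in those two layouts, checks the number of items parsed against the summary count SAS prints (a cheap test that the paste is complete), separates tracking cookies from categories that deserve a closer look, and lists which Windows profiles the detected files belong to. The logs embedded in it are constructed samples modelled on the ones posted: the cookie paths are cut down to two, and the Trojan.Agent/Gen block with its Temp path is made up purely to exercise the non-cookie branch. The LOW_RISK_CATEGORIES set is this example's own judgement, not a list from either vendor.

```python
import re
from collections import defaultdict

# Constructed sample logs for this example. They imitate the layout of the
# SUPERAntiSpyware and Malwarebytes logs quoted in the thread; the second SAS
# category block and its path are made up to show a non-cookie finding.
SAS_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/29/2010 at 10:38 PM

Memory items scanned : 807
Memory threats detected : 0
Registry items scanned : 6853
Registry threats detected : 0
File items scanned : 30550
File threats detected : 3

Adware.Tracking Cookie
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@2o7[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@serving-sys[2].txt

Trojan.Agent/Gen
C:\Users\Owner\AppData\Local\Temp\sample.exe
"""

MBAM_LOG = r"""Files Infected:
C:\Users\dave kraus\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.
"""

# In a SAS log a detection item is a file path or a registry key; any other
# non-blank line directly above a run of items is the category heading.
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HKLM|HKCU|HKU|HKCR|HKEY_)")
# Malwarebytes writes one item per line as "<path> (<category>) -> <action>".
MBAM_ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+)$")
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)

# Categories this example treats as noise rather than evidence of compromise
# (an assumption for the example, not a vendor classification).
LOW_RISK_CATEGORIES = {"Adware.Tracking Cookie"}


def parse_sas_log(text):
    """Return {category: [item, ...]} from a SUPERAntiSpyware-style log."""
    findings = defaultdict(list)
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            category = None          # a blank line closes the current category block
        elif ITEM_RE.match(line):
            if category is not None:
                findings[category].append(line)
        else:
            category = line          # heading such as "Adware.Tracking Cookie"
    return dict(findings)


def parse_mbam_log(text):
    """Return {category: [(item, action), ...]} from a Malwarebytes-style log."""
    findings = defaultdict(list)
    for raw in text.splitlines():
        m = MBAM_ITEM_RE.match(raw.strip())
        if m:
            findings[m["category"]].append((m["item"], m["action"]))
    return dict(findings)


def declared_file_threats(text):
    """The file-threat count SAS prints in its summary, for cross-checking."""
    m = re.search(r"^File threats detected\s*:\s*(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def triage(findings):
    """Split findings into low-risk categories and those needing a closer look."""
    low, review = {}, {}
    for category, items in findings.items():
        (low if category in LOW_RISK_CATEGORIES else review)[category] = items
    return low, review


def profiles_touched(paths):
    """Sorted list of Windows user profiles the detected files belong to."""
    profiles = set()
    for path in paths:
        m = PROFILE_RE.match(path)
        if m:
            profiles.add(m.group(1))
    return sorted(profiles)


def summarize(sas_text, mbam_text):
    """Combine both logs into one triage verdict."""
    sas = parse_sas_log(sas_text)
    mbam = parse_mbam_log(mbam_text)
    sas_low, sas_review = triage(sas)
    mbam_low, mbam_review = triage(mbam)
    paths = [p for items in sas.values() for p in items]
    paths += [item for items in mbam.values() for item, _ in items]
    return {
        "sas_declared": declared_file_threats(sas_text),
        "sas_parsed": sum(len(v) for v in sas.values()),
        "low_risk_items": sum(len(v) for v in sas_low.values())
                          + sum(len(v) for v in mbam_low.values()),
        "needs_review": sorted(set(sas_review) | set(mbam_review)),
        "profiles": profiles_touched(paths),
    }


if __name__ == "__main__":
    for key, value in summarize(SAS_LOG, MBAM_LOG).items():
        print(f"{key}: {value}")
```

A declared count that differs from the parsed count means the paste was truncated or the parser missed a block, so that mismatch is worth checking before drawing any conclusion from the log; the profile list matters here because findings under one profile say nothing about what is installed under another.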

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:30 PM

Posted 01 May 2010 - 03:03 AM

The SAS scan does not show anything malicious, just tracking cookies. No sign of a compromised system so far.


We are going to run Dr Web. This runs in safe mode as below.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

m0le is a proud member of UNITE

#14 cienmashow

cienmashow
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Northern California
  • Local time:10:30 AM

Posted 01 May 2010 - 09:12 PM

Got it, m0le.
I'll run it tomorrow... working today.
thanks for your help !
cinemashow

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:30 PM

Posted 05 May 2010 - 06:47 PM

Hi,

I have not had a reply from you for 4 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE



