Log for your perusal



#1 Gavriel
Posted 05 August 2010 - 02:45 AM

So I've been having a hell of a time trying to fix a search hijacker that has grabbed both my Firefox and IE searches. I've run all kinds of malware removal programs and have pored over my HijackThis logs for the last several days to no avail. So I've finally brought out the big guns and ran ComboFix. Unfortunately it didn't fix it immediately, but perhaps someone here could help me find the solution I've been looking for. It's notable that the hijacker always produces an icon in Firefox that looks like either a green globe or a blue looping line. If anyone has a good solution for this, please post!

ComboFix 10-08-04.05 - Gavriel 08/05/2010 0:25.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1320 [GMT -7:00]
Running from: c:\documents and settings\Justin\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-07-30 01:30 . 2010-07-30 01:30 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-07-28 22:41 . 2010-07-28 22:41 2605008 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-07-22 18:37 . 2010-07-22 18:37 -------- d-----w- c:\documents and settings\Justin\Application DataComodoGroup
2010-07-21 23:21 . 2010-07-21 23:21 503808 ----a-w- c:\documents and settings\Justin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7e741f73-n\msvcp71.dll
2010-07-21 23:21 . 2010-07-21 23:21 499712 ----a-w- c:\documents and settings\Justin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7e741f73-n\jmc.dll
2010-07-21 23:21 . 2010-07-21 23:21 348160 ----a-w- c:\documents and settings\Justin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7e741f73-n\msvcr71.dll
2010-07-21 23:21 . 2010-07-21 23:21 61440 ----a-w- c:\documents and settings\Justin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-22e3f4af-n\decora-sse.dll
2010-07-21 23:21 . 2010-07-21 23:21 12800 ----a-w- c:\documents and settings\Justin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-22e3f4af-n\decora-d3d.dll
2010-07-21 23:21 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-21 06:27 . 2010-07-21 06:27 -------- d-----w- c:\program files\COMODO
2010-07-21 05:11 . 2010-07-21 05:11 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-07-21 05:09 . 2010-07-21 05:09 -------- d-----w- c:\documents and settings\Justin\Application Data\AnvSoft
2010-07-21 05:01 . 2010-07-21 05:06 -------- d-----w- c:\program files\mkvtoavis
2010-07-21 05:01 . 2010-07-21 05:06 -------- d-----w- c:\program files\mkvtoavi
2010-07-20 20:56 . 2010-07-20 20:56 1615200 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgssie.dll
2010-07-20 20:56 . 2010-07-20 20:56 1373536 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgssff.dll
2010-07-20 20:56 . 2010-07-20 20:56 1107296 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgxpl.dll
2010-07-20 20:56 . 2010-07-20 20:56 921440 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgemc.exe
2010-07-20 20:56 . 2010-07-20 20:56 4368224 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgcorex.dll
2010-07-15 17:34 . 2010-07-15 17:34 242896 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 17:34 . 2010-07-15 17:34 216200 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgldx86.sys
2010-07-15 17:33 . 2010-07-15 17:33 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 17:32 . 2010-07-15 17:32 1038688 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgupd.exe
2010-07-15 17:32 . 2010-07-15 17:32 1690464 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgupd.dll
2010-07-15 17:32 . 2010-07-15 17:32 624920 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-15 17:32 . 2010-07-15 17:32 813336 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avginet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-04 23:46 . 2010-03-19 07:59 0 ----a-w- c:\documents and settings\Justin\Local Settings\Application Data\prvlcl.dat
2010-08-04 08:02 . 2009-03-09 23:17 -------- d-----w- c:\documents and settings\Justin\Application Data\uTorrent
2010-07-30 19:00 . 2010-06-10 06:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-07-30 01:31 . 2008-03-07 05:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-29 00:21 . 2010-02-18 01:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-28 19:00 . 2008-04-29 01:55 31296 ----a-w- c:\documents and settings\Justin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-28 18:52 . 2008-11-17 00:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-28 18:51 . 2010-01-22 23:30 -------- d-----w- c:\program files\Project64 1.6
2010-07-21 23:21 . 2008-07-03 20:46 -------- d-----w- c:\program files\Common Files\Java
2010-07-21 23:21 . 2008-07-03 20:46 -------- d-----w- c:\program files\Java
2010-07-21 05:22 . 2010-06-30 18:40 -------- d-----w- c:\documents and settings\Justin\Application Data\HandBrake
2010-07-15 17:33 . 2008-06-06 05:06 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 17:33 . 2008-06-06 05:06 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-13 22:02 . 2010-07-21 05:51 142734 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-06-30 18:40 . 2010-06-30 18:40 -------- d-----w- c:\program files\Handbrake
2010-06-29 21:53 . 2010-06-29 21:53 117427 ----a-w- c:\documents and settings\Justin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions\digitaleditions.exe
2010-06-29 21:37 . 2010-06-29 21:31 -------- d-----w- c:\documents and settings\Justin\Application Data\Notepad++
2010-06-29 21:31 . 2010-06-29 21:31 -------- d-----w- c:\program files\Notepad++
2010-06-27 19:21 . 2010-06-27 19:21 -------- d-----w- c:\documents and settings\Justin\Application Data\Malwarebytes
2010-06-27 19:21 . 2010-06-27 19:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-27 19:21 . 2010-06-27 19:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-06-23 23:33 . 2010-06-23 23:32 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-23 23:33 . 2008-03-05 00:32 -------- d-----w- c:\program files\iTunes
2010-06-23 23:32 . 2008-04-06 08:45 -------- d-----w- c:\program files\iPod
2010-06-23 23:27 . 2008-03-05 00:32 -------- d-----w- c:\program files\QuickTime
2010-06-23 23:22 . 2008-03-05 00:32 -------- d-----w- c:\program files\Bonjour
2010-06-23 23:18 . 2010-06-23 23:18 72504 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-19 22:06 . 2010-02-18 17:43 117760 ----a-w- c:\documents and settings\Justin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-19 08:46 . 2010-06-19 08:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Webroot
2010-06-19 08:26 . 2010-06-19 08:26 -------- d-----w- c:\program files\MSSOAP
2010-06-19 08:25 . 2010-06-19 08:25 -------- d-----w- c:\program files\Webroot
2010-06-19 08:25 . 2010-06-19 08:25 -------- d-----w- c:\documents and settings\Justin\Application Data\Webroot
2010-06-19 08:22 . 2010-06-19 08:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-06-19 08:21 . 2010-06-19 08:21 164 ----a-w- c:\windows\install.dat
2010-06-10 06:59 . 2010-06-10 06:59 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\McAfee
2010-06-10 06:52 . 2010-06-10 06:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2010-06-06 22:54 . 2010-06-06 22:48 -------- d-----w- c:\documents and settings\Justin\Application Data\DeepBurner
2010-06-06 22:46 . 2010-06-06 22:46 -------- d-----w- c:\program files\Astonsoft
2010-06-02 17:40 . 2008-04-21 08:43 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-21 21:23 . 2010-05-21 21:23 30884 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-11-06 22:14 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2009-12-19 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2009-12-15 515560]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-01-08 392424]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-3-3 995328]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 23:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 17:33 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 05:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 22:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 15:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 22:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 18:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-11-12 22:54 13672448 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-11-12 22:54 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 05:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-30 08:09 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"uejufsxj"=c:\documents and settings\Justin\Local Settings\Application Data\nvbkbxfei\yrwkiqntssd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"uejufsxj"=c:\documents and settings\Justin\Local Settings\Application Data\nvbkbxfei\yrwkiqntssd.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/5/2008 10:06 PM 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/5/2008 10:06 PM 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 3:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 3:49 PM 74480]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\Justin\My Documents\Downloads\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 10:33 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 10:33 AM 308136]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [4/20/2008 3:57 PM 176128]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 3:50 PM 7408]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [4/20/2008 3:57 PM 13532]
S0 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys --> c:\windows\system32\drivers\CFRMD.sys [?]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [6/19/2010 1:26 AM 1201640]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/12/2009 11:21 PM 25832]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [12/15/2009 12:43 AM 515560]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SJYPKT
.
Contents of the 'Scheduled Tasks' folder

2010-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-08-05 c:\windows\Tasks\COMODO System Cleaner Update.job
- c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 22:41]

2010-07-30 c:\windows\Tasks\wrSpySweeper_L074833C87D324369A8BDB57EB649D402.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-06-19 22:19]

2010-07-30 c:\windows\Tasks\wrSpySweeper_L074833C87D324369A8BDB57EB649D402.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-06-19 22:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-Nitro PDF Printer Monitor - c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
AddRemove-FastCAD - c:\program files\ProFantasy\CC3\CC3\UNINST.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 00:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4152)
c:\windows\system32\WININET.dll
c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-05 00:36:36
ComboFix-quarantined-files.txt 2010-08-05 07:36

Pre-Run: 89,345,875,968 bytes free
Post-Run: 91,634,593,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 060B026276045678AC1A8CBB5304045A
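
A triage pass over the log format above, added here as an example that is not from the thread or from ComboFix itself: it walks ComboFix's own line layout and flags the entries a helper reading this log would look at first: Run/Run- values that point into a user profile under random-looking names (here nvbkbxfei\yrwkiqntssd.exe), services whose file ComboFix could not read ([?]), and a ProxyServer that routes browser traffic through a listener on 127.0.0.1. The sample lines are copied from the posted log; the naming heuristic is my assumption, not a ComboFix feature.

```python
import re
from typing import List, Optional

# Constructed sample in ComboFix's own line format, copied from the log posted
# above (key header, then one value per line; service lines; scan settings).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"uejufsxj"=c:\documents and settings\Justin\Local Settings\Application Data\nvbkbxfei\yrwkiqntssd.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

S0 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys --> c:\windows\system32\drivers\CFRMD.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [12/15/2009 12:43 AM 515560]

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
"""

RUN_QUOTED = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
RUN_BARE = re.compile(r'^"(?P<name>[^"]+)"=(?P<path>[^"\[]+?)(?:\s+\[[^\]]*\])?\s*$')
SERVICE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+?)(?: \[(?P<info>[^\]]*)\])?$")
PROXY = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
VOWELS = set("aeiou")


def looks_random(token: str) -> bool:
    """Assumed heuristic for machine-generated names: an alphabetic token of 6+
    characters with few vowels or a run of 5+ consonants. Noisy on its own
    (legitimate names such as PINTLGNT trip it), so triage() pairs it with location."""
    t = token.lower()
    if not t.isalpha() or len(t) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in t) / len(t)
    longest_run = max(len(run) for run in re.findall(r"[^aeiou]+", t) or [""])
    return vowel_ratio < 0.25 or longest_run >= 5


def path_components(path: str) -> List[str]:
    """Directory names plus the file stem, lower-cased (trailing arguments stay attached)."""
    parts = path.lower().split("\\")
    return parts[:-1] + [parts[-1].split(".")[0]]


def suspicious_run_entry(path: str) -> Optional[str]:
    """Flag a Run target that lives inside a user profile AND carries a random-looking
    directory or file name: the combination seen in the log above."""
    p = path.lower()
    in_profile = "\\documents and settings\\" in p and "\\all users" not in p
    odd = [c for c in path_components(path) if looks_random(c)]
    if in_profile and odd:
        return "user-profile executable with random-looking name(s): " + ", ".join(odd)
    return None


def triage(log: str) -> dict:
    """Walk a ComboFix log once and collect the three classes of finding."""
    findings = {"run": [], "services": [], "proxy": []}
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # e.g. HKEY_CURRENT_USER\...\run-
            continue
        if key and re.search(r"\\run-?$", key, re.I):
            m = RUN_QUOTED.match(line) or RUN_BARE.match(line)
            if m and suspicious_run_entry(m["path"]):
                findings["run"].append((key, m["name"], m["path"], suspicious_run_entry(m["path"])))
        m = SERVICE.match(line)
        if m and m["info"] == "?":  # ComboFix prints [?] when it could not read the file
            findings["services"].append((m["start"], m["name"], m["path"]))
        m = PROXY.match(line)
        if m:
            for part in m["value"].split(";"):
                host = part.split("=")[-1].rsplit(":", 1)[0].strip()
                if host == "localhost" or host.startswith("127."):
                    findings["proxy"].append(part.strip())  # browser traffic goes through a local listener
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(kind, *item)
```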


#2 kahdah
Posted 13 August 2010 - 07:27 AM

Hello Gavriel

Welcome to BleepingComputer
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
