Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unable to remove "Filter hijack"


  • Please log in to reply
12 replies to this topic

#1 mtl#4

mtl#4

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:31 AM

Posted 16 September 2010 - 01:30 PM

After my son used my computer (Disney and other gaming sites), my browsers kept re-directing. Nothing found using Norton. Used "hijackthis" and was able to clean that up. BUT - it will not get rid of:
"O18 - Filter hijack: text/html - {74d4b3bf-3b2f-48d2-8ace-54970be380fd} - C:\WINDOWS\msvideo.dll"

Followed Bleeping's instructions. Cannot get GMER to run without stalling, restarting or shutting down computer, so I can't get that file up for you.

Thank you SO MUCH for your time and help.

Here's the data (except "ark.txt")"

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 0:53:41.53 on Wed 09/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1051 [GMT -7:00]

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
mStart Page = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360 premier edition\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360 premier edition\engine\3.8.0.41\IPSBHO.DLL
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\6.0.472.59\npchrome_frame.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
Trusted Zone: trymedia.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/61.12/uploader2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244524086265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {DABA1849-E884-4DC0-B7E6-41E49B5D7C37} - hxxps://ive-crdc.kp.org/Integrations/iSiteEmr/,DanaInfo=foncdap1.font.ca.kp.org+iSiteExt.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://ive-crdc.kp.org/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ive-crdc.kp.org/dana-cached/sc/JuniperSetupClient.cab
Filter: text/html - {74d4b3bf-3b2f-48d2-8ace-54970be380fd} -
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\6.0.472.59\npchrome_frame.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360 premier edition\engine\3.8.0.41\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\u5a5t32c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\u5a5t32c.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-3 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100910.001\IDSXpx86.sys [2010-9-13 331640]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-12-10 91392]
R2 N360;Norton 360;c:\program files\norton 360 premier edition\engine\3.8.0.41\ccSvcHst.exe [2010-2-3 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100914.052\NAVENG.SYS [2010-9-14 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100914.052\NAVEX15.SYS [2010-9-14 1362608]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-8-25 468768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9fedca83d61a8;Google Update Service (gupdate1c9fedca83d61a8);c:\program files\google\update\GoogleUpdate.exe [2009-7-7 133104]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2010-3-7 25856]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-8-25 82048]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 STSService;STSService;"c:\program files\soundtaxi media suite\stsservice.exe" --> c:\program files\soundtaxi media suite\STSService.exe [?]

=============== Created Last 30 ================

2010-09-15 07:53:04 0 ----a-w- c:\documents and settings\hp_administrator\defogger_reenable
2010-09-15 06:19:47 0 d-----w- c:\program files\Trend Micro
2010-08-31 08:20:37 0 d-----w- c:\program files\Microsoft Expression
2010-08-31 07:21:14 0 d-----w- c:\program files\PixiePack Codec Pack
2010-08-31 07:19:48 0 d-----w- c:\program files\RapidSolution
2010-08-31 07:19:48 0 d-----w- c:\docume~1\alluse~1\applic~1\RapidSolution
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-11 06:36:00 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2010-07-27 17:44:44 7839944 ----a-w- c:\program files\common files\lpuninstall.exe
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-12 20:13:07 116579 ----a-w- c:\windows\hpoins11.dat
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-25 00:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ------w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 17:45:17 293376 ----a-w- c:\windows\system32\winsrv.dll
2010-06-18 17:45:17 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll

============= FINISH: 0:53:55.90 ===============

Attached Files



BC AdBot (Login to Remove)

 


m

#2 shelf life

shelf life

  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:31 PM

Posted 23 September 2010 - 08:29 PM

hi mtl#4,

Your log is a few days old. If you still need help simply reply back.

How Can I Reduce My Risk to Malware?


#3 mtl#4

mtl#4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:31 AM

Posted 24 September 2010 - 01:25 AM

Yup!!!!! Still need help. Didn't want to "bump" (as the instructions say) and I'm scared to use the computer. Thanks for finding me.

#4 shelf life

shelf life

  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:31 PM

Posted 24 September 2010 - 04:14 PM

hi,

Ok so you are not getting redirected anymore then? We will get a download that you can keep. Link and directions:

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

How Can I Reduce My Risk to Malware?


#5 mtl#4

mtl#4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:31 AM

Posted 25 September 2010 - 06:41 PM

Yes, I am no longer getting redirected - thanks. But I still cannot remove the filter hijack. I followed your instructions above. Found and corrected 5, but the same "O18 - Filter hijack: text/html - {74d4b3bf-3b2f-48d2-8ace-54970be380fd} - C:\WINDOWS\msvideo.dll" is still present when I re-run HijackThis

Here's the Malwarebytes' log
---------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4690

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/25/2010 7:28:23 AM
mbam-log-2010-09-25 (07-28-23).txt

Scan type: Full scan (C:\|D:\|E:\|L:\|)
Objects scanned: 521051
Time elapsed: 5 hour(s), 45 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.

Edited by mtl#4, 25 September 2010 - 06:44 PM.


#6 shelf life

shelf life

  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:31 PM

Posted 25 September 2010 - 09:08 PM

You are using HJT to try and remove the 018 item by checking the item then: close all applications and browser windows before you click "fix checked"


How Can I Reduce My Risk to Malware?


#7 mtl#4

mtl#4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:31 AM

Posted 27 September 2010 - 09:08 PM

The ONLY open program is HJT. Still it will not clear out.

#8 shelf life

shelf life

  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:31 PM

Posted 28 September 2010 - 03:54 PM

Try booting into safe mode to delete the file. To reach safe mode you would tap the f8 key during a computer restart, chose the first option from the list: safe mode. Navigate to the System32 directory and look for the msvideo.dll and delete it. Reboot normally.

How Can I Reduce My Risk to Malware?


#9 mtl#4

mtl#4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:31 AM

Posted 28 September 2010 - 08:50 PM

Arrggh!!! Went to the directory and un-hid all files. There was NO c:/windows/msvideo.dll file. I did find one as you suggested under the system32 directory. Deleted it, rebooted it, and still HJT says it's still there.

Also -
Husband informed me today that he tried to visit some link on cnn.com and had another hijack to some myspace type page using IE. So maybe I'm not as clean as I thought...

Is it time to give up and shop?

#10 shelf life

shelf life

  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:31 PM

Posted 29 September 2010 - 04:07 PM

Lets get another download to use as a check for malware. Its called combofix. there is a guide to read first. Read the guide then apply the directions on your own machine and post the log.. Time to shop? No way. Even the worst of the worst malware can be wiped out with a reformat/reinstall of Windows.

Guide to using Combofix

Also make sure you dont have any script blocking software that may be present in your Norton 360, not sure. that could interfere with hjt being able to make the change.

How Can I Reduce My Risk to Malware?


#11 mtl#4

mtl#4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:31 AM

Posted 05 October 2010 - 11:51 AM

I redid HFT and it's gone. Am I done?
**My Combofix Log:

ComboFix 10-10-04.02 - HP_Administrator 10/05/2010 9:28.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1228 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared
E:\Autorun.inf
L:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-09-05 to 2010-10-05 )))))))))))))))))))))))))))))))
.

2010-09-29 01:38 . 2010-09-29 01:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-25 05:16 . 2010-09-25 05:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-09-25 05:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-25 05:16 . 2010-09-25 05:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-25 05:16 . 2010-09-25 05:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-25 05:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-22 07:16 . 2010-09-22 07:16 -------- d-----w- c:\program files\Common Files\HP
2010-09-22 07:09 . 2010-09-22 07:21 117091 ----a-w- c:\windows\hpoins11.dat
2010-09-22 07:08 . 2006-05-05 21:18 11634 ----a-w- c:\windows\hpomdl11.dat
2010-09-18 06:24 . 2010-09-18 06:24 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Amazon
2010-09-18 06:24 . 2010-09-18 06:24 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Amazon
2010-09-18 06:24 . 2010-09-18 06:24 -------- d-----w- c:\program files\Amazon
2010-09-16 15:06 . 2010-09-16 15:06 -------- d-----w- c:\documents and settings\HP_Administratr
2010-09-15 06:19 . 2010-09-15 06:19 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 05:01 . 2009-06-09 07:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-24 02:25 . 2010-02-06 08:33 13009967 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Tools4Movies\mencoder.exe
2010-09-23 22:59 . 2009-07-07 08:25 -------- d-----w- c:\program files\Google
2010-09-22 07:21 . 2006-08-25 07:56 96504 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-22 07:18 . 2006-08-25 07:47 -------- d-----w- c:\program files\HP
2010-09-22 06:43 . 2006-08-25 07:47 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-09-22 06:41 . 2006-08-25 07:57 -------- d-----w- c:\program files\Hewlett-Packard
2010-09-15 07:15 . 2010-01-27 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-09-15 07:11 . 2010-01-29 07:57 -------- d-----w- c:\program files\AVS4YOU
2010-09-15 07:11 . 2010-01-29 07:58 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-09-15 06:46 . 2010-02-14 21:00 -------- d-----w- c:\program files\WebEx
2010-09-15 04:12 . 2010-07-11 14:56 452104 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.12\setup.exe
2010-09-15 00:17 . 2010-02-05 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-13 01:24 . 2010-08-16 02:54 198280 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-09-11 22:28 . 2010-02-06 08:33 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Tools4Movies
2010-09-10 03:28 . 2009-06-19 01:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2010-09-01 07:44 . 2010-08-31 08:28 808350 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1462087416-425624064-3055248358-1007-0.dat
2010-09-01 07:44 . 2010-08-31 08:28 330006 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2010-08-31 08:20 . 2010-08-31 08:20 -------- d-----w- c:\program files\Microsoft Expression
2010-08-31 08:10 . 2010-02-05 06:02 -------- d-----w- c:\program files\Microsoft.NET
2010-08-31 07:58 . 2010-08-31 07:19 -------- d-----w- c:\program files\RapidSolution
2010-08-31 07:21 . 2010-08-31 07:21 -------- d-----w- c:\program files\PixiePack Codec Pack
2010-08-31 07:21 . 2010-08-31 07:21 87904 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgMyspace.dll
2010-08-31 07:21 . 2010-08-31 07:21 77664 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgSoundclick.dll
2010-08-31 07:21 . 2010-08-31 07:21 59232 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgPandora.dll
2010-08-31 07:21 . 2010-08-31 07:21 84320 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgImeem.dll
2010-08-31 07:21 . 2010-08-31 07:21 62816 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgIJigg.dll
2010-08-31 07:21 . 2010-08-31 07:21 103264 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgLastfm.dll
2010-08-31 07:21 . 2010-08-31 07:21 94560 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgGeneral.dll
2010-08-31 07:21 . 2010-08-31 07:21 114528 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgHypemachine.dll
2010-08-31 07:20 . 2010-08-31 07:20 89952 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDeezer.dll
2010-08-31 07:20 . 2010-08-31 07:20 46944 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDefault.dll
2010-08-31 07:20 . 2010-08-31 07:20 347488 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\RadioRip.dll
2010-08-31 07:20 . 2010-08-31 07:20 495616 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\EncodingBackend\lame_enc.dll
2010-08-31 07:19 . 2010-08-31 07:19 -------- d-----w- c:\documents and settings\All Users\Application Data\RapidSolution
2010-08-17 13:17 . 2004-08-10 04:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-15 20:45 . 2010-06-26 08:03 -------- d-----w- c:\program files\LastPass
2010-08-15 20:28 . 2009-06-10 08:01 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Arcsoft
2010-08-11 06:36 . 2010-08-11 06:06 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-08-11 06:09 . 2010-08-11 06:08 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Nikon
2010-08-11 06:09 . 2010-08-11 06:05 -------- d-----w- c:\program files\Common Files\Nikon
2010-08-11 06:08 . 2010-08-11 06:08 49152 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2010-08-11 06:07 . 2010-08-11 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Nikon
2010-08-11 06:07 . 2010-08-11 06:07 -------- d-----w- c:\program files\Nikon
2010-08-11 06:06 . 2010-08-11 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Ultima_T15
2010-08-11 06:06 . 2010-08-11 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\EnterNHelp
2010-08-11 06:05 . 2010-08-11 06:05 -------- d-----w- c:\program files\ArcSoft
2010-08-11 06:05 . 2006-08-25 07:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-02 23:01 . 2010-08-02 23:01 0 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\GUIcommon.dll
2010-07-27 17:44 . 2010-06-26 08:03 7839944 ----a-w- c:\program files\Common Files\lpuninstall.exe
2010-07-26 16:42 . 2010-07-26 16:42 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-22 15:49 . 2004-08-10 04:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-06-09 05:29 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-12 18:32 . 2010-09-17 01:15 822784 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\u5a5t32c.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-25 180269]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-28 8466432]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2010-6-26 7839944]
Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2010-6-26 7839944]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-25 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-25 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/3/2010 12:07 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/3/2010 12:07 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/3/2010 12:07 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20101004.002\IDSXpx86.sys [10/4/2010 11:55 PM 331640]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [12/10/2009 9:35 PM 91392]
R2 N360;Norton 360;c:\program files\Norton 360 Premier Edition\Engine\3.8.0.41\ccSvcHst.exe [2/3/2010 12:06 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/26/2010 5:52 PM 102448]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [8/25/2006 12:43 AM 468768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9fedca83d61a8;Google Update Service (gupdate1c9fedca83d61a8);c:\program files\Google\Update\GoogleUpdate.exe [7/7/2009 1:26 AM 133104]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [3/7/2010 6:32 PM 25856]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [8/25/2006 12:43 AM 82048]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 STSService;STSService;"c:\program files\SoundTaxi Media Suite\STSService.exe" --> c:\program files\SoundTaxi Media Suite\STSService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
2010-02-17 02:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-10-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-07 08:25]

2010-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-07 08:26]

2010-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-07 08:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
mStart Page = hxxp://www.google.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
Trusted Zone: intuit.com\ttlc
Trusted Zone: trymedia.com
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/61.12/uploader2.cab
DPF: {DABA1849-E884-4DC0-B7E6-41E49B5D7C37} - hxxps://ive-crdc.kp.org/Integrations/iSiteEmr/,DanaInfo=foncdap1.font.ca.kp.org+iSiteExt.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ive-crdc.kp.org/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\u5a5t32c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\u5a5t32c.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
AddRemove-DVD Catalyst Free - c:\program files\Tools4Movies\DVD Catalyst Free\uninst.exe



[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360 Premier Edition\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360 Premier Edition\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4960)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\hp\KBD\KBD.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system\hpsysdrv.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
c:\program files\Java\jre1.5.0_06\bin\jusched.exe
c:\windows\system32\wscntfy.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\DISC\DISCover.exe
c:\program files\DISC\DiscUpdMgr.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\DISC\DiscStreamHub.exe
c:\program files\Java\jre1.5.0_06\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-10-05 09:49:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-05 16:49

Pre-Run: 116,593,016,832 bytes free
Post-Run: 116,533,084,160 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 6161E2119F3981F059BF50E04C3983BD

Edited by mtl#4, 05 October 2010 - 12:38 PM.


#12 shelf life

shelf life

  • Malware Response Team
  • 2,633 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:12:31 PM

Posted 05 October 2010 - 06:18 PM

hi,

QUOTE
I redid HFT and it's gone. Am I done

Yes, done. You can remove combofix like this:
Start>run and type in combofix /uninstall
click ok or enter
Note the space after the X and before the /

Note that the free version of malwarebytes must be updated manually and a scan started manually.

some tips to help you remain malware free:

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.

In no special order


1) It is essential to keep your OS,(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. Not sure if you have the latest version? Check their version status here.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's. Or see a slide show Here and do it yourself. Securing Fire Fox.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Do you really trust the source of the file?

Longer version with pictures in link below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?


#13 mtl#4

mtl#4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:31 AM

Posted 06 October 2010 - 11:32 PM

THANK YOU for all your help!
-MTL#4




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users