Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT FILE


  • This topic is locked This topic is locked
18 replies to this topic

#1 mc303

mc303

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:09:30 PM

Posted 11 December 2010 - 10:42 AM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:38:15, on 11/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\spurs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\spurs\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [PAC207_Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\spurs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280866706812
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 6341 bytes

BC AdBot (Login to Remove)

 


#2 mc303

mc303
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:09:30 PM

Posted 12 December 2010 - 06:45 AM

So sorry, made some alterations after i posted this log, here is the latest log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:41:48, on 12/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Documents and Settings\spurs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\spurs\Desktop\HijackThis.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [PAC207_Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\spurs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280866706812
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 6663 bytes

#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:30 PM

Posted 12 December 2010 - 10:31 AM

Hi

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 mc303

mc303
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:09:30 PM

Posted 12 December 2010 - 01:57 PM

Hi Catbyte and thx:
Here is the DDS file and the "Attach file is "attached, when i try to run GMER Rootkit Scanner the PC crashes?
Please advise
Thank you



DDS (Ver_10-12-12.02) - FAT32x86
Run by spurs at 18:40:00.32 on 12/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.894.103 [GMT 0:00]

AV: Norton AntiVirus *Enabled/Outdated* {B5510F6F-87E1-47F7-A411-360BC453007C}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\PixArt\PAC207\Monitor.exe
SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\spurs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\spurs\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Keyring Creator 2\keyringcreator2.exe
C:\Documents and Settings\spurs\Desktop\BLEEP\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\spurs\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [KiesTrayAgent]
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [ccRegVfy] c:\program files\common files\symantec shared\ccRegVfy.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: o2.co.uk\*.broadband
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280866706812
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\windows\system3

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-11-2 217088]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2009-8-5 284016]
R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2002-8-19 116336]
R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\Savrtpel.sys [2002-7-25 35552]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-11-2 36640]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20020823.004\NAVENG.SYS [2010-11-6 66816]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20020823.004\NAVEX15.SYS [2010-11-6 590944]
R3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2002-7-25 235744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys --> c:\windows\system32\drivers\ousbehci.sys [?]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-3 1691480]
S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2010-9-15 18120]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-8-17 24576]
S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2010-11-6 618112]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2010-11-2 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2010-11-2 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2010-11-2 121576]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2010-9-15 95568]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2009-3-4 202016]

=============== Created Last 30 ================

2010-12-11 11:05:28 -------- d-sh--w- C:\FOUND.029
2010-12-11 10:54:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-12-11 10:54:06 -------- d-----w- c:\program files\BitDefender
2010-12-11 10:52:03 -------- d-----w- c:\program files\common files\BitDefender
2010-12-11 10:34:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-12-11 08:29:48 -------- d-sh--w- C:\FOUND.028
2010-12-11 07:47:54 -------- d-sh--w- C:\FOUND.027
2010-12-11 07:35:20 -------- d--h--w- c:\windows\msdownld.tmp
2010-12-11 07:10:59 -------- d-----w- C:\49422c2e42da786117f1
2010-12-11 07:03:23 -------- d-----w- C:\Versalsoft
2010-12-11 07:03:15 -------- d-----w- c:\program files\Versalsoft
2010-12-11 07:03:11 -------- d-----w- c:\program files\Universal
2010-12-10 19:02:18 -------- d-sh--w- C:\FOUND.026
2010-12-10 18:57:08 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-10 18:57:08 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-10 18:56:45 -------- d-----w- c:\program files\NetDragon
2010-12-10 18:56:45 -------- d-----w- c:\program files\Artweaver 0.5
2010-12-10 14:46:45 -------- d-----w- c:\windows\nview
2010-12-10 13:19:50 -------- d-sh--w- C:\FOUND.025
2010-12-08 20:01:56 -------- d-----w- c:\windows\ZVLUSB
2010-12-08 20:01:52 -------- d-----w- c:\program files\Zebra P110i
2010-12-03 10:53:36 -------- d-sh--w- C:\FOUND.024
2010-11-27 15:30:40 -------- d-sh--w- C:\FOUND.023
2010-11-25 16:04:43 -------- d-----w- C:\spoolerlogs
2010-11-25 16:01:30 -------- d-sh--w- C:\FOUND.022
2010-11-20 14:45:22 -------- d-----w- c:\docume~1\spurs\applic~1\PriceGong
2010-11-17 15:23:50 -------- d-----w- c:\docume~1\spurs\locals~1\applic~1\WinZip

==================== Find3M ====================

2010-09-18 12:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 07:53:26 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 07:53:26 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 07:53:26 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 10:37:46 14 ----a-w- c:\windows\system32\systeminfo.dll
2010-09-15 08:37:40 95568 ----a-w- c:\windows\system32\dgdersvc.exe
2010-09-15 08:37:40 763216 ----a-w- c:\windows\system32\dgderapi.dll
2010-09-15 08:37:40 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2010-09-15 08:33:32 36640 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2010-09-15 08:33:32 217088 ----a-w- c:\windows\system32\FsUsbExService.Exe
2010-09-15 08:33:32 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll

============= FINISH: 18:41:11.43 ===============

Attached Files



#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:30 PM

Posted 12 December 2010 - 01:59 PM

Hi

Please try running GMER in safe mode with just the "sections" and the "c:\" drive checked

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 mc303

mc303
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:09:30 PM

Posted 13 December 2010 - 05:43 AM

Hi, unfortunatley it also crashes in safe mode whilst running that prog.... please advise
thank you

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:30 PM

Posted 13 December 2010 - 08:49 AM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 mc303

mc303
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:09:30 PM

Posted 13 December 2010 - 01:52 PM

hi Catbyte, completed 50 stages, deleting files, went to black screen, gave options went reboot, went to scan disk, x2, no log files just returned to desktop, please advise.
thank you

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:30 PM

Posted 13 December 2010 - 05:07 PM

Hi

Please look for the log at C:\combofix.txt

if there is no log, please run ComboFix again, and wait for it to produce a log


please make certain your security programs are disabled

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 mc303

mc303
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:09:30 PM

Posted 14 December 2010 - 09:20 AM

Hi, managed in safe mode

ComboFix 10-12-13.02 - spurs 14/12/2010 14:02:32.3.2 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.894.734 [GMT 0:00]
Running from: c:\documents and settings\spurs\Desktop\BLEEP\ComboFix.exe
AV: Norton AntiVirus *Disabled/Outdated* {B5510F6F-87E1-47F7-A411-360BC453007C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\PC Camer@
c:\documents and settings\All Users\Start Menu\Programs\PC Camer@ \Amcap.lnk
c:\documents and settings\All Users\Start Menu\Programs\PC Camer@ \Uninstall.lnk
c:\documents and settings\spurs\Application Data\PriceGong
c:\documents and settings\spurs\Application Data\PriceGong\Data\1.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\a.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\b.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\c.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\d.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\e.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\f.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\g.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\h.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\i.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\J.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\k.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\l.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\m.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\n.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\o.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\p.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\q.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\r.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\s.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\t.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\u.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\v.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\w.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\x.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\y.xml
c:\documents and settings\spurs\Application Data\PriceGong\Data\z.xml
c:\windows\command
c:\windows\desktop
c:\windows\Help\nvcpl.hlp-nv8666
c:\windows\system\Color
c:\windows\system32\muzapp.exe
c:\windows\system32\system32
c:\windows\system32\system32\cis-2.4.dll
c:\windows\system32\system32\issacapi_bs-2.3.dll
c:\windows\system32\system32\issacapi_pe-2.3.dll
c:\windows\system32\system32\issacapi_se-2.3.dll
c:\windows\system32\system32\MACXMLProto.dll
c:\windows\system32\system32\MaDRM.dll
c:\windows\system32\system32\MaJGUILib.dll
c:\windows\system32\system32\MaJUtilLib.dll
c:\windows\system32\system32\MAMACExtract.dll
c:\windows\system32\system32\MASetupCaller.dll
c:\windows\system32\system32\MASetupCleaner.exe
c:\windows\system32\system32\MaXMLProto.dll
c:\windows\system32\system32\MetaStore2.dll
c:\windows\system32\system32\Microsoft.Synchronization.dll
c:\windows\system32\system32\MK_Lyric.dll
c:\windows\system32\system32\MSCLib.dll
c:\windows\system32\system32\MSFLib.dll
c:\windows\system32\system32\MSLUR71.dll
c:\windows\system32\system32\msvcp60.dll
c:\windows\system32\system32\MTTELECHIP.dll
c:\windows\system32\system32\MTXSYNCICON.dll
c:\windows\system32\system32\muzaf1.dll
c:\windows\system32\system32\muzapp.dll
c:\windows\system32\system32\muzapp.exe
c:\windows\system32\system32\muzdecode.ax
c:\windows\system32\system32\muzeffect.ax
c:\windows\system32\system32\muzmp4sp.ax
c:\windows\system32\system32\muzmpgsp.ax
c:\windows\system32\system32\muzoggsp.ax
c:\windows\system32\system32\muzwmts.dll
c:\windows\system32\system32\psapi.dll
c:\windows\system32\system32\Synchronization2.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.

2010-12-13 19:11 . 2010-12-13 19:11 -------- d-----w- C:\FOUND.031
2010-12-13 09:32 . 2010-12-13 09:32 -------- d-----w- C:\FOUND.030
2010-12-12 11:17 . 2010-12-12 11:17 -------- d-----w- c:\program files\Microsoft.NET
2010-12-11 11:05 . 2010-12-11 11:05 -------- d-----w- C:\FOUND.029
2010-12-11 10:54 . 2010-12-11 10:54 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-12-11 10:54 . 2010-12-11 10:54 -------- d-----w- c:\program files\BitDefender
2010-12-11 10:52 . 2010-12-11 10:52 -------- d-----w- c:\program files\Common Files\BitDefender
2010-12-11 10:34 . 2010-12-11 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-12-11 09:27 . 2010-12-11 09:27 -------- d-----w- c:\program files\Java
2010-12-11 08:29 . 2010-12-11 08:29 -------- d-----w- C:\FOUND.028
2010-12-11 07:47 . 2010-12-11 07:47 -------- d-----w- C:\FOUND.027
2010-12-11 07:35 . 2010-12-11 07:35 -------- d--h--w- c:\windows\msdownld.tmp
2010-12-11 07:10 . 2010-12-11 07:11 -------- d-----w- C:\49422c2e42da786117f1
2010-12-11 07:03 . 2010-12-11 07:03 -------- d-----w- C:\Versalsoft
2010-12-11 07:03 . 2010-12-11 07:03 -------- d-----w- c:\program files\Versalsoft
2010-12-11 07:03 . 2010-12-11 07:03 -------- d-----w- c:\program files\Universal
2010-12-10 19:02 . 2010-12-10 19:02 -------- d-----w- C:\FOUND.026
2010-12-10 18:57 . 2010-12-10 18:57 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-10 18:56 . 2010-12-10 18:56 -------- d-----w- c:\program files\NetDragon
2010-12-10 18:56 . 2010-12-10 18:56 -------- d-----w- c:\program files\Artweaver 0.5
2010-12-10 14:46 . 2010-12-10 14:46 -------- d-----w- c:\windows\nview
2010-12-10 13:19 . 2010-12-10 13:19 -------- d-----w- C:\FOUND.025
2010-12-08 20:01 . 2010-12-08 20:01 -------- d-----w- c:\windows\ZVLUSB
2010-12-08 20:01 . 2010-12-08 20:01 -------- d-----w- c:\program files\Zebra P110i
2010-12-03 10:53 . 2010-12-03 10:53 -------- d-----w- C:\FOUND.024
2010-11-30 07:55 . 2010-11-30 07:55 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-11-30 07:55 . 2010-11-30 07:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-11-27 15:30 . 2010-11-27 15:30 -------- d-----w- C:\FOUND.023
2010-11-25 16:04 . 2010-11-25 16:04 -------- d-----w- C:\spoolerlogs
2010-11-25 16:01 . 2010-11-25 16:01 -------- d-----w- C:\FOUND.022
2010-11-17 15:23 . 2010-11-17 15:23 -------- d-----w- c:\documents and settings\spurs\Local Settings\Application Data\WinZip
2010-11-17 15:14 . 2010-11-17 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-09-30 12:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-09-30 12:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-02 15:01 . 2010-11-02 14:55 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-09-18 12:23 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 07:53 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 07:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 07:53 . 2001-08-23 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\spurs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-12 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-8-10 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 01:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 16:24 110696 ----a-w- c:\windows\SYSTEM32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 22:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-08-24 10:38 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SupportSoft RemoteAssist"=3 (0x3)
"sprtsvc_O2"=2 (0x2)
"dgdersvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\spurs\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\trademanager\\AliIM.exe"=
"c:\\Documents and Settings\\SPURS\\My Documents\\vobsetup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"13114:TCP"= 13114:TCP:BitComet 13114 TCP
"13114:UDP"= 13114:UDP:BitComet 13114 UDP

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 FsUsbExService;FsUsbExService;c:\windows\SYSTEM32\FsUsbExService.Exe [02/11/2010 13:02 217088]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [05/08/2009 12:49 284016]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys --> c:\windows\system32\Drivers\ousbehci.sys [?]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/08/2010 10:38 92008]
S3 Ambfilt;Ambfilt;c:\windows\SYSTEM32\DRIVERS\Ambfilt.sys [03/08/2010 23:11 1691480]
S3 dgderdrv;dgderdrv;c:\windows\SYSTEM32\DRIVERS\dgderdrv.sys [15/09/2010 08:37 18120]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\SYSTEM32\FsUsbExDisk.Sys [02/11/2010 13:02 36640]
S3 HTCAND32;HTC Device Driver;c:\windows\SYSTEM32\DRIVERS\ANDROIDUSB.sys [17/08/2010 18:02 24576]
S3 PAC207;PC Camer@;c:\windows\SYSTEM32\DRIVERS\PFC027.SYS [06/11/2010 08:13 618112]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\SYSTEM32\DRIVERS\ssadbus.sys [02/11/2010 14:09 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\SYSTEM32\DRIVERS\ssadmdfl.sys [02/11/2010 14:09 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\SYSTEM32\DRIVERS\ssadmdm.sys [02/11/2010 14:09 121576]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S4 dgdersvc;Device Error Recovery Service;c:\windows\SYSTEM32\dgdersvc.exe [15/09/2010 08:37 95568]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [04/03/2009 15:52 202016]
.
Contents of the 'Scheduled Tasks' folder

2010-12-14 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2010-08-04 09:04]

2010-12-14 c:\windows\Tasks\User_Feed_Synchronization-{6BC1B3DC-4AF7-4807-8280-9EC7B794D5EA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]

2010-11-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 11:50]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-220523388-725345543-1003Core1cb6b989e65f878.job
- c:\documents and settings\spurs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-12 11:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: o2.co.uk\*.broadband
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-KiesTrayAgent - (no file)
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-14 14:10:15
ComboFix-quarantined-files.txt 2010-12-14 14:10

Pre-Run: 9,817,620,480 bytes free
Post-Run: 10,675,519,488 bytes free

- - End Of File - - 7C2882A78E058FF40B851F06117F541A

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:30 PM

Posted 14 December 2010 - 11:03 AM

Hi

Please run the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



NEXT

Please advise how the computer is running and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 mc303

mc303
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:09:30 PM

Posted 14 December 2010 - 12:04 PM

hi, cant run online scan, first thing that happened was:
Internet Explorer has closed this webpage to help protect your computer
A malfunctioning or malicious add-on has caused Internet Explorer to close this webpage

turned browser security to default, tried again, keeps going round in circles, check box to accept t and c, lingers for a min or so, re opens check box for t and c, several times
pleae advise
thank you



Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5312

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/12/2010 16:52:17
mbam-log-2010-12-14 (16-52-17).txt

Scan type: Quick scan
Objects scanned: 130792
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:30 PM

Posted 14 December 2010 - 12:39 PM

Hi

Please delete all your browsing history and cookies, flush your DNS, then try again:

Download Flush Flash Cookies by Bobbi Flekman.
Select the Windows version and save flushflash.exe to your Desktop.
Double-click flushflash.exe to run it.
Select Everything but Site settings.
Click Make it so!.
When the "Killed off all Flash cookies" window opens, click OK.
Close Flush Flash Cookies.



clear all other cookies

Delete all currently saved cookies from your computer.

In Internet Explorer,
click Tools > Internet Options and then click the Delete Cookies button on the General tab.

In Firefox,
click Tools > Clear Recent History > Set Time range to clear to Everything
Click on the arrow next to Details to expand the list of history items.
Select Cookies and make sure that other items you want to keep are not selected.
Click Clear Now to clear the cookies and close the Clear Recent History window

NEXT

Please download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should reboot your machine, if not, manually reboot to ensure a complete clean

NEXT


  • Go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between ..g /f it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 mc303

mc303
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:09:30 PM

Posted 15 December 2010 - 05:33 AM

Hi, if i try to open a media file in windows media i crash, if i go to this website in particular http://www.livesportontv.com/football i crash, it seems to be the same thing microsoft/assembly either jscript and visual basic, ??
please advise
thank you

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:30 PM

Posted 15 December 2010 - 08:45 AM

Hi

Please try resetting IE back to default:

http://support.microsoft.com/kb/923737

Use the "FixIt" button

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users