Google Redirect removal


  • This topic is locked
18 replies to this topic

#1 Lukalu456

Lukalu456

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 23 March 2011 - 07:09 PM

Google is redirecting me, and I'm not sure how to fix the problem.



#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 AM

Posted 23 March 2011 - 08:57 PM

Hello Lukalu456 and welcome to BleepingComputer. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 Lukalu456

Lukalu456
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 26 March 2011 - 10:22 PM

Thanks so much for your help. I had trouble trying to shut off Windows Defender. When I click on it from the programs menu, a window flashes for a second and disappears. The Windows Defender also flashed like this when I tried to access it from the control panel, but it appears to be running. I can't figure out how to turn it off when I can't open it. Sorry about that.


Here are the files you requested:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by L at 19:55:25.44 on Sat 03/26/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.850 [GMT -7:00]
.
AV: Norton 360 *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Users\L\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\L\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [LSKKQ] rundll32 "c:\users\l\appdata\roaming\spoolm.dll",myspibtgg
uRun: [RAIHQQWK] rundll32 "c:\users\l\appdata\roaming\wmdrmsdkg.dll",plfvfomw
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [HLBackupScheduler] c:\program files\verizon v cast media manager\V CAST Backup Scheduler.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpqSRMon]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\l\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\l\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-9-23 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-9-23 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-10 800376]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-9-23 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110325.001\IDSvix86.sys [2011-3-25 353912]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-9-23 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys [2010-9-23 339504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-29 21504]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-9-23 126392]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\SymcPCCULaunchSvc.exe [2009-12-9 120248]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\ccSvcHst.exe [2009-12-9 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-2-8 102448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9921d820d18b0;Google Update Service (gupdate1c9921d820d18b0);c:\program files\google\update\GoogleUpdate.exe [2009-2-18 133104]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-23 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-03-25 09:25:04 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{c8e3e45c-39ce-4257-83bc-9a1e0b2d8835}\mpengine.dll
2011-03-24 18:11:56 -------- d-----w- c:\users\l\appdata\roaming\HpUpdate
2011-03-24 18:11:52 -------- d-----w- c:\windows\Hewlett-Packard
2011-03-23 21:50:48 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 21:50:48 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 21:50:48 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-11 04:51:31 -------- d-----w- c:\program files\iPod
2011-03-11 04:51:29 -------- d-----w- c:\program files\iTunes
2011-03-09 06:37:44 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 06:37:43 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 06:37:42 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 06:37:42 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 06:37:42 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 06:37:42 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-04 04:44:33 -------- d-----w- c:\program files\Bonjour
2011-03-04 03:46:28 -------- d-----w- c:\progra~2\Verizon
2011-03-04 03:46:20 -------- d-----w- c:\users\l\appdata\local\V CAST Media Manager
2011-03-04 03:45:37 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2011-03-04 03:45:36 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2011-03-04 03:45:34 -------- d-----w- c:\program files\ffdshow
2011-03-04 03:44:25 -------- d-----w- c:\program files\Verizon V CAST Media Manager
2011-03-04 03:34:00 -------- d-----w- c:\program files\HTC
2011-03-04 03:32:59 -------- d-----w- C:\Temp
.
==================== Find3M ====================
.
2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
.
============= FINISH: 19:56:41.12 ===============

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-26 20:08:07
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0
Running: 08lwyys2.exe; Driver: C:\Users\L\AppData\Local\Temp\uwdiqpog.sys


---- System - GMER 1.0.15 ----

SSDT 916F6108 ZwAlertResumeThread
SSDT 916F1068 ZwAlertThread
SSDT 9177DC10 ZwAllocateVirtualMemory
SSDT 866E5158 ZwAlpcConnectPort
SSDT 91739048 ZwAssignProcessToJobObject
SSDT 917834F0 ZwCreateMutant
SSDT 9178C150 ZwCreateSymbolicLinkObject
SSDT 9177B8D0 ZwCreateThread
SSDT 9172A048 ZwDebugActiveProcess
SSDT 9177DDA8 ZwDuplicateObject
SSDT 9177D630 ZwFreeVirtualMemory
SSDT 9170A120 ZwImpersonateAnonymousToken
SSDT 916FA108 ZwImpersonateThread
SSDT 8EA1F2B8 ZwLoadDriver
SSDT 9177D510 ZwMapViewOfSection
SSDT 9170B120 ZwOpenEvent
SSDT 9177E620 ZwOpenProcess
SSDT 90046068 ZwOpenProcessToken
SSDT 91718068 ZwOpenSection
SSDT 9177DEF8 ZwOpenThread
SSDT 9178CD00 ZwProtectVirtualMemory
SSDT 916ED120 ZwResumeThread
SSDT 916B4110 ZwSetContextThread
SSDT 9177CE38 ZwSetInformationProcess
SSDT 9171D068 ZwSetSystemInformation
SSDT 91713110 ZwSuspendProcess
SSDT 916DF120 ZwSuspendThread
SSDT 901FD110 ZwTerminateProcess
SSDT 916D1120 ZwTerminateThread
SSDT 9004B110 ZwUnmapViewOfSection
SSDT 9177D900 ZwWriteVirtualMemory
SSDT 9178C5E0 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 822B68A0 8 Bytes [08, 61, 6F, 91, 68, 10, 6F, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 822B68B4 4 Bytes [10, DC, 77, 91] {ADC AH, BL; JA 0xffffffffffffff95}
.text ntkrnlpa.exe!KeSetEvent + 13D 822B68C0 4 Bytes [58, 51, 6E, 86]
.text ntkrnlpa.exe!KeSetEvent + 191 822B6914 4 Bytes [48, 90, 73, 91] {DEC EAX; NOP ; JAE 0xffffffffffffff95}
.text ntkrnlpa.exe!KeSetEvent + 1F5 822B6978 4 Bytes [F0, 34, 78, 91]
.text ...
? C:\Users\L\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4980] ntdll.dll!RtlEncodeSystemPointer + 873 771493A3 10 Bytes JMP 0578003A
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!CreateDialogParamW 761472A2 5 Bytes JMP 6A4CDEF8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!GetAsyncKeyState 7614863C 5 Bytes JMP 6A3E8F37 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!SetWindowsHookExW 761487AD 5 Bytes JMP 6A4C9B15 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!CallNextHookEx 76148E3B 5 Bytes JMP 6A4BD16D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!UnhookWindowsHookEx 761498DB 5 Bytes JMP 6A434666 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!EnableWindow 7614CD8B 5 Bytes JMP 6A4CDD85 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!CreateWindowExW 76151305 5 Bytes JMP 6A4CDB6C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!GetKeyState 76158CB1 5 Bytes JMP 6A4CD333 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!DrawTextExW 761591CE 5 Bytes JMP 0234C510
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!DrawTextW 761597D3 5 Bytes JMP 0234C34C
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!IsDialogMessageW 76160745 5 Bytes JMP 6A3F5A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!CreateDialogParamA 761617AA 5 Bytes JMP 6A5C5CB4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!IsDialogMessage 76161847 5 Bytes JMP 6A5C5550 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!CreateDialogIndirectParamA 761626F1 5 Bytes JMP 6A5C5CEB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!DrawTextA 7616558D 5 Bytes JMP 0234C270
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!DrawTextExA 761655C4 5 Bytes JMP 0234C428
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!CreateDialogIndirectParamW 76169A62 5 Bytes JMP 6A5C5D22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!SetKeyboardState 76170987 5 Bytes JMP 6A5C58BF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!DialogBoxParamW 761710B0 5 Bytes JMP 0234B645
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!DialogBoxIndirectParamW 76172EF5 5 Bytes JMP 6A5C502F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!SendInput 76172F75 5 Bytes JMP 6A5C647B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!EndDialog 7617326E 5 Bytes JMP 6A3F7EBA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!SetClipboardData 76186410 5 Bytes JMP 0234BFC3
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!SetCursorPos 76186FB2 5 Bytes JMP 6A5C64CF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!DialogBoxParamA 76188152 5 Bytes JMP 6A5C4FCC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!DialogBoxIndirectParamA 7618847D 5 Bytes JMP 6A5C5092 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!MessageBoxIndirectA 7619D4D9 5 Bytes JMP 6A5C4F61 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!MessageBoxIndirectW 7619D5D3 5 Bytes JMP 6A5C4EF6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!MessageBoxExA 7619D639 5 Bytes JMP 6A5C4E94 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!MessageBoxExW 7619D65D 5 Bytes JMP 6A5C4E32 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!keybd_event 7619D972 5 Bytes JMP 6A5C67FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] GDI32.dll!ExtTextOutW 75A2872B 5 Bytes JMP 0234C6DD
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] GDI32.dll!GetGlyphIndicesW 75A2B765 5 Bytes JMP 0234CB5E
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] GDI32.dll!ExtTextOutA 75A300A5 5 Bytes JMP 0234C5F8
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] GDI32.dll!TextOutA 75A30BAB 5 Bytes JMP 0234C0D6
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] GDI32.dll!TextOutW 75A30D6D 5 Bytes JMP 0234C1A3
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] GDI32.dll!GetGlyphIndicesA 75A49DC0 5 Bytes JMP 0234CA94
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] SHELL32.dll!SHRestricted + D95 763389A8 4 Bytes [4D, 30, C9, 70]
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] SHELL32.dll!SHRestricted + D9D 763389B0 8 Bytes [57, 2F, C9, 70, 9C, 5B, C8, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] ole32.dll!OleLoadFromStream 75871E80 5 Bytes JMP 6A5C53B0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] ole32.dll!CoGetTreatAsClass + D2F 7588FAE3 7 Bytes JMP 057801A9
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] ole32.dll!CoCreateInstance 758A9F3E 5 Bytes JMP 6A4CDBC8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] ole32.dll!CoCreateInstance + 3E 758A9F7C 7 Bytes JMP 057800F3
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!closesocket 7728330C 5 Bytes JMP 0234BF35
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!recv 7728343A 5 Bytes JMP 0234BCE3
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!GetAddrInfoW 77283D12 5 Bytes JMP 0234B283
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!getaddrinfo 7728418A 5 Bytes JMP 0234B1A3
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!WSASend 77284496 5 Bytes JMP 0234BD8D
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!send 7728659B 5 Bytes JMP 0234BC3D
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!WSARecv 77288400 5 Bytes JMP 0234BE4E
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!WSAAsyncGetHostByName 77295FB9 2 Bytes JMP 0234B56A
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!WSAAsyncGetHostByName + 3 77295FBC 2 Bytes [0B, 8B]
.text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!gethostbyname 772962D4 5 Bytes JMP 0234B0E6
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!CreateWindowExW 76151305 5 Bytes JMP 6A4CDB6C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!DrawTextExW 761591CE 5 Bytes JMP 01B8C510
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!DrawTextW 761597D3 5 Bytes JMP 01B8C34C
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!DrawTextA 7616558D 5 Bytes JMP 01B8C270
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!DrawTextExA 761655C4 5 Bytes JMP 01B8C428
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!DialogBoxParamW 761710B0 5 Bytes JMP 01B8B645
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!DialogBoxIndirectParamW 76172EF5 5 Bytes JMP 6A5C502F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!SetClipboardData 76186410 5 Bytes JMP 01B8BFC3
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!DialogBoxParamA 76188152 5 Bytes JMP 6A5C4FCC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!DialogBoxIndirectParamA 7618847D 5 Bytes JMP 6A5C5092 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!MessageBoxIndirectA 7619D4D9 5 Bytes JMP 6A5C4F61 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!MessageBoxIndirectW 7619D5D3 5 Bytes JMP 6A5C4EF6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!MessageBoxExA 7619D639 5 Bytes JMP 6A5C4E94 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] USER32.dll!MessageBoxExW 7619D65D 5 Bytes JMP 6A5C4E32 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] GDI32.dll!ExtTextOutW 75A2872B 5 Bytes JMP 01B8C6DD
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] GDI32.dll!GetGlyphIndicesW 75A2B765 5 Bytes JMP 01B8CB5E
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] GDI32.dll!ExtTextOutA 75A300A5 5 Bytes JMP 01B8C5F8
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] GDI32.dll!TextOutA 75A30BAB 5 Bytes JMP 01B8C0D6
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] GDI32.dll!TextOutW 75A30D6D 5 Bytes JMP 01B8C1A3
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] GDI32.dll!GetGlyphIndicesA 75A49DC0 5 Bytes JMP 01B8CA94
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] ws2_32.dll!closesocket 7728330C 5 Bytes JMP 01B8BF35
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] ws2_32.dll!recv 7728343A 5 Bytes JMP 01B8BCE3
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] ws2_32.dll!GetAddrInfoW 77283D12 5 Bytes JMP 01B8B283
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] ws2_32.dll!getaddrinfo 7728418A 5 Bytes JMP 01B8B1A3
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] ws2_32.dll!WSASend 77284496 5 Bytes JMP 01B8BD8D
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] ws2_32.dll!send 7728659B 5 Bytes JMP 01B8BC3D
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] ws2_32.dll!WSARecv 77288400 5 Bytes JMP 01B8BE4E
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] ws2_32.dll!WSAAsyncGetHostByName 77295FB9 2 Bytes JMP 01B8B56A
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] ws2_32.dll!WSAAsyncGetHostByName + 3 77295FBC 2 Bytes [8F, 8A]
.text C:\Program Files\Internet Explorer\iexplore.exe[5664] ws2_32.dll!gethostbyname 772962D4 5 Bytes JMP 01B8B0E6

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
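What matters in the GMER section above is not the number of hooks but where they land. The `USER32`/`ole32` hooks that jump into `C:\Windows\system32\IEFRAME.dll` are Internet Explorer's own; the `WS2_32.dll!gethostbyname`, `getaddrinfo`, `send`/`recv` and `GDI32` text hooks that jump to addresses like `0234B0E6` or `01B8B0E6` with no module listed point into memory that no loaded image accounts for, which is what injected code looks like and is consistent with a search-redirect hijack resolving and rewriting traffic inside the browser. The following Python is an added example for triaging such lines; it is not part of the original thread or of GMER. The sample lines are copied verbatim from the log above, and the list of "network APIs" and the rule that an unbacked JMP is the suspicious case are my assumptions, a triage heuristic rather than a verdict.

```python
import re
from collections import defaultdict

# One GMER user-mode hook line, as printed in the log above:
#   .text <process>[<pid>] <module>!<export>[ + <offset>] <address> <n> Bytes <what>
# where <what> is "JMP <target> [<backing module> (<vendor>)]" or a raw byte patch.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^!\s]+)!(?P<api>\S+)(?:\s\+\s(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<backing>.+?\.(?:dll|sys|exe))\s+\((?P<vendor>[^)]*)\))?$",
    re.IGNORECASE,
)

# Assumption: a DNS/search hijacker needs these exports (name resolution and
# socket I/O). Unbacked hooks on other exports are recorded but not flagged.
NETWORK_APIS = {
    "gethostbyname", "getaddrinfo", "GetAddrInfoW", "WSAAsyncGetHostByName",
    "send", "recv", "WSASend", "WSARecv", "closesocket",
}

# Constructed sample: lines copied verbatim from the GMER section above.
SAMPLE_LINES = [
    r".text C:\Program Files\Internet Explorer\iexplore.exe[4980] USER32.dll!MessageBoxExW 7619D65D 5 Bytes JMP 6A5C4E32 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[4980] GDI32.dll!ExtTextOutW 75A2872B 5 Bytes JMP 0234C6DD",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[4980] SHELL32.dll!SHRestricted + D95 763389A8 4 Bytes [4D, 30, C9, 70]",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!recv 7728343A 5 Bytes JMP 0234BCE3",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!WSAAsyncGetHostByName + 3 77295FBC 2 Bytes [0B, 8B]",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[4980] WS2_32.dll!gethostbyname 772962D4 5 Bytes JMP 0234B0E6",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[5664] ws2_32.dll!gethostbyname 772962D4 5 Bytes JMP 01B8B0E6",
    "---- Devices - GMER 1.0.15 ----",
]


def parse_hook(line):
    """Return the fields of one hook line, or None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    j = JMP_RE.match(rec["rest"])
    rec["target"] = j.group("target") if j else None    # None: in-place byte patch
    rec["backing"] = j.group("backing") if j else None  # None: JMP into unbacked memory
    rec["vendor"] = j.group("vendor") if j else None
    return rec


def triage(lines):
    """Group hooks per process into backed JMPs, unbacked JMPs and raw byte patches."""
    out = defaultdict(lambda: {"backed": [], "unbacked": [], "patched": []})
    for line in lines:
        rec = parse_hook(line)
        if rec is None:
            continue
        proc = f'{rec["proc"]}[{rec["pid"]}]'
        api = f'{rec["mod"]}!{rec["api"]}'
        if rec["target"] is None:
            out[proc]["patched"].append(api)
        elif rec["backing"] is None:
            out[proc]["unbacked"].append((api, rec["target"], rec["api"] in NETWORK_APIS))
        else:
            out[proc]["backed"].append((api, rec["backing"]))
    return dict(out)


def suspicious_processes(lines):
    """Processes whose network APIs jump into memory no loaded module accounts for."""
    result = {}
    for proc, groups in triage(lines).items():
        hooked = sorted(api for api, _target, is_net in groups["unbacked"] if is_net)
        if hooked:
            result[proc] = hooked
    return result


if __name__ == "__main__":
    for proc, apis in suspicious_processes(SAMPLE_LINES).items():
        print(proc)
        for api in apis:
            print("   unbacked hook on", api)
```

Run against the full GMER output, both `iexplore.exe` instances come back with their resolver and socket exports hooked into unbacked memory; the `IEFRAME.dll` hooks and the Symantec `SYMTDIV.SYS` attachments in the Devices section are expected for this software and are left out of the flagged set.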


#4 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 26 March 2011 - 10:37 PM

Lukalu456:

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 Lukalu456 (Topic Starter, 11 posts)

Posted 30 March 2011 - 02:01 AM

Here is the log from combofix. It warned me that Norton 360 antispyware was still running, although I had turned off both firewall and autoprotect in the system tray, so I went into Norton settings and turned everything off. I couldn't find any further instructions on how to turn everything off. However, when I clicked OK on Combofix, it said Norton antispyware was still running, and as Combofix ran, a balloon came up that said Norton 360 was performing background operations. I'm sorry that I couldn't get it to turn off. I hope it didn't damage my computer. I really thought everything was off...



ComboFix 11-03-29.04 - L 03/29/2011 23:25:48.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1149 [GMT -7:00]
Running from: c:\users\L\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton 360 *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files\ContextTool
c:\program files\ContextTool\ContextHelper.dat
c:\program files\ContextTool\pcre3.dll
c:\program files\ContextTool\uninstall.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
.
.
2011-03-30 06:38 . 2011-03-30 06:38 -------- d-----w- c:\users\Mom\AppData\Local\temp
2011-03-30 06:38 . 2011-03-30 06:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-30 02:36 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CA49F044-6A71-45DA-A3A1-1C28888555F1}\mpengine.dll
2011-03-24 18:11 . 2011-03-24 18:14 -------- d-----w- c:\users\L\AppData\Roaming\HpUpdate
2011-03-24 18:11 . 2011-03-24 18:11 -------- d-----w- c:\windows\Hewlett-Packard
2011-03-23 21:50 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 21:50 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 21:50 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-11 04:51 . 2011-03-11 04:51 -------- d-----w- c:\program files\iPod
2011-03-11 04:51 . 2011-03-11 04:53 -------- d-----w- c:\program files\iTunes
2011-03-09 06:37 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 06:37 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 06:37 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 06:37 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 06:37 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 06:37 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-04 04:47 . 2011-03-04 04:47 -------- d-----w- c:\program files\Apple Software Update
2011-03-04 04:44 . 2011-03-04 04:44 -------- d-----w- c:\program files\Bonjour
2011-03-04 03:46 . 2011-03-04 04:25 -------- d-----w- c:\users\L\AppData\Roaming\vlc
2011-03-04 03:46 . 2011-03-04 03:46 -------- d-----w- c:\programdata\Verizon
2011-03-04 03:46 . 2011-03-04 05:40 -------- d-----w- c:\users\L\AppData\Local\V CAST Media Manager
2011-03-04 03:45 . 2008-12-18 03:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2011-03-04 03:45 . 2008-12-11 21:26 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2011-03-04 03:45 . 2011-03-04 04:24 -------- d-----w- c:\program files\ffdshow
2011-03-04 03:44 . 2011-03-24 03:43 -------- d-----w- c:\program files\Verizon V CAST Media Manager
2011-03-04 03:34 . 2011-03-04 03:34 -------- d-----w- c:\program files\HTC
2011-03-04 03:32 . 2011-03-04 03:33 -------- d-----w- C:\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-20 03:46 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-03 01:11 . 2010-06-02 20:09 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-10 08:25 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-10 08:25 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-10 08:25 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-10 08:25 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-10 08:25 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-10 08:25 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-10 08:25 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-10 08:25 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-10 08:25 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-10 08:25 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-10 08:25 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-10 08:25 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-10 08:25 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-10 08:25 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-10 08:25 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-10 08:25 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-10 08:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-10 08:25 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-10 08:25 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-10 08:25 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-10 08:25 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:14 . 2011-02-10 08:25 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:12 . 2011-02-10 08:25 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-10 08:25 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-10 08:25 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47 . 2011-02-10 08:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-10 08:25 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-10 08:24 2039808 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\L\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\L\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\L\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-20 39408]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-11-07 95536]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"LSKKQ"="c:\users\L\AppData\Roaming\spoolm.dll" [2010-12-22 126464]
"RAIHQQWK"="c:\users\L\AppData\Roaming\wmdrmsdkg.dll" [2010-12-22 126464]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-22 133656]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1316136]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-11-07 54576]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
.
c:\users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\L\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\L\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9921d820d18b0;Google Update Service (gupdate1c9921d820d18b0);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 133104]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [2011-02-25 800376]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110325.002\IDSvix86.sys [2011-03-14 353912]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0403000.005\SYMTDIV.SYS [2010-05-06 339504]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe [2010-02-26 126392]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [2010-12-11 120248]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [2009-08-24 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 23:06]
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 23:06]
.
2011-03-10 c:\windows\Tasks\HPCeeScheduleForL.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-05-14 21:23]
.
2011-03-30 c:\windows\Tasks\User_Feed_Synchronization-{D8861A73-896E-4482-9410-6C28EA475B66}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
2011-03-30 c:\windows\Tasks\User_Feed_Synchronization-{FED060B4-5F47-4528-B7DB-97CD42208455}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-*{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
HKCU-Run-HLBackupScheduler - c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
HKLM-Run-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
HKLM-Run-hpqSRMon - (no file)
AddRemove-ContextTool - c:\program files\ContextTool\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-29 23:39
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-03-29 23:50:33
ComboFix-quarantined-files.txt 2011-03-30 06:50
.
Pre-Run: 159,999,041,536 bytes free
Post-Run: 159,997,403,136 bytes free
.
- - End Of File - - 52A7941FFB52B3DD3B6D6F85FD843F2F

#6 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 30 March 2011 - 01:40 PM

Lukalu456:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above http://

http://www.bleepingcomputer.com/forums/topic386700.html
Collect::
c:\users\L\AppData\Roaming\spoolm.dll
c:\users\L\AppData\Roaming\wmdrmsdkg.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LSKKQ"=-
"RAIHQQWK"=-

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • ComboFix log
  • MBAM log

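The two Run values targeted by the CFScript above are the ones in the post #5 log that do not look like the rest of the autostart list: `"LSKKQ"` and `"RAIHQQWK"` point at DLLs dropped into `c:\users\L\AppData\Roaming`, a location any non-admin process can write to, carry random-looking names, and share a date and size, whereas every other Run entry launches an .exe from Program Files or System32. The Python below is an added example, not ComboFix's code or the helper's, that parses the "Reg Loading Points" section of a ComboFix log, scores each Run value on those traits and emits a CFScript in the same `Collect::`/`Registry::` form as post #6 (`"name"=-` is .reg syntax for deleting a value). The sample log is a subset copied from post #5; the scoring weights, the threshold and the list of user-writable directories are assumptions, and a real CFScript should still be put together by a trained helper who has looked at the whole log.

```python
import re

# Constructed sample: HKCU/HKLM Run entries copied from the "Reg Loading Points"
# section of the ComboFix log in post #5 (a subset, in the log's own format).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"LSKKQ"="c:\users\L\AppData\Roaming\spoolm.dll" [2010-12-22 126464]
"RAIHQQWK"="c:\users\L\AppData\Roaming\wmdrmsdkg.dll" [2010-12-22 126464]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-22 141848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"""

# ComboFix scripts start with the URL of the thread they were written for.
THREAD_URL = "http://www.bleepingcomputer.com/forums/topic386700.html"

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VAL_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)

# Assumption: locations a non-admin user (or a drive-by download) can write to.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")


def parse_run_entries(text):
    """Yield one dict per "name"="path" [date size] line under a [HKEY_...] key."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VAL_RE.match(line)
        if v and key:
            yield {"key": key, **v.groupdict()}


def score(entry):
    """Heuristic score and reasons; the weights are assumptions, not a verdict."""
    reasons = []
    path = entry["path"].lower()
    if any(seg in path for seg in USER_WRITABLE):
        reasons.append((2, "runs from a user-writable profile directory"))
    if path.endswith(".dll"):
        reasons.append((1, "Run target is a bare DLL (legitimate entries use rundll32.exe)"))
    if re.fullmatch(r"[A-Z]{5,}", entry["name"]):
        reasons.append((1, "value name is a random-looking string of capitals"))
    return sum(w for w, _ in reasons), [text for _, text in reasons]


def flag_entries(text, threshold=2):
    """Run entries whose score reaches the (assumed) threshold, in log order."""
    flagged = []
    for entry in parse_run_entries(text):
        total, reasons = score(entry)
        if total >= threshold:
            flagged.append({**entry, "score": total, "reasons": reasons})
    return flagged


def build_cfscript(flagged, thread_url):
    """Collect:: quarantines the files for upload; "name"=- deletes the Run value."""
    lines = [thread_url, "Collect::"]
    lines += [e["path"] for e in flagged]
    lines.append("Registry::")
    for key in dict.fromkeys(e["key"] for e in flagged):  # dedupe, keep order
        lines.append(f"[{key}]")
        lines += [f'"{e["name"]}"=-' for e in flagged if e["key"] == key]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = flag_entries(SAMPLE_LOG)
    for e in hits:
        print(f'{e["name"]}: {e["path"]}  score={e["score"]}  ({"; ".join(e["reasons"])})')
    print(build_cfscript(hits, THREAD_URL))
```

On the sample above only the two Roaming DLLs clear the threshold; `WMPNSCFG` picks up a point for its all-caps name but nothing else, which is why the name heuristic is only supporting evidence and the path is what carries the score. The generated script is line for line the one the helper posted.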


#7 Lukalu456 (Topic Starter, 11 posts)

Posted 31 March 2011 - 12:32 AM

I'm concerned about doing this when I can't adequately turn off Norton 360 antispyware. Do you know how I can get it turned off? I've tried the previous instructions you posted on how to turn off Norton 360, but they only address the firewall and the antivirus autoprotect. Those instructions don't tell me how to turn off these Norton "background operations." I turned off all the settings, and yet it still ran...? Will running Combofix damage my computer if Norton 360 antispyware is running?

#8 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 31 March 2011 - 11:10 AM

You were able to sufficiently disable Norton 360 last time. If you are still not comfortable though, you can run my last instructions from the Safe Mode which will take Norton totally out of play.



#9 Lukalu456 (Topic Starter, 11 posts)

Posted 31 March 2011 - 04:42 PM

Hello again. I ran Combofix in safe mode, which meant I had no ability to turn off Norton 360 (in safe mode it would only allow me to either run it or not run it), and then after the reboot the computer came up not in safe mode, so Combofix ran with Norton and all my security programs enabled. I can't seem to reliably get Norton to turn off, and maybe I should just uninstall it in the future.
I also don't have enough money right now to buy Malwarebytes' Anti-Malware. It will be a few days before my student aid comes in and I can afford it. Is it all right to wait until then?



Anyway, here is the Combofix.txt log:

ComboFix 11-03-29.04 - L 03/31/2011 11:17:15.2.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1536 [GMT -7:00]
Running from: c:\users\L\Desktop\ComboFix.exe
Command switches used :: c:\users\L\Desktop\CFScript.txt
AV: Norton 360 *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton 360 *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
file zipped: c:\users\L\AppData\Roaming\spoolm.dll
file zipped: c:\users\L\AppData\Roaming\wmdrmsdkg.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\L\AppData\Roaming\spoolm.dll
c:\users\L\AppData\Roaming\wmdrmsdkg.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))
.
.
2011-03-31 18:25 . 2011-03-31 21:16 -------- d-----w- c:\users\L\AppData\Local\temp
2011-03-31 18:25 . 2011-03-31 18:25 -------- d-----w- c:\users\Mom\AppData\Local\temp
2011-03-30 02:36 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CA49F044-6A71-45DA-A3A1-1C28888555F1}\mpengine.dll
2011-03-24 18:11 . 2011-03-24 18:14 -------- d-----w- c:\users\L\AppData\Roaming\HpUpdate
2011-03-24 18:11 . 2011-03-24 18:11 -------- d-----w- c:\windows\Hewlett-Packard
2011-03-23 21:50 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 21:50 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 21:50 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-11 04:51 . 2011-03-11 04:51 -------- d-----w- c:\program files\iPod
2011-03-11 04:51 . 2011-03-11 04:53 -------- d-----w- c:\program files\iTunes
2011-03-09 06:37 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 06:37 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 06:37 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 06:37 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 06:37 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 06:37 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-04 04:47 . 2011-03-04 04:47 -------- d-----w- c:\program files\Apple Software Update
2011-03-04 04:44 . 2011-03-04 04:44 -------- d-----w- c:\program files\Bonjour
2011-03-04 03:46 . 2011-03-04 04:25 -------- d-----w- c:\users\L\AppData\Roaming\vlc
2011-03-04 03:46 . 2011-03-04 03:46 -------- d-----w- c:\programdata\Verizon
2011-03-04 03:46 . 2011-03-04 05:40 -------- d-----w- c:\users\L\AppData\Local\V CAST Media Manager
2011-03-04 03:45 . 2008-12-18 03:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2011-03-04 03:45 . 2008-12-11 21:26 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2011-03-04 03:45 . 2011-03-04 04:24 -------- d-----w- c:\program files\ffdshow
2011-03-04 03:44 . 2011-03-24 03:43 -------- d-----w- c:\program files\Verizon V CAST Media Manager
2011-03-04 03:34 . 2011-03-04 03:34 -------- d-----w- c:\program files\HTC
2011-03-04 03:32 . 2011-03-04 03:33 -------- d-----w- C:\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-20 03:46 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-03 01:11 . 2010-06-02 20:09 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-10 08:25 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-10 08:25 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-10 08:25 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-10 08:25 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-10 08:25 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-10 08:25 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-10 08:25 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-10 08:25 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-10 08:25 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-10 08:25 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-10 08:25 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-10 08:25 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-10 08:25 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-10 08:25 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-10 08:25 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-10 08:25 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-10 08:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-10 08:25 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-10 08:25 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-10 08:25 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-10 08:25 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:14 . 2011-02-10 08:25 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:12 . 2011-02-10 08:25 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-10 08:25 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-10 08:25 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47 . 2011-02-10 08:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-10 08:25 292352 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\L\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\L\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\L\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-20 39408]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-11-07 95536]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-22 133656]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1316136]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-11-07 54576]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
.
c:\users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\L\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\L\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9921d820d18b0;Google Update Service (gupdate1c9921d820d18b0);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 133104]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]
R3 CFcatchme;CFcatchme;c:\users\L\AppData\Local\Temp\CFcatchme.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [2011-02-25 800376]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110330.001\IDSvix86.sys [2011-03-14 353912]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0403000.005\SYMTDIV.SYS [2010-05-06 339504]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe [2010-02-26 126392]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [2010-12-11 120248]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [2009-08-24 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 23:06]
.
2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-18 23:06]
.
2011-03-10 c:\windows\Tasks\HPCeeScheduleForL.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-05-14 21:23]
.
2011-03-31 c:\windows\Tasks\User_Feed_Synchronization-{D8861A73-896E-4482-9410-6C28EA475B66}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
2011-03-31 c:\windows\Tasks\User_Feed_Synchronization-{FED060B4-5F47-4528-B7DB-97CD42208455}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5844)
c:\users\L\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\system32\DllHost.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-03-31 14:24:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-31 21:23
ComboFix2.txt 2011-03-30 06:50
.
Pre-Run: 159,792,009,216 bytes free
Post-Run: 159,769,366,528 bytes free
.
- - End Of File - - 090AB26CF1ED42968E63E90F20B16B9F
Upload was successful

#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 AM

Posted 31 March 2011 - 08:05 PM

Lukalu456:

You don't need to purchase Malwarebytes - there is a free and paid or PRO version. The free version will do what we need it to do. They both use the same installer, but if you purchase the PRO version you are provided a key that unlocks the extra features.

Please include the following in your next post:
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#11 Lukalu456

Lukalu456
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 01 April 2011 - 02:12 AM

Well, I was able to download Malwarebytes' Anti-Malware this time, since the link took me to a different site than last time, and this time there was a free version. I ran Malwarebytes' Anti-Malware and about one hour in, it stopped and gave me a message: "Malwarebytes' Anti-Malware has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available." The only option was to click a button that said "Close program." I did this and then I immediately launched Malwarebytes' Anti-Malware again. It ran for 1 hour and 2 minutes this time, and it checked 188139 objects. Then it gave me the same message and forced me to close it again. That's when I saw it would do this every time, so I decided to let you know!
Thanks once again for all your help. BTW my Norton 360 firewall and autoprotect were turned off while I ran Malwarebytes' Anti-Malware, if it matters.

#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 AM

Posted 01 April 2011 - 09:27 AM

Hello,

Please try running it from the Safe Mode.



#13 Lukalu456

Lukalu456
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 05 April 2011 - 10:20 PM

Ok, that worked better. Here is the log from safe mode:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6232

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19019

4/5/2011 5:35:17 AM
mbam-log-2011-04-05 (05-35-17).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 348299
Time elapsed: 49 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\00272174 (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\00273174 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
c:\Qoobox\quarantine\C\Users\L\AppData\Roaming\spoolm.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Users\L\AppData\Roaming\wmdrmsdkg.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\programdata\00272174\00272174.glu (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\00272174\pc00272174cnf (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\programdata\00272174\pc00272174ins (Rogue.Multiple) -> Quarantined and deleted successfully.
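
As an added example (not part of the original thread), a small Python parser for the Malwarebytes' Anti-Malware 1.x text log layout shown above: it reads the declared "X Infected" counts, collects each listed detection with its family and action, cross-checks the declared counts against the items actually listed, and flags anything not quarantined. The embedded log is a constructed excerpt in the same layout as the one posted.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example)."""
import re
from collections import Counter

# Constructed excerpt in the same layout as the log posted in the thread.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6232
Windows 6.0.6002 Service Pack 2 (Safe Mode)

Scan type: Full scan (C:\\|D:\\|E:\\|G:\\|)
Objects scanned: 348299
Time elapsed: 49 minute(s), 50 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Folders Infected:
c:\\programdata\\00272174 (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\\programdata\\00273174 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
c:\\Qoobox\\quarantine\\C\\Users\\L\\AppData\\Roaming\\spoolm.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\\Qoobox\\quarantine\\C\\Users\\L\\AppData\\Roaming\\wmdrmsdkg.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\\programdata\\00272174\\00272174.glu (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\\programdata\\00272174\\pc00272174cnf (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\\programdata\\00272174\\pc00272174ins (Rogue.Multiple) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 5"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (summary, detections): summary maps each 'X Infected' heading to
    its declared count; detections lists dicts with section, path, family, action."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)   # subsequent item lines belong to this section
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def check_counts(summary, detections):
    """Sections whose declared count differs from the items listed: {section: (declared, listed)}."""
    listed = Counter(d["section"] for d in detections)
    return {s: (n, listed.get(s, 0)) for s, n in summary.items() if n != listed.get(s, 0)}


def families(detections):
    """Detections per malware family, e.g. to spot one rogue spread over many paths."""
    return Counter(d["family"] for d in detections)


def not_remediated(detections):
    """Paths whose action was anything other than quarantine-and-delete; these need follow-up."""
    return [d["path"] for d in detections if not d["action"].startswith("Quarantined and deleted")]
```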

#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 AM

Posted 06 April 2011 - 10:37 AM

Lukalu456:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to this page.
  • Scroll down to where it says "Java Platform, Standard Edition."
  • Click the "Download JRE" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked:
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • How is your computer running now?
  • ESET log



#15 Lukalu456

Lukalu456
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 06 April 2011 - 07:36 PM

Hi, I'm sorry but I ran ESET Online Scanner, and at the end, it didn't have a Details tab. It had a short summary saying it found no threats, and a "finish" button. I thought if I clicked the finish button, maybe the details tab would come up, but instead it just closed. I'm not sure how to get the log for it, but it took a very long time to run. I started it at 9 am and I had to leave at noon to work, and it was still running then. I looked for the log that the FAQ says it's supposed to have, but didn't find anything. Should I run it again, or run it differently somehow?

My browser seems to be redirecting less. I need to spend some time trying it out repeatedly and make sure it's not redirecting. I just tried 3 searches and it didn't redirect, and before, it would have redirected 2 out of 3. Thanks, I think this is helping!
