Virus is not letting me execute any program?
My system is ATTACKED by some malware. It is automatically opening all porn websites and not letting me run any virus program. I have followed the thread on the cool website and ran it as you guys said. I am pasting the logs below. Please advise me what I should do next.
Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis.

----------

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::
Driver::
lich
File::
C:\WINDOWS\system32\lich.exe

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.

Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

I have run ComboFix. Here is the log. Thanks a bunch.

ComboFix 09-07-04.04 - OM 07/04/2009 23:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1169 [GMT -5:00]
Running from: c:\documents and settings\OM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\OM\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\windows\system32\lich.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\-1124205267
c:\windows\Installer\105b0428.msp
c:\windows\Installer\105b0496.msp
c:\windows\Installer\3f1184.msi
c:\windows\Installer\55e09e.msp
c:\windows\Installer\acc93ef.msi
c:\windows\system32\drivers\4289843a.sys
c:\windows\system32\prsgrc.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\wbem\proquota.exe
F:\AUTORUN.INF

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6to4
-------\Legacy_lich
-------\Legacy_pcmstub
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_4289843a
-------\Service_6to4
-------\Service_lich

((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.
2010-07-15 02:42 . 2009-06-04 22:31 -------- d-----w- c:\documents and settings\OM\Application Data\dvdcss
2010-07-15 02:42 . 2010-07-15 02:42 -------- d-----w- c:\documents and settings\OM\Application Data\vlc
2010-07-15 02:41 . 2010-07-15 02:41 -------- d-----w- c:\program files\VideoLAN
2010-07-13 21:48 . 2009-04-05 00:33 73784 ----a-w- c:\documents and settings\OM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 21:19 . 2009-07-03 21:19 -------- d-----w- c:\program files\Trend Micro
2009-07-03 20:59 . 2009-07-03 20:59 152576 ----a-w- c:\documents and settings\OM\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-03 20:34 . 2009-07-03 20:34 -------- d-----w- c:\documents and settings\OM\Application Data\Malwarebytes
2009-07-03 20:34 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 20:34 . 2009-07-03 20:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-03 20:34 . 2009-07-03 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-03 20:34 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 16:14 . 2009-07-03 21:39 117760 ----a-w- c:\documents and settings\OM\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-03 16:14 . 2009-07-03 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-03 16:13 . 2009-07-03 16:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-03 16:13 . 2009-07-03 16:13 -------- d-----w- c:\documents and settings\OM\Application Data\SUPERAntiSpyware.com
2009-07-03 16:13 . 2009-07-03 16:13 -------- d-----w- C:\MSId8962.tmp
2009-07-03 16:13 . 2009-07-03 16:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-03 16:02 . 2009-07-03 16:02 -------- d-----w- c:\program files\CCleaner
2009-07-03 04:12 . 2009-07-03 23:39 -------- d-----w- c:\documents and settings\OM\Application Data\Lavasoft
2009-07-02 19:15 . 2009-07-02 19:15 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP7.sys
2009-07-02 19:12 . 2009-07-02 19:12 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP6.sys
2009-07-02 19:12 . 2009-07-02 19:12 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP5.sys
2009-07-02 19:11 . 2009-07-02 19:11 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP4.sys
2009-07-02 18:27 . 2009-07-02 18:27 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP3.sys
2009-07-02 18:27 . 2009-07-02 18:27 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP2.sys
2009-07-02 18:26 . 2009-07-02 18:26 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.sys
2009-07-02 18:26 . 2009-07-02 18:26 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.sys
2009-07-02 18:26 . 2009-07-03 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\12080624
2009-07-02 18:26 . 2009-07-02 18:26 -------- d-sh--w- c:\windows\System Volume Information
2009-06-29 03:13 . 2009-06-29 03:13 -------- d-----w- c:\program files\MediaMelon
2009-06-22 02:45 . 2009-06-22 02:45 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-09 03:53 . 2009-06-09 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-05 13:30 . 2009-05-21 16:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-05 13:29 . 2009-06-05 13:29 152576 ----a-w- c:\documents and settings\OM\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 03:11 . 2007-07-13 04:50 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-05 04:32 . 2008-06-17 01:01 -------- d-----w- c:\documents and settings\OM\Application Data\HPAppData
2009-07-04 04:40 . 2009-04-03 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-03 21:03 . 2008-04-23 00:50 -------- d-----w- c:\program files\Java
2009-07-03 16:07 . 2009-03-31 00:50 -------- d-----w- c:\documents and settings\OM\Application Data\Azureus
2009-07-03 13:05 . 2008-06-19 03:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-03 13:05 . 2008-06-19 03:45 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 13:05 . 2007-03-03 08:01 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-03 13:05 . 2008-06-19 03:45 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-03 02:52 . 2008-06-19 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-02 18:55 . 2009-04-11 11:22 -------- d-----w- c:\documents and settings\OM\Application Data\Amazon
2009-07-02 18:55 . 2009-04-11 11:21 -------- d-----w- c:\program files\Amazon
2009-07-02 18:27 . 2009-07-02 18:27 327 ---h--w- c:\windows\Fonts\mlog
2009-07-02 18:25 . 2007-01-16 18:01 -------- d-----w- c:\documents and settings\OM\Application Data\AdobeUM
2009-06-30 00:58 . 2009-04-17 16:59 -------- d-----w- c:\documents and settings\OM\Application Data\U3
2009-06-22 02:45 . 2008-07-17 01:21 -------- d-----w- c:\program files\Common Files\Real
2009-06-20 01:19 . 2009-02-03 04:21 -------- d-----w- c:\program files\Google
2009-06-03 04:41 . 2009-06-03 04:41 -------- d-----w- c:\documents and settings\OM\Application Data\ATI
2009-06-03 03:14 . 2009-06-03 03:14 708608 ----a-w- c:\windows\system32\Resecure60.dll
2009-06-03 03:14 . 2009-06-03 03:14 6536 ----a-w- c:\windows\system32\WinGPDrv.dat
2009-06-03 03:14 . 2009-06-03 03:14 6533 ----a-w- c:\windows\system32\NGWinDrv.dat
2009-06-03 03:14 . 2009-06-03 03:14 458752 ----a-w- c:\windows\system32\LiveUpdate.dll
2009-06-03 03:14 . 2009-06-03 03:14 1290240 ----a-w- c:\windows\system32\NGWinSys.dll
2009-06-03 03:14 . 2004-08-04 12:00 1025 ----a-w- c:\windows\system32\y1vz87p.dll
2009-06-03 03:14 . 2004-08-04 12:00 1024 ----a-w- c:\windows\system32\grcauth2.dll
2009-06-03 03:14 . 2004-08-04 12:00 1024 ----a-w- c:\windows\system32\grcauth1.dll
2009-06-03 03:14 . 2004-08-04 12:00 1024 ----a-w- c:\windows\system32\clauth2.dll
2009-06-03 03:14 . 2004-08-04 12:00 1024 ----a-w- c:\windows\system32\clauth1.dll
2009-06-03 03:12 . 2009-06-03 03:12 -------- d-----w- c:\program files\Common Files\RAM Common
2009-06-03 03:11 . 2009-06-03 03:11 -------- d-----w- c:\program files\VectorDraw
2009-06-03 03:11 . 2009-06-03 03:11 -------- d-----w- c:\program files\Common Files\Bentley
2009-06-03 03:09 . 2009-06-03 03:09 10134 ----a-r- c:\documents and settings\OM\Application Data\Microsoft\Installer\{D4A33E08-4FE7-40C4-BF5E-5853C56ADD7C}\ARPPRODUCTICON.exe
2009-06-03 03:09 . 2009-03-31 01:57 -------- d-----w- c:\program files\Common Files\Bentley Shared
2009-06-01 15:56 . 2008-07-20 03:46 -------- d-----w- c:\documents and settings\Guest\Application Data\HPAppData
2009-05-31 12:26 . 2009-05-31 12:26 73784 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 03:04 . 2009-02-06 01:22 -------- d-----w- c:\documents and settings\OM\Application Data\ZoomBrowser EX
2009-05-10 03:03 . 2009-02-06 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-13 3660848]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-24 3558136]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-03 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-03 1948440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-22 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2009-2-14 253952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-03 13:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Themes"=2 (0x2)
"TapiSrv"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"HPSLPSVC"=2 (0x2)
"hpqddsvc"=2 (0x2)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"BITS"=2 (0x2)
"avg8emc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\MediaMelon\\bin\\wrapper.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11:TCP"= 11:TCP:INTERNET
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/18/2008 10:45 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2008 10:45 PM 108552]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2009 8:05 AM 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 9:06 AM 298776]
R2 MediaMelon Client;MediaMelon Client 1.0;c:\program files\MediaMelon\bin\wrapper.exe [4/16/2009 3:30 PM 217088]
S2 gupdate1c98fbdcfb083d4;Google Update Service (gupdate1c98fbdcfb083d4);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2009 5:36 PM 133104]
S3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [7/2/2009 2:09 PM 1252474]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 4:48 AM 169192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]

2009-07-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 14:36]

2009-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-15 22:35]

2009-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-15 22:35]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpeedItUpEX - c:\program files\Speeditup Free\SpeedItUp.exe
HKCU-Run-SmartVoip - c:\program files\SmartVoip.com\SmartVoip\SmartVoip.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 23:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2836)
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\system32\java.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\windows\system32\msiexec.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-07-05 23:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-05 04:59

Pre-Run: 3,585,925,120 bytes free
Post-Run: 4,511,961,088 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[OPERATING systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

306 --- E O F --- 2009-06-11 08:03

Download OTM by OldTimer to your desktop.
Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.
* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe
:services
:reg
:files
c:\documents and settings\All Users\Application Data\Symantec
:Commands
[purity]
[emptytemp]
[start explorer]

* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

----------

Download DDS from HERE or HERE or HERE and save it to your desktop.
* Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
  1) DDS.txt
  2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment. Please just post it as you would any other log by copy and pasting it into the reply.

----------

Also let me know how the computer is running now.

Hi evilfantasy,

THANKS FOR YOUR HELP. I ran the programs as you told me. When I ran OTM by OldTimer, after clicking on "Move It" there was a message in the green box "it killed all" and the screen went blank. I could see only the desktop background. Then I waited for 30 mins and restarted the system forcefully. It ran fine. Then I ran the DDS program. The logs are as follows.

DDS.txt

DDS (Ver_09-06-26.01) - NTFSx86
Run by OM at 8:54:36.78 on Sun 07/05/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1324 [GMT -5:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\MediaMelon\bin\wrapper.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\java.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\OM\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.23.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se\CameraMonitor.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.23.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/45.11/uploader2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {cafeefac-0016-0000-0014-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-18 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-3-3 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-18 108552]
R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-3 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 298776]
R2 MediaMelon Client;MediaMelon Client 1.0;c:\program files\mediamelon\bin\wrapper.exe [2009-4-16 217088]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080613.003\naveng.sys [2008-6-14 89936]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080613.003\navex15.sys [2008-6-14 856336]
S2 gupdate1c98fbdcfb083d4;Google Update Service (gupdate1c98fbdcfb083d4);c:\program files\google\update\GoogleUpdate.exe [2009-2-15 133104]
S3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [2009-7-2 1252474]
S3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
S4 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

=============== Created Last 30 ================

2009-07-05 08:10 --d----- C:\_OTM
2009-07-04 23:58 -cd----- c:\windows\system32\dllcache\cache
2009-07-04 23:50 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-07-04 23:50 50,176 a------- c:\windows\system32\proquota.exe
2009-07-04 23:46 a-dshr-- C:\cmdcons
2009-07-04 23:44 161,792 a------- c:\windows\SWREG.exe
2009-07-04 23:44 155,136 a------- c:\windows\PEV.exe
2009-07-04 23:44 98,816 a------- c:\windows\sed.exe
2009-07-04 23:44 --ds---- C:\ComboFix
2009-07-03 16:19 --d----- c:\program files\Trend Micro
2009-07-03 15:34 --d----- c:\docume~1\om\applic~1\Malwarebytes
2009-07-03 15:34 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 15:34 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-03 15:34 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-03 15:34 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-03 11:14 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-03 11:13 --d----- c:\program files\SUPERAntiSpyware
2009-07-03 11:13 --d----- c:\docume~1\om\applic~1\SUPERAntiSpyware.com
2009-07-03 11:13 --d----- C:\MSId8962.tmp
2009-07-03 11:13 --d----- c:\program files\common files\Wise Installation Wizard
2009-07-03 11:02 --d----- c:\program files\CCleaner
2009-07-02 13:26 --d----- c:\docume~1\alluse~1\applic~1\12080624
2009-07-02 13:26 --dsh--- c:\windows\System Volume Information
2009-06-28 22:13 --d----- c:\program files\MediaMelon
2009-06-21 21:45 --d----- c:\program files\common files\xing shared
2009-06-14 20:12 0 a------- c:\windows\mtstack16.INI

==================== Find3M ====================

2009-07-03 08:05 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 08:05 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-03 08:05 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-02 13:27 327 ----h--- c:\windows\fonts\mlog
2009-06-02 22:14 1,290,240 a------- c:\windows\system32\NGWinSys.dll
2009-06-02
22:14708,608a-------c:\windows\system32\Resecure60.dll 2009-06-02 22:14458,752a-------c:\windows\system32\LiveUpdate.dll 2009-06-02 22:146,536a-------c:\windows\system32\WinGPDrv.dat 2009-06-02 22:146,533a-------c:\windows\system32\NGWinDrv.dat 2009-05-21 11:33410,984a-------c:\windows\system32\deploytk.dll 2009-05-07 10:32345,600a-------c:\windows\system32\localspl.dll 2009-05-01 13:303,366,912a-------c:\windows\system32\GPhotos.scr 2009-04-17 07:261,847,168a-------c:\windows\system32\win32k.sys 2009-04-15 09:51585,216a-------c:\windows\system32\rpcrt4.dll 2009-03-14 19:0860,744a-------c:\documents and settings\om\g2mdlhlpx.exe 2008-02-22 20:0032a----r--c:\documents and settings\all users\hash.dat ============= FINISH: 8:54:54.70 =============== Attach.txt UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_09-06-26.01) Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 7/12/2007 11:53:14 PM System Uptime: 7/5/2009 8:41:08 AM (0 hours ago) Motherboard: Dell Inc. | | 0XD720 Processor: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz | Microprocessor | 1995/166mhz ==== Disk Partitions ========================= C: is FIXED (NTFS) - 24 GiB total, 4.19 GiB free. D: is CDROM () E: is FIXED (NTFS) - 10 GiB total, 5.547 GiB free. F: is FIXED (NTFS) - 78 GiB total, 11.013 GiB free. 
==== Disabled Device Manager Items =============

Class GUID:
Description: BCM2045
Device ID: USB\VID_413C&PID_8126\5&2CD8A58F&0&2
Manufacturer:
Name: BCM2045
PNP Device ID: USB\VID_413C&PID_8126\5&2CD8A58F&0&2
Service:

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Officejet J6400 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet J6400 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}
Description: Officejet J6400 series
Device ID: ROOT\PRINTER\0000
Manufacturer: HP
Name: Officejet J6400 series
PNP Device ID: ROOT\PRINTER\0000
Service:

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia N75
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N75
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

==== System Restore Points ===================

RP451: 7/4/2009 11:50:21 PM - ComboFix created restore point
RP452: 7/5/2009 8:29:04 AM - System Checkpoint

==== Installed Programs ======================

32 Bit HP CIO Components Installer
4Media HD Video Converter
6400_Help
Adobe Acrobat 6.0 Professional
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Aide PDF to DXF Converter 9.5
AirXonix version 1.41
Any Video Converter 2.7.1
Ap PDF to IMAGE
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AutoCAD 2004
Autodesk Express Viewer
AVG 8.5
Bentley IEG License Service
Bentley MicroStation (V 08.05.01.25) - 1
Bonjour
bpd_scan
BPDSoftware
BPDSoftware_Ini
Broadcom 440x 10/100 Integrated Controller
BufferChm
Canon Camera Access Library
Canon Camera Support Core Library
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Cards_Calendar_OrderGift_DoMorePlugout
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Creative WebCam NX Ultra Driver (1.01.03.0112)
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Dell Wireless WLAN Card
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DivX Web Player
DocProc
DocProcQFolder
eSupportQFolder
Fax
Free DWG Viewer 6.2
Google Earth
Google Gears
Google Update Helper
Google Updater
GoToMeeting 4.0.0.320
GPBaseService
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 10.0
HP Imaging Device Functions 10.0
HP Officejet J6400 Series
HP Photosmart Essential 2.5
HP Photosmart Essential 3.0
HP Smart Web Printing
HP Solution Center 10.0
HP Update
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
HPSSupply
ImageMixer 3 SE
iTunes
J6400
Java(TM) 6 Update 14
LiveUpdate 2.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
MediaMelon Client
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NetDeviceManager
Nokia Connectivity Cable Driver
OCR Software by I.R.I.S. 10.0
PC Connectivity Solution
Picasa 3
ProductContext
PSSWCORE
QuickSet
QuickTime
RealPlayer
RedistSysFiles
SafeCast Shared Components
Scan
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Shop for HP Supplies
SigmaTel Audio
SmartWebPrintingOC
SolutionCenter
Sound Blaster ADVANCED MB Drivers
STAAD.Pro V8i
Status
SUPERAntiSpyware Free Edition
Symantec AntiVirus
Synaptics Pointing Device Driver
Toolbox
TrayApp
UnloadSupport
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VBA (2627.01)
Veoh Web Player Beta
VeohTV BETA
VideoLAN VLC media player 0.8.6b
VideoToolkit01
Vuze
WebFldrs XP
WebReg
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8 Release Candidate 1
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinStorm30
Yahoo! Messenger
Yahoo! Search Protection

==== End Of File ===========================

Thanks, Sree

Go to Add or Remove Programs and uninstall:
Download the Norton Removal Tool (SymNRT) to your desktop. Once downloaded please close ALL open browsers, also save any work because this may require a restart.
----------
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
Code:
KillAll::
DDS::
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.
Important: Perform this instruction carefully!
ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

Hi, I ran the combofix. Here is the log. Thanks.

ComboFix 09-07-05.01 - OM 07/05/2009 19:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1467 [GMT -5:00]
Running from: c:\documents and settings\OM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\OM\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\messenger\msmsgs.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.
2010-07-15 02:42 . 2009-06-04 22:31 -------- d-----w- c:\documents and settings\OM\Application Data\dvdcss
2010-07-15 02:42 . 2010-07-15 02:42 -------- d-----w- c:\documents and settings\OM\Application Data\vlc
2010-07-15 02:41 . 2010-07-15 02:41 -------- d-----w- c:\program files\VideoLAN
2010-07-13 21:48 . 2009-04-05 00:33 73784 ----a-w- c:\documents and settings\OM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-05 13:10 . 2009-07-05 13:10 -------- d-----w- C:\_OTM
2009-07-05 04:50 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-05 04:50 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-03 21:19 . 2009-07-03 21:19 -------- d-----w- c:\program files\Trend Micro
2009-07-03 20:59 . 2009-07-03 20:59 152576 ----a-w- c:\documents and settings\OM\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-03 20:34 . 2009-07-03 20:34 -------- d-----w- c:\documents and settings\OM\Application Data\Malwarebytes
2009-07-03 20:34 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 20:34 . 2009-07-03 20:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-03 20:34 . 2009-07-03 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-03 20:34 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 16:14 . 2009-07-03 21:39 117760 ----a-w- c:\documents and settings\OM\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-03 16:14 . 2009-07-03 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-03 16:13 . 2009-07-03 16:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-03 16:13 . 2009-07-03 16:13 -------- d-----w- c:\documents and settings\OM\Application Data\SUPERAntiSpyware.com
2009-07-03 16:13 . 2009-07-03 16:13 -------- d-----w- C:\MSId8962.tmp
2009-07-03 16:13 . 2009-07-03 16:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-03 16:02 . 2009-07-03 16:02 -------- d-----w- c:\program files\CCleaner
2009-07-03 04:12 . 2009-07-03 23:39 -------- d-----w- c:\documents and settings\OM\Application Data\Lavasoft
2009-07-02 19:15 . 2009-07-02 19:15 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP7.sys
2009-07-02 19:12 . 2009-07-02 19:12 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP6.sys
2009-07-02 19:12 . 2009-07-02 19:12 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP5.sys
2009-07-02 19:11 . 2009-07-02 19:11 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP4.sys
2009-07-02 18:27 . 2009-07-02 18:27 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP3.sys
2009-07-02 18:27 . 2009-07-02 18:27 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP2.sys
2009-07-02 18:26 . 2009-07-02 18:26 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.sys
2009-07-02 18:26 . 2009-07-02 18:26 4656 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.sys
2009-07-02 18:26 . 2009-07-03 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\12080624
2009-07-02 18:26 . 2009-07-02 18:26 -------- d-sh--w- c:\windows\System Volume Information
2009-06-29 03:13 . 2009-06-29 03:13 -------- d-----w- c:\program files\MediaMelon
2009-06-22 02:45 . 2009-06-22 02:45 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-09 03:53 . 2009-06-09 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 03:11 . 2007-07-13 04:50 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-06 00:35 . 2008-06-17 01:01 -------- d-----w- c:\documents and settings\OM\Application Data\HPAppData
2009-07-06 00:25 . 2007-03-27 11:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-06 00:25 . 2007-03-27 11:27 -------- d-----w- c:\program files\Symantec
2009-07-06 00:25 . 2007-03-27 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-05 13:02 . 2009-04-03 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-03 21:03 . 2008-04-23 00:50 -------- d-----w- c:\program files\Java
2009-07-03 16:07 . 2009-03-31 00:50 -------- d-----w- c:\documents and settings\OM\Application Data\Azureus
2009-07-03 13:05 . 2008-06-19 03:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-03 13:05 . 2008-06-19 03:45 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 13:05 . 2007-03-03 08:01 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-03 13:05 . 2008-06-19 03:45 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-03 02:52 . 2008-06-19 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-02 18:55 . 2009-04-11 11:22 -------- d-----w- c:\documents and settings\OM\Application Data\Amazon
2009-07-02 18:55 . 2009-04-11 11:21 -------- d-----w- c:\program files\Amazon
2009-07-02 18:27 . 2009-07-02 18:27 327 ---h--w- c:\windows\Fonts\mlog
2009-07-02 18:25 . 2007-01-16 18:01 -------- d-----w- c:\documents and settings\OM\Application Data\AdobeUM
2009-06-30 00:58 . 2009-04-17 16:59 -------- d-----w- c:\documents and settings\OM\Application Data\U3
2009-06-22 02:45 . 2008-07-17 01:21 -------- d-----w- c:\program files\Common Files\Real
2009-06-20 01:19 . 2009-02-03 04:21 -------- d-----w- c:\program files\Google
2009-06-05 13:29 . 2009-06-05 13:29 152576 ----a-w- c:\documents and settings\OM\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-03 04:41 . 2009-06-03 04:41 -------- d-----w- c:\documents and settings\OM\Application Data\ATI
2009-06-03 03:14 . 2009-06-03 03:14 708608 ----a-w- c:\windows\system32\Resecure60.dll
2009-06-03 03:14 . 2009-06-03 03:14 6536 ----a-w- c:\windows\system32\WinGPDrv.dat
2009-06-03 03:14 . 2009-06-03 03:14 6533 ----a-w- c:\windows\system32\NGWinDrv.dat
2009-06-03 03:14 . 2009-06-03 03:14 458752 ----a-w- c:\windows\system32\LiveUpdate.dll
2009-06-03 03:14 . 2009-06-03 03:14 1290240 ----a-w- c:\windows\system32\NGWinSys.dll
2009-06-03 03:14 . 2004-08-04 12:00 1025 ----a-w- c:\windows\system32\y1vz87p.dll
2009-06-03 03:14 . 2004-08-04 12:00 1024 ----a-w- c:\windows\system32\grcauth2.dll
2009-06-03 03:14 . 2004-08-04 12:00 1024 ----a-w- c:\windows\system32\grcauth1.dll
2009-06-03 03:14 . 2004-08-04 12:00 1024 ----a-w- c:\windows\system32\clauth2.dll
2009-06-03 03:14 . 2004-08-04 12:00 1024 ----a-w- c:\windows\system32\clauth1.dll
2009-06-03 03:12 . 2009-06-03 03:12 -------- d-----w- c:\program files\Common Files\RAM Common
2009-06-03 03:11 . 2009-06-03 03:11 -------- d-----w- c:\program files\VectorDraw
2009-06-03 03:11 . 2009-06-03 03:11 -------- d-----w- c:\program files\Common Files\Bentley
2009-06-03 03:09 . 2009-06-03 03:09 10134 ----a-r- c:\documents and settings\OM\Application Data\Microsoft\Installer\{D4A33E08-4FE7-40C4-BF5E-5853C56ADD7C}\ARPPRODUCTICON.exe
2009-06-03 03:09 . 2009-03-31 01:57 -------- d-----w- c:\program files\Common Files\Bentley Shared
2009-06-01 15:56 . 2008-07-20 03:46 -------- d-----w- c:\documents and settings\Guest\Application Data\HPAppData
2009-05-31 12:26 . 2009-05-31 12:26 73784 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-21 16:33 . 2009-06-05 13:30 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-10 03:04 . 2009-02-06 01:22 -------- d-----w- c:\documents and settings\OM\Application Data\ZoomBrowser EX
2009-05-10 03:03 . 2009-02-06 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((( [emailprotected]_04.55.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-06 00:43 . 2009-07-06 00:43 16384 c:\windows\Temp\Perflib_Perfdata_fc.dat
- 2004-08-04 12:00 . 2009-07-03 03:42 58998 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-07-05 04:58 58998 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-07-05 04:58 392864 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-07-03 03:42 392864 c:\windows\system32\perfh009.dat
+ 2007-01-16 16:51 . 2009-07-05 18:13 3817984 c:\windows\Installer\1073be.msi
- 2007-01-16 16:51 . 2009-07-03 23:38 3817984 c:\windows\Installer\1073be.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-13 3660848]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-24 3558136]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-03 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-03 1948440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-22 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2009-2-14 253952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-03 13:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Themes"=2 (0x2)
"TapiSrv"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"HPSLPSVC"=2 (0x2)
"hpqddsvc"=2 (0x2)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"BITS"=2 (0x2)
"avg8emc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\MediaMelon\\bin\\wrapper.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11:TCP"= 11:TCP:INTERNET
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/18/2008 10:45 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2008 10:45 PM 108552]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2009 8:05 AM 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 9:06 AM 298776]
R2 MediaMelon Client;MediaMelon Client 1.0;c:\program files\MediaMelon\bin\wrapper.exe [4/16/2009 3:30 PM 217088]
S2 gupdate1c98fbdcfb083d4;Google Update Service (gupdate1c98fbdcfb083d4);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2009 5:36 PM 133104]
S3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [7/2/2009 2:09 PM 1252474]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]

2009-07-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 14:36]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-15 22:35]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-15 22:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 19:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\java.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\windows\system32\msiexec.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-07-06 19:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-06 00:47
ComboFix2.txt 2009-07-05 04:59

Pre-Run: 4,735,184,896 bytes free
Post-Run: 4,738,347,008 bytes free

284 --- E O F --- 2009-06-11 08:03

How is the computer running now?
The above procedure will:
----------
1. Double click OTM to launch it. Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTM.

Hi, My computer is running normal now. Thank you very much. Do I need to do anything else? Thanks a million, Sree

Final suggestions.

Use the Secunia Software Inspector to check for out of date software.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.