please help! anti virus suite hijacker




Post by lynx5653 on Mon 26 Jul 2010, 3:21 am

I have downloaded Malwarebytes and removed infections; however, I can only run Internet Explorer in Safe Mode, everything freezes up, I cannot download programs, and I am unable to install any Windows updates. Here is a copy of the OTL scan log:



OTL logfile created on: 7/25/2010 11:56:05 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = D:\Documents and Settings\Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 723.00 Mb Available Physical Memory | 71.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): D:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 1.00 Gb Total Space | 0.90 Gb Free Space | 90.16% Space Free | Partition Type: NTFS
Drive D: | 79.42 Gb Total Space | 71.14 Gb Free Space | 89.57% Space Free | Partition Type: NTFS
Drive E: | 12.70 Gb Total Space | 0.78 Gb Free Space | 6.11% Space Free | Partition Type: FAT32
Drive F: | 0.18 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BRIMSTON-DE2D31
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/25 11:53:09 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009/03/18 18:50:30 | 004,363,504 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2008/09/10 13:01:28 | 000,611,664 | ---- | M] (Lavasoft) -- D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/07/25 11:53:09 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/13 20:11:56 | 001,819,997 | ---- | M] () -- D:\WINDOWS\system32\htmlmod.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- D:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- D:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- D:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/10 06:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Stopped] -- D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/09/10 13:01:28 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2006/01/06 15:07:26 | 000,077,824 | ---- | M] (HP) [On_Demand | Stopped] -- D:\WINDOWS\system32\hphipm11.exe -- (Pml Driver HPH11)


========== Driver Services (SafeList) ==========

DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2007/06/12 11:39:38 | 000,508,416 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\PFC027.SYS -- (PAC207)
DRV - [2007/01/24 15:44:06 | 000,290,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/02/08 16:44:00 | 003,846,016 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2006/01/06 15:07:27 | 000,050,276 | ---- | M] (Hewlett-Packard) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\hphs2k11.sys -- (Dot4Storage HPH11) Storage Class Driver for IEEE-1284.4 (HPH11)
DRV - [2006/01/06 15:07:27 | 000,018,928 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\hphius11.sys -- (Dot4Usb HPH11)
DRV - [2006/01/06 15:07:27 | 000,016,112 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\hphipr11.sys -- (Dot4Print HPH11)
DRV - [2006/01/06 15:07:26 | 000,050,896 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\hphid411.sys -- (Dot4 HPH11)
DRV - [2005/09/28 17:00:22 | 000,376,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/09/27 23:46:00 | 001,345,536 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/03 01:58:06 | 000,007,552 | ---- | M] (Sirius, Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\SiriusUSB.sys -- (PortlUSB)
DRV - [2005/08/22 16:07:00 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/08/22 15:06:14 | 000,231,424 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\HSFHWATI.sys -- (HSFHWATI)
DRV - [2005/08/22 15:06:10 | 000,718,464 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/08/01 19:00:00 | 000,349,312 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2005/08/01 18:58:00 | 000,038,016 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
DRV - [2005/07/13 11:08:20 | 000,033,890 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\Capt905c.sys -- (SQTECH905C)
DRV - [2005/02/23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - D:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (Adblock Pro) - {F385C231-605B-4d8f-ACA9-DBFF765BBE17} - D:\Program Files\Adblock Pro\AdblockPro.dll (Adblock Pro Team)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O4 - HKLM..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPHmon04] D:\WINDOWS\system32\hphmon04.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD04] D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe File not found
O4 - HKLM..\Run: [Microsoft Works Portfolio] D:\Program Files\Microsoft Works\WksSb.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [Microsoft Works Update Detection] D:\Program Files\Microsoft Works\WkDetect.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [SoundMan] D:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [WorksFUD] D:\Program Files\Microsoft Works\wkfud.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [YMailAdvisor] D:\Program Files\Yahoo!\Common\YMailAdvisor.exe (Yahoo! Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - D:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O9 - Extra Button: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - D:\Program Files\Adblock Pro\AdblockPro.dll (Adblock Pro Team)
O9 - Extra 'Tools' menuitem : Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - D:\Program Files\Adblock Pro\AdblockPro.dll (Adblock Pro Team)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [You must be registered and logged in to see this link.] (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} D:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} [You must be registered and logged in to see this link.] (HP Download Manager)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} [You must be registered and logged in to see this link.] (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 199.45.28.3 208.93.13.2
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - D:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\dhcpvga: DllName - dhcpvga.dll - D:\WINDOWS\System32\dhcpvga.dll ()
O21 - SSODL: Txtitdde - {C06CBC2B-A080-4A36-92BE-5FA438C6D029} - D:\WINDOWS\system32\sqlepchm.dll ()
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/29 00:43:15 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 22:07:38 | 000,000,000 | -HS- | M] () - E:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 14:01:14 | 000,000,053 | -HS- | M] () - E:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - D:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - D:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - D:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: aawservice - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
SafeBootMin: AppMgmt - D:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: aawservice - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
SafeBootNet: AppMgmt - D:\WINDOWS\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 8.0
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 8.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Visual Basic scripting Support
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - d:\WINDOWS\system32\Rundll32.exe d:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - Reg Error: Value error.
ActiveX: {AA218328-0EA8-4D70-8972-E987A9190FF4} - Reg Error: Value error.
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - D:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - D:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - D:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - D:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - D:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - D:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - D:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - D:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - D:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - D:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - D:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - D:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

========== Files/Folders - Created Within 30 Days ==========

[2010/07/25 11:52:54 | 000,574,976 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/25 11:34:32 | 000,000,000 | ---D | C] -- D:\WINDOWS\LastGood
[2010/07/25 11:11:11 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Sun
[2010/07/25 11:11:10 | 000,000,000 | ---D | C] -- D:\Program Files\Common Files\Java
[2010/07/25 11:10:43 | 000,423,656 | ---- | C] (Oracle) -- D:\WINDOWS\System32\deployJava1.dll
[2010/07/25 11:10:43 | 000,153,376 | ---- | C] (Oracle) -- D:\WINDOWS\System32\javaws.exe
[2010/07/25 11:10:43 | 000,145,184 | ---- | C] (Oracle) -- D:\WINDOWS\System32\javaw.exe
[2010/07/25 11:10:43 | 000,145,184 | ---- | C] (Oracle) -- D:\WINDOWS\System32\java.exe
[2010/07/25 11:10:43 | 000,073,728 | ---- | C] (Oracle) -- D:\WINDOWS\System32\javacpl.cpl
[2010/07/25 11:00:25 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Application Data\Sun
[2010/07/24 12:26:05 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/07/24 12:25:55 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/24 12:25:54 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2010/07/24 12:25:54 | 000,000,000 | ---D | C] -- D:\Program Files\Malwarebytes' Anti-Malware
[2010/07/24 12:25:23 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- D:\Documents and Settings\Administrator\My Documents\mbam-setup-1.46.exe
[2010/07/24 12:22:35 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Application Data\Macromedia
[2010/07/24 12:22:29 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Local Settings\Application Data\Yahoo
[2010/07/24 12:22:15 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
[2010/07/24 11:44:17 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Application Data\Adobe
[2010/07/24 11:42:42 | 000,000,000 | --SD | C] -- D:\Documents and Settings\Administrator\Application Data\Microsoft
[2010/07/24 11:42:42 | 000,000,000 | RH-D | C] -- D:\Documents and Settings\Administrator\SendTo
[2010/07/24 11:42:42 | 000,000,000 | RH-D | C] -- D:\Documents and Settings\Administrator\Application Data
[2010/07/24 11:42:42 | 000,000,000 | R--D | C] -- D:\Documents and Settings\Administrator\Start Menu
[2010/07/24 11:42:42 | 000,000,000 | -HSD | C] -- D:\Documents and Settings\Administrator\Cookies
[2010/07/24 11:42:42 | 000,000,000 | -H-D | C] -- D:\Documents and Settings\Administrator\Templates
[2010/07/24 11:42:42 | 000,000,000 | -H-D | C] -- D:\Documents and Settings\Administrator\Recent
[2010/07/24 11:42:42 | 000,000,000 | -H-D | C] -- D:\Documents and Settings\Administrator\PrintHood
[2010/07/24 11:42:42 | 000,000,000 | -H-D | C] -- D:\Documents and Settings\Administrator\NetHood
[2010/07/24 11:42:42 | 000,000,000 | -H-D | C] -- D:\Documents and Settings\Administrator\Local Settings
[2010/07/24 11:42:42 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\My Documents
[2010/07/24 11:42:42 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2010/07/24 11:42:42 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Favorites
[2010/07/24 11:42:42 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Desktop
[2010/07/14 20:10:01 | 000,000,000 | ---D | C] -- D:\Program Files\Ubisoft
[2010/07/10 19:09:14 | 000,006,784 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\serscan.sys
[2010/07/10 19:09:12 | 000,037,376 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\kousd.dll
[2010/07/10 19:09:12 | 000,037,376 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\kousd.dll
[2010/07/10 19:09:10 | 000,071,680 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\fnfilter.dll
[2010/07/10 19:09:10 | 000,071,680 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\fnfilter.dll
[4 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/25 11:57:14 | 000,786,432 | -H-- | M] () -- D:\Documents and Settings\Administrator\ntuser.dat
[2010/07/25 11:53:09 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/25 11:47:38 | 000,470,194 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/25 11:47:38 | 000,400,946 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2010/07/25 11:47:38 | 000,061,568 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2010/07/25 11:43:25 | 000,013,646 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2010/07/25 11:43:08 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2010/07/25 11:42:05 | 000,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2010/07/25 11:30:56 | 000,000,178 | -HS- | M] () -- D:\Documents and Settings\Administrator\ntuser.ini
[2010/07/25 11:30:53 | 002,656,656 | -H-- | M] () -- D:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/07/25 11:10:26 | 000,423,656 | ---- | M] (Oracle) -- D:\WINDOWS\System32\deployJava1.dll
[2010/07/25 11:10:26 | 000,153,376 | ---- | M] (Oracle) -- D:\WINDOWS\System32\javaws.exe
[2010/07/25 11:10:26 | 000,145,184 | ---- | M] (Oracle) -- D:\WINDOWS\System32\javaw.exe
[2010/07/25 11:10:26 | 000,145,184 | ---- | M] (Oracle) -- D:\WINDOWS\System32\java.exe
[2010/07/25 11:10:26 | 000,073,728 | ---- | M] (Oracle) -- D:\WINDOWS\System32\javacpl.cpl
[2010/07/25 09:40:50 | 000,000,696 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/24 21:02:24 | 000,001,857 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\MSN Installer.lnk
[2010/07/24 21:02:01 | 000,004,566 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2010/07/24 15:03:54 | 000,262,144 | ---- | M] () -- D:\Documents and Settings\All Users\ntuser.dat
[2010/07/24 14:25:23 | 000,000,716 | ---- | M] () -- D:\WINDOWS\win.ini
[2010/07/24 14:25:23 | 000,000,243 | ---- | M] () -- D:\WINDOWS\SYSTEM.INI
[2010/07/24 12:25:32 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- D:\Documents and Settings\Administrator\My Documents\mbam-setup-1.46.exe
[2010/07/15 07:16:37 | 000,250,288 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/30 21:53:28 | 000,001,729 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[4 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/25 09:40:50 | 000,000,696 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/24 21:02:24 | 000,001,857 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\MSN Installer.lnk
[2010/07/24 15:03:53 | 000,262,144 | ---- | C] () -- D:\Documents and Settings\All Users\ntuser.dat
[2010/07/24 15:03:53 | 000,001,024 | -H-- | C] () -- D:\Documents and Settings\All Users\ntuser.dat.LOG
[2010/07/24 11:42:44 | 000,000,178 | -HS- | C] () -- D:\Documents and Settings\Administrator\ntuser.ini
[2010/07/24 11:42:42 | 000,786,432 | -H-- | C] () -- D:\Documents and Settings\Administrator\ntuser.dat
[2010/07/24 11:42:42 | 000,245,760 | -H-- | C] () -- D:\Documents and Settings\Administrator\NTUSER.DAT.LOG
[2010/06/30 21:52:10 | 000,001,729 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/10/27 07:25:41 | 000,000,034 | ---- | C] () -- D:\WINDOWS\hpfsched.ini
[2009/10/27 07:24:11 | 000,069,632 | ---- | C] () -- D:\WINDOWS\System32\hpodinet.dll
[2009/10/25 22:19:34 | 000,001,385 | ---- | C] () -- D:\WINDOWS\QfnOnl.ini
[2009/10/25 22:19:34 | 000,000,133 | ---- | C] () -- D:\WINDOWS\QBWCD.INI
[2009/10/25 22:19:28 | 000,000,362 | ---- | C] () -- D:\WINDOWS\QDQICK.INI
[2009/10/25 22:19:28 | 000,000,021 | ---- | C] () -- D:\WINDOWS\QFNOA.INI
[2009/10/25 22:19:27 | 000,000,038 | ---- | C] () -- D:\WINDOWS\ACCWIZ.INI
[2009/02/25 17:01:28 | 000,000,754 | ---- | C] () -- D:\WINDOWS\WORDPAD.INI
[2009/02/21 13:02:38 | 000,000,710 | ---- | C] () -- D:\WINDOWS\wininit.ini
[2009/01/27 18:57:33 | 000,000,000 | ---- | C] () -- D:\WINDOWS\FoneSync.INI
[2008/10/30 12:33:34 | 000,135,168 | ---- | C] () -- D:\WINDOWS\System32\RtlCPAPI.dll
[2008/10/05 22:25:31 | 000,000,408 | ---- | C] () -- D:\WINDOWS\System32\Remover.ini
[2007/06/12 11:08:10 | 000,000,518 | ---- | C] () -- D:\WINDOWS\System32\SP207.ini
[2004/08/04 08:00:00 | 001,819,997 | ---- | C] () -- D:\WINDOWS\System32\htmlmod.dll
[2004/08/04 08:00:00 | 001,282,048 | ---- | C] () -- D:\WINDOWS\System32\logadans.dll
[2004/08/04 08:00:00 | 001,073,152 | ---- | C] () -- D:\WINDOWS\System32\sqlepchm.dll
[2004/08/04 08:00:00 | 000,884,836 | ---- | C] () -- D:\WINDOWS\System32\dhcpvga.dll
[2004/08/04 08:00:00 | 000,366,669 | ---- | C] () -- D:\WINDOWS\System32\olertf.dll
[2004/08/04 08:00:00 | 000,331,299 | ---- | C] () -- D:\WINDOWS\System32\odbcmfc.dll
[2004/08/04 08:00:00 | 000,155,518 | ---- | C] () -- D:\WINDOWS\System32\dlgildev32.dll
[2004/08/04 08:00:00 | 000,119,756 | ---- | C] () -- D:\WINDOWS\System32\seroknet.dll
[1997/07/11 01:00:00 | 000,031,232 | ---- | C] () -- D:\WINDOWS\System32\XLREC.DLL
[1997/07/11 01:00:00 | 000,025,600 | ---- | C] () -- D:\WINDOWS\System32\RECNCL.DLL
[1997/07/11 01:00:00 | 000,022,016 | ---- | C] () -- D:\WINDOWS\System32\DOCOBJ.DLL

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/10/16 16:38:34 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- D:\WINDOWS\system32\dxtmsft.dll
[2008/10/16 16:38:34 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- D:\WINDOWS\system32\dxtrans.dll
[1 D:\WINDOWS\system32\*.tmp files -> D:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[1 D:\WINDOWS\system32\*.tmp files -> D:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/10/28 18:29:21 | 000,094,208 | ---- | M] () -- D:\WINDOWS\system32\config\default.sav
[2008/10/28 18:29:21 | 000,634,880 | ---- | M] () -- D:\WINDOWS\system32\config\software.sav
[2008/10/28 18:29:21 | 000,884,736 | ---- | M] () -- D:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2004/08/04 08:00:00 | 000,009,029 | ---- | M] () -- D:\WINDOWS\system32\ansi.sys
[2004/08/04 08:00:00 | 000,027,097 | ---- | M] () -- D:\WINDOWS\system32\country.sys
[2004/08/04 08:00:00 | 000,004,768 | ---- | M] () -- D:\WINDOWS\system32\himem.sys
[2004/08/04 08:00:00 | 000,042,809 | ---- | M] () -- D:\WINDOWS\system32\key01.sys
[2004/08/04 08:00:00 | 000,042,537 | ---- | M] () -- D:\WINDOWS\system32\keyboard.sys
[2004/08/04 08:00:00 | 000,027,866 | ---- | M] () -- D:\WINDOWS\system32\ntdos.sys
[2004/08/04 08:00:00 | 000,029,146 | ---- | M] () -- D:\WINDOWS\system32\ntdos404.sys
[2004/08/04 08:00:00 | 000,029,370 | ---- | M] () -- D:\WINDOWS\system32\ntdos411.sys
[2004/08/04 08:00:00 | 000,029,274 | ---- | M] () -- D:\WINDOWS\system32\ntdos412.sys
[2004/08/04 08:00:00 | 000,029,146 | ---- | M] () -- D:\WINDOWS\system32\ntdos804.sys
[2004/08/04 08:00:00 | 000,033,840 | ---- | M] () -- D:\WINDOWS\system32\ntio.sys
[2004/08/04 08:00:00 | 000,034,560 | ---- | M] () -- D:\WINDOWS\system32\ntio404.sys
[2004/08/04 08:00:00 | 000,035,648 | ---- | M] () -- D:\WINDOWS\system32\ntio411.sys
[2004/08/04 08:00:00 | 000,035,424 | ---- | M] () -- D:\WINDOWS\system32\ntio412.sys
[2004/08/04 08:00:00 | 000,034,560 | ---- | M] () -- D:\WINDOWS\system32\ntio804.sys
[2008/04/13 14:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\watchdog.sys
[2008/09/15 08:12:56 | 001,846,400 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\win32k.sys
[1 D:\WINDOWS\system32\*.tmp files -> D:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 20:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 20:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 20:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 20:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 20:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 20:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 20:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\adv11nt5.dll
[2005/09/27 22:51:00 | 000,040,960 | ---- | M] (ATI Technologies Inc.) -- D:\WINDOWS\system32\drivers\ati2erec.dll
[2008/04/13 20:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 20:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 20:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 20:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 20:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 20:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/13 20:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 20:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- D:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2010/07/25 11:19:42 | 000,006,709 | ---- | M] () -- D:\JavaRa.log
[2010/07/25 11:42:59 | 1610,612,736 | -HS- | M] () -- D:\pagefile.sys

< %PROGRAMFILES%\*. >
[2009/01/25 16:38:44 | 000,000,000 | ---D | M] -- D:\Program Files\Abrosoft
[2009/06/20 07:33:18 | 000,000,000 | ---D | M] -- D:\Program Files\Adblock Pro
[2010/06/30 21:51:50 | 000,000,000 | ---D | M] -- D:\Program Files\Adobe
[2010/01/15 08:56:27 | 000,000,000 | ---D | M] -- D:\Program Files\Apple Software Update
[2008/12/28 16:33:55 | 000,000,000 | ---D | M] -- D:\Program Files\ArcSoft
[2008/10/30 14:25:09 | 000,000,000 | ---D | M] -- D:\Program Files\ATI Technologies
[2008/10/29 14:53:59 | 000,000,000 | ---D | M] -- D:\Program Files\Broadcom
[2010/07/24 14:30:26 | 000,000,000 | ---D | M] -- D:\Program Files\CA Yahoo! Anti-Spy
[2010/07/25 11:11:10 | 000,000,000 | ---D | M] -- D:\Program Files\Common Files
[2008/10/29 00:39:43 | 000,000,000 | ---D | M] -- D:\Program Files\ComPlus Applications
[2008/10/29 20:38:44 | 000,000,000 | ---D | M] -- D:\Program Files\CONEXANT
[2009/05/27 18:25:31 | 000,000,000 | ---D | M] -- D:\Program Files\FoneSync
[2009/08/23 23:37:18 | 000,000,000 | ---D | M] -- D:\Program Files\GAMES
[2009/02/21 12:55:14 | 000,000,000 | ---D | M] -- D:\Program Files\Hewlett-Packard
[2008/10/30 14:33:43 | 000,000,000 | ---D | M] -- D:\Program Files\HP
[2009/02/21 13:23:23 | 000,000,000 | ---D | M] -- D:\Program Files\hp deskjet 990c series
[2009/10/27 07:24:29 | 000,000,000 | ---D | M] -- D:\Program Files\HP Photosmart 11
[2009/06/05 20:38:55 | 000,000,000 | -H-D | M] -- D:\Program Files\InstallShield Installation Information
[2009/01/28 19:49:01 | 000,000,000 | ---D | M] -- D:\Program Files\Intel
[2010/07/24 15:28:49 | 000,000,000 | ---D | M] -- D:\Program Files\Internet Explorer
[2009/11/06 07:20:46 | 000,000,000 | ---D | M] -- D:\Program Files\Java
[2008/12/15 18:07:09 | 000,000,000 | ---D | M] -- D:\Program Files\Lavasoft
[2010/07/25 09:40:50 | 000,000,000 | ---D | M] -- D:\Program Files\Malwarebytes' Anti-Malware
[2008/11/20 19:07:26 | 000,000,000 | ---D | M] -- D:\Program Files\Messenger
[2009/01/24 21:04:17 | 000,000,000 | ---D | M] -- D:\Program Files\microsoft frontpage
[2009/03/21 07:14:00 | 000,000,000 | ---D | M] -- D:\Program Files\Microsoft Office
[2010/07/12 19:41:52 | 000,000,000 | ---D | M] -- D:\Program Files\Microsoft Picture It! PhotoPub
[2009/01/25 13:40:37 | 000,000,000 | ---D | M] -- D:\Program Files\Microsoft Works
[2009/01/25 13:35:42 | 000,000,000 | ---D | M] -- D:\Program Files\Microsoft Works Suite 2001
[2008/11/20 19:04:09 | 000,000,000 | ---D | M] -- D:\Program Files\Movie Maker
[2010/07/24 21:02:27 | 000,000,000 | ---D | M] -- D:\Program Files\MSN
[2008/10/29 00:38:52 | 000,000,000 | ---D | M] -- D:\Program Files\MSN Gaming Zone
[2009/03/18 20:31:34 | 000,000,000 | ---D | M] -- D:\Program Files\MyDSC2
[2008/11/20 19:02:29 | 000,000,000 | ---D | M] -- D:\Program Files\NetMeeting
[2008/11/05 19:05:05 | 000,000,000 | ---D | M] -- D:\Program Files\NOS
[2010/07/24 21:01:56 | 000,000,000 | ---D | M] -- D:\Program Files\Online Services
[2008/11/20 19:02:24 | 000,000,000 | ---D | M] -- D:\Program Files\Outlook Express
[2008/10/05 22:25:26 | 000,000,000 | ---D | M] -- D:\Program Files\PC Camer@
[2008/12/11 11:50:02 | 000,000,000 | ---D | M] -- D:\Program Files\PortalPlayer
[2010/01/15 08:57:14 | 000,000,000 | ---D | M] -- D:\Program Files\QuickTime
[2009/01/12 21:55:12 | 000,000,000 | ---D | M] -- D:\Program Files\Realtek AC97
[2009/10/16 07:40:39 | 000,000,000 | ---D | M] -- D:\Program Files\Realtime-Spy
[2008/12/11 11:52:51 | 000,000,000 | ---D | M] -- D:\Program Files\Sirius
[2008/12/11 11:49:19 | 000,000,000 | ---D | M] -- D:\Program Files\sirius_studio_installer
[2009/01/23 11:22:41 | 000,000,000 | ---D | M] -- D:\Program Files\TIVistadriver
[2009/01/31 08:03:12 | 000,000,000 | ---D | M] -- D:\Program Files\TurboTax
[2010/07/14 20:10:37 | 000,000,000 | ---D | M] -- D:\Program Files\Ubisoft
[2008/10/29 00:49:24 | 000,000,000 | -H-D | M] -- D:\Program Files\Uninstall Information
[2009/01/05 10:58:42 | 000,000,000 | ---D | M] -- D:\Program Files\Wal-Mart
[2009/01/12 21:55:16 | 000,000,000 | ---D | M] -- D:\Program Files\Windows Media Player
[2008/11/20 19:02:24 | 000,000,000 | ---D | M] -- D:\Program Files\Windows NT
[2008/10/29 00:41:55 | 000,000,000 | -H-D | M] -- D:\Program Files\WindowsUpdate
[2008/10/29 00:43:24 | 000,000,000 | ---D | M] -- D:\Program Files\xerox
[2010/07/24 15:03:53 | 000,000,000 | ---D | M] -- D:\Program Files\Yahoo!
[2009/07/11 21:22:14 | 000,000,000 | ---D | M] -- D:\Program Files\Yahoo! Companion

< %appdata%\*.* >
[2008/10/28 18:31:23 | 000,000,062 | -HS- | M] () -- D:\Documents and Settings\Administrator\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/11/20 18:55:28 | 023,852,652 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/11/20 18:55:28 | 023,852,652 | ---- | M] () .cab file -- D:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- D:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- D:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- D:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/11/20 18:55:28 | 023,852,652 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/11/20 18:55:28 | 023,852,652 | ---- | M] () .cab file -- D:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- D:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- D:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- D:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2008/11/20 18:55:28 | 023,852,652 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/11/20 18:55:28 | 023,852,652 | ---- | M] () .cab file -- D:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/04 08:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- D:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- D:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- D:\WINDOWS\system32\dllcache\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- D:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- D:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- D:\WINDOWS\system32\eventlog.dll
[2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- D:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- D:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- D:\WINDOWS\system32\netlogon.dll
[2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- D:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- D:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- D:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- D:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2008/11/20 18:55:28 | 023,852,652 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2008/11/20 18:55:28 | 023,852,652 | ---- | M] () .cab file -- D:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2004/08/03 23:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- D:\WINDOWS\$NtServicePackUninstall$\usbstor.sys
[2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- D:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- D:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2009-01-13 21:21:57
< End of report >




lynx5653
Newbie Surfer
Posts : 21
Joined : 2010-07-26
Operating System : xp home
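The OTL log above ends with `< MD5 for: ... >` sections that list every copy of a few core drivers and system DLLs together with its MD5. The point of those sections is a comparison: the copy Windows actually loads from system32 or system32\drivers should hash the same as the ServicePackFiles and dllcache copies, while the $NtServicePackUninstall$ copy is the pre-SP3 file and legitimately differs. A live driver that matches none of the reference copies has been altered on disk. The following Python script is an added example of that comparison; it is not part of OTL or of this thread. Its classification of paths into live, reference and other copies is this example's own rule, the AGP440.SYS lines are copied from the log above, and the ATAPI.SYS section is constructed from the same log with the live driver's hash replaced by a placeholder so that a mismatch is visible.

```python
"""Added check over the '< MD5 for: ... >' sections of an OTL log: a live driver whose
hash matches none of the ServicePackFiles/dllcache reference copies is suspect.
Not part of OTL or this thread; the classification rules are this example's own."""
import re
from collections import defaultdict

MD5_HEADER = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
MD5_LINE = re.compile(r"MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+?)\s*$")

def classify(path):
    """'live' for the copy Windows loads, 'reference' for the SP3/dllcache copies that
    should hash-match it, 'other' for $NtServicePackUninstall$ (the pre-SP3 file, which
    legitimately differs) and anything else."""
    parent = path.lower().rsplit("\\", 1)[0]
    if parent.endswith("\\system32") or parent.endswith("\\system32\\drivers"):
        return "live"
    if parent.endswith("\\servicepackfiles\\i386") or parent.endswith("\\system32\\dllcache"):
        return "reference"
    return "other"

def parse_md5_sections(text):
    """Map each section's file name (lowercase) to its (path, MD5) entries; the .cab
    lines carry no hash and are skipped."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        h = MD5_HEADER.match(line)
        if h:
            current = h["name"].lower()
            continue
        m = MD5_LINE.search(line)
        if current and m:
            sections[current].append((m["path"], m["md5"].upper()))
    return sections

def check_driver_integrity(text):
    """Return {'mismatched': {name: {'live': set, 'reference': set}}, 'unverifiable': [names]}."""
    mismatched, unverifiable = {}, []
    for name, entries in parse_md5_sections(text).items():
        live = {md5 for path, md5 in entries if classify(path) == "live"}
        reference = {md5 for path, md5 in entries if classify(path) == "reference"}
        if not live or not reference:
            unverifiable.append(name)  # nothing to compare against
        elif not live <= reference:
            mismatched[name] = {"live": live, "reference": reference}
    return {"mismatched": mismatched, "unverifiable": sorted(unverifiable)}

# AGP440.SYS lines are copied from the OTL log above. The ATAPI.SYS section is constructed
# from the same log with the live driver's hash replaced by a placeholder, to show what a
# patched on-disk driver looks like in this check.
SAMPLE = r"""
< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- D:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- D:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- D:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- D:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- D:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- D:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- D:\WINDOWS\$NtServicePackUninstall$\atapi.sys
"""

if __name__ == "__main__":
    print(check_driver_integrity(SAMPLE))
```

Feed it the whole OTL log rather than the excerpt and it reports every section where the loaded copy disagrees with the reference copies, plus sections it cannot judge because one side is missing. A file size that differs between the live and reference copies, as in the constructed ATAPI.SYS case's original, is the cruder version of the same check.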

Re: please help! anti virus suite hijacker

Post by Crush on Mon 26 Jul 2010, 4:04 am

Welcome to GeekPolice Forums! I'm Crush, but you can call me Chris too, and I will be helping you with your malware issues.

A few things to keep in mind as we progress:

1. We are all volunteer staff here so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether or not it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries.

3. This may turn into a long ordeal, but rest assured we will stay with you until you are completely disinfected.

4. Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer. Do not run any tools unless specifically asked to by a member of one of these usergroups.

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous.

6. Please keep responding until I give you the "All Clear". Absence of symptoms does not mean that everything is clear.

7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

8. If you have any questions or issues please stop and ask! We are all here to help.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

To do this click , then click Preferences. Make sure Always notify me of replies is set to Yes.


With that out of the way:

Please boot into Normal Mode and follow the instructions below:

First, I will need the logs from MBAM. You can navigate to the Logs tab of the program to retrieve them.
======

Next, Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.
=======

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy/paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



Things I need in your reply

MBAM Log
RKill Log
Combofix Log

Crush
Tech Officer
Posts : 3889
Joined : 2010-01-28

Re: please help! anti virus suite hijacker

Post by lynx5653 on Mon 26 Jul 2010, 5:26 am

Hi Chris,

Thank you for your help!
MBAM LOG:

Malwarebytes' Anti-Malware 1.46
Database version: 4344
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13
7/24/2010 12:33:17 PM
mbam-log-2010-07-24 (12-33-17).txt
Scan type: Quick scan
Objects scanned: 131094
Time elapsed: 4 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
D:\Documents and Settings\brimstone\Local Settings\Application Data\Windows Server\bblvsa.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcpffuic (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
D:\Documents and Settings\brimstone\Local Settings\Application Data\ubehsjtgy\yydonrttssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\RECYCLER\S-1-5-21-1547161642-1123561945-725345543-1004\Dd31.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Documents and Settings\brimstone\Local Settings\Application Data\Windows Server\bblvsa.dll (Trojan.Agent) -> Delete on reboot.

Rkill log:

Processes terminated by Rkill or while it was running:

\\?\D:\WINDOWS\system32\WBEM\WMIADP.EXE

rkill completed on 07/25/2010 at 13:28:21.

Combofix Log:

ComboFix 10-07-24.03 - brimstone 07/25/2010 14:06:06.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.681 [GMT -4:00]
Running from: F:\commy.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\brimstone\Local Settings\Application Data\Windows Server
d:\documents and settings\brimstone\Local Settings\Application Data\Windows Server\flags.ini
d:\documents and settings\brimstone\Local Settings\Application Data\Windows Server\uses32.dat
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-25 17:29 . 2010-07-25 17:29 -------- d-----w- d:\windows\LastGood
2010-07-25 15:11 . 2010-07-25 15:11 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcp71.dll
2010-07-25 15:11 . 2010-07-25 15:11 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\jmc.dll
2010-07-25 15:11 . 2010-07-25 15:11 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcr71.dll
2010-07-25 15:11 . 2010-07-25 15:11 -------- d-----w- d:\program files\Common Files\Java
2010-07-25 15:11 . 2010-07-25 15:11 61440 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-sse.dll
2010-07-25 15:11 . 2010-07-25 15:11 12800 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-d3d.dll
2010-07-25 15:10 . 2010-07-25 15:10 423656 ----a-w- d:\windows\system32\deployJava1.dll
2010-07-25 01:02 . 2010-07-25 01:11 -------- d-----w- d:\documents and settings\brimstone\Application Data\MSNInstaller
2010-07-24 19:03 . 2010-07-24 19:03 862872 ------w- d:\documents and settings\brimstone\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-07-24 18:14 . 2010-07-24 18:14 -------- d-----w- d:\windows\system32\wbem\Repository
2010-07-24 16:26 . 2010-07-24 16:26 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-24 16:25 . 2010-04-29 19:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 16:25 . 2010-07-25 13:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-07-24 16:25 . 2010-04-29 19:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-07-24 16:22 . 2010-07-24 16:22 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2010-07-24 16:22 . 2010-07-24 16:22 -------- dc----w- d:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-24 14:45 . 2010-07-24 16:33 -------- d-----w- d:\documents and settings\brimstone\Local Settings\Application Data\ubehsjtgy
2010-07-15 00:10 . 2010-07-15 00:10 -------- d-----w- d:\program files\Ubisoft
2010-07-10 23:09 . 2001-08-17 17:53 6784 -c--a-w- d:\windows\system32\dllcache\serscan.sys
2010-07-10 23:09 . 2001-08-17 17:53 6784 ----a-w- d:\windows\system32\drivers\serscan.sys
2010-07-10 23:09 . 2001-08-18 02:36 37376 -c--a-w- d:\windows\system32\dllcache\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 37376 ----a-w- d:\windows\system32\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 -c--a-w- d:\windows\system32\dllcache\fnfilter.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 ----a-w- d:\windows\system32\fnfilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 19:03 . 2008-11-09 14:05 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo!
2010-07-24 19:03 . 2008-10-05 16:42 -------- d-----w- d:\program files\Yahoo!
2010-07-24 18:38 . 2009-01-23 12:13 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-24 18:30 . 2009-01-26 13:29 -------- d-----w- d:\program files\CA Yahoo! Anti-Spy
2010-07-24 15:02 . 2008-10-30 00:27 70928 -c--a-w- d:\documents and settings\brimstone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 23:41 . 2009-01-25 17:43 -------- d-----w- d:\program files\Microsoft Picture It! PhotoPub
2010-07-01 01:53 . 2008-11-05 03:23 -------- d-----w- d:\program files\Common Files\Adobe
2010-06-25 00:59 . 2010-06-25 00:59 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcp71.dll
2010-06-25 00:59 . 2010-06-25 00:59 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\jmc.dll
2010-06-25 00:59 . 2010-06-25 00:59 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcr71.dll
2009-02-13 15:50 . 2009-02-03 15:41 2447 ----a-w- d:\program files\TurboTax 2008.lnk
2009-01-25 20:38 . 2009-01-25 20:38 746 ----a-w- d:\program files\Abrosoft FantaMorph 4.lnk
2009-01-25 17:59 . 2009-01-25 17:59 1569 ----a-w- d:\program files\Microsoft Picture It! Publishing 2001.lnk
2009-01-13 00:47 . 2009-01-13 00:47 653 ----a-w- d:\program files\Destroy-It 2000.LNK
2008-12-28 20:34 . 2008-12-28 20:34 1794 ----a-w- d:\program files\Common Files\Photo Impression 6.lnk
2008-12-11 15:49 . 2008-12-11 15:48 70447405 ----a-w- d:\program files\sirius_studio_installer.zip
2008-02-09 18:47 . 2008-02-09 18:47 2680089 ----a-w- d:\program files\MySiriusStudioManual.pdf
2008-02-09 18:47 . 2008-02-09 18:47 68735086 ----a-w- d:\program files\SiriusStudioSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sqlbot]
@="{2962D51A-0EC3-4EB3-8660-CA643E187C01}"
[HKEY_CLASSES_ROOT\CLSID\{2962D51A-0EC3-4EB3-8660-CA643E187C01}]
2008-04-14 00:11 1819997 ----a-w- d:\windows\system32\htmlmod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"WorksFUD"="d:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Microsoft Works Update Detection"="d:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Microsoft Works Portfolio"="d:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb01.exe" [2000-08-07 192512]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HPHmon04"="d:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Txtitdde"= {C06CBC2B-A080-4A36-92BE-5FA438C6D029} - d:\windows\system32\sqlepchm.dll [2008-04-14 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhcpvga]
2008-04-14 00:11 884836 ----a-w- d:\windows\system32\dhcpvga.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 PM 231424]
S3 PAC207;PC Camer@;d:\windows\system32\drivers\PFC027.SYS [6/12/2007 11:39 AM 508416]
S3 PortlUSB;PortlUSB;d:\windows\system32\drivers\SiriusUSB.sys [12/11/2008 11:50 AM 7552]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Block This Image (ABP) - d:\program files\Adblock Pro\blockimg.html
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-Search Protection - d:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKCU-Run-bcpffuic - d:\documents and settings\brimstone\Local Settings\Application Data\ubehsjtgy\yydonrttssd.exe
HKLM-Run-HPHUPD04 - d:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-25 14:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\dhcpvga.dll
.
Completion time: 2010-07-25 14:14:26
ComboFix-quarantined-files.txt 2010-07-25 18:14

Pre-Run: 76,157,198,336 bytes free
Post-Run: 76,159,860,736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0945A95B98EE070A31C0183C2E9BBF39

Please note I can only get on the internet in safe mode on the infected machine. I can only run programs in regular mode. Presently, I am in regular mode so I could run the above programs. I downloaded these programs to CD on another machine so as not to reboot into safe mode to get online. The browser does not work in regular mode.
Best Regards, David






lynx5653
Newbie Surfer
Posts : 21
Joined : 2010-07-26
Operating System : xp home

Re: please help! anti virus suite hijacker

Post by Crush on Mon 26 Jul 2010, 5:34 am

Hi David,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uInternet Settings,ProxyOverride =
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Crush
Tech Officer
Posts : 3889
Joined : 2010-01-28
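As an added example (not part of this thread and not ComboFix's own code), the script below applies the reasoning behind the CFScript above to a ComboFix log: it flags a ProxyServer value that points at the loopback interface, and it lists the DLLs registered under the Winlogon Notify, ShellServiceObjectDelayLoad and ShellIconOverlayIdentifiers keys, which the logs posted in this thread show loaded into winlogon.exe and explorer.exe. The log text embedded in it is a constructed excerpt modelled on the posted logs, not a verbatim copy, and the function names (triage, parse_proxy, report) are mine.

```python
"""Triage a ComboFix log excerpt for two things this thread turns on:
an HTTP proxy pointed at the loopback interface, and DLLs registered in
autostart locations that load into winlogon.exe or explorer.exe.
Added example for this page, not ComboFix's own code."""
import re

# Constructed excerpt modelled on the "Reg Loading Points" and
# "Supplementary Scan" sections of the logs posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sqlbot]
@="{2962D51A-0EC3-4EB3-8660-CA643E187C01}"
[HKEY_CLASSES_ROOT\CLSID\{2962D51A-0EC3-4EB3-8660-CA643E187C01}]
2008-04-14 00:11 1819997 ----a-w- d:\windows\system32\htmlmod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Txtitdde"= {C06CBC2B-A080-4A36-92BE-5FA438C6D029} - d:\windows\system32\sqlepchm.dll [2008-04-14 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhcpvga]
2008-04-14 00:11 884836 ----a-w- d:\windows\system32\dhcpvga.dll

------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
"""

# Registry locations whose DLLs are loaded by a privileged or long-lived
# process, so a hijacker planted there survives the browser being closed.
HOOK_KEYS = {
    r"winlogon\notify": "Winlogon Notify package (loaded into winlogon.exe)",
    "shellserviceobjectdelayload": "ShellServiceObjectDelayLoad (loaded into explorer.exe)",
    "shelliconoverlayidentifiers": "ShellIconOverlayIdentifiers (loaded into explorer.exe)",
}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]")
DLL_RE = re.compile(r"([a-z]:\\[^\[\]\"]*?\.dll)\b", re.IGNORECASE)
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(.*)")


def parse_proxy(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.
    Handles both 'host:port' and 'http=host:port;https=host:port' forms."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is empty for bare host:port
        host, sep, port = hostport.rpartition(":")
        if not sep:                                   # no port given at all
            host, port = hostport, ""
        entries.append((scheme.lower() or "all", host.strip(), int(port) if port.isdigit() else None))
    return entries


def is_loopback(host):
    """True for any address that never leaves this machine."""
    h = host.lower().strip("[]")
    return h in ("localhost", "::1") or h.startswith("127.")


def triage(log_text):
    """Return {'proxy': {...} or None, 'hooks': [...]} from a ComboFix log."""
    findings = {"proxy": None, "hooks": []}
    hook = None  # (registry key, description) while inside an interesting key
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            lowered = key.lower()
            # ComboFix prints the overlay handler's CLSID block right after the
            # identifier key; that block is where the DLL path appears.
            if lowered.startswith(r"hkey_classes_root\clsid\{") and hook and "Overlay" in hook[1]:
                continue
            hook = next(((key, desc) for needle, desc in HOOK_KEYS.items() if needle in lowered), None)
            continue
        if hook:
            for dll in DLL_RE.findall(line):
                date = DATE_RE.search(line)
                findings["hooks"].append({"key": hook[0], "category": hook[1], "dll": dll,
                                          "timestamp": date.group(0) if date else None})
        pm = PROXY_RE.search(line)
        if pm:
            raw = pm.group(1).strip()
            entries = parse_proxy(raw)
            findings["proxy"] = {"raw": raw, "entries": entries,
                                 "loopback": [e for e in entries if is_loopback(e[1])]}
    return findings


def report(findings):
    """Human-readable lines, worst first."""
    lines = []
    proxy = findings["proxy"]
    if proxy and proxy["loopback"]:
        for scheme, host, port in proxy["loopback"]:
            lines.append(f"LOOPBACK PROXY: {scheme} requests go to {host}:{port} first; unless you "
                         "installed a local filtering proxy, a process on this machine is intercepting the browser")
    elif proxy and proxy["entries"]:
        lines.append(f"proxy configured: {proxy['raw']} (verify it is one you expect)")
    for h in findings["hooks"]:
        lines.append(f"AUTOSTART DLL: {h['dll']} via {h['category']}, file dated {h['timestamp']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it against a saved log with `triage(open(path).read())`. The proxy line is the symptom: a browser told to send every HTTP request to 127.0.0.1:5643 can only reach the web while something on the machine is listening there. Clearing the value in Internet Options removes the symptom; if the same value is back after a reboot, whatever re-applies it is the thing to find, and the hook list is where the posted logs show DLLs being loaded from. A file's name and registry key prove nothing on their own; check the file's digital signature or hash before deciding it is foreign.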

Re: please help! anti virus suite hijacker

Post by lynx5653 on Mon 26 Jul 2010, 6:36 am

Chris,

Combofix log txt 2:

ComboFix 10-07-24.03 - brimstone 07/25/2010 15:16:29.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.635 [GMT -4:00]
Running from: F:\commy.exe
Command switches used :: d:\documents and settings\brimstone\Desktop\CFscript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-25 17:29 . 2010-07-25 17:29 -------- d-----w- d:\windows\LastGood
2010-07-25 15:11 . 2010-07-25 15:11 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcp71.dll
2010-07-25 15:11 . 2010-07-25 15:11 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\jmc.dll
2010-07-25 15:11 . 2010-07-25 15:11 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcr71.dll
2010-07-25 15:11 . 2010-07-25 15:11 -------- d-----w- d:\program files\Common Files\Java
2010-07-25 15:11 . 2010-07-25 15:11 61440 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-sse.dll
2010-07-25 15:11 . 2010-07-25 15:11 12800 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-d3d.dll
2010-07-25 15:10 . 2010-07-25 15:10 423656 ----a-w- d:\windows\system32\deployJava1.dll
2010-07-25 01:02 . 2010-07-25 01:11 -------- d-----w- d:\documents and settings\brimstone\Application Data\MSNInstaller
2010-07-24 19:03 . 2010-07-24 19:03 862872 ------w- d:\documents and settings\brimstone\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-07-24 18:14 . 2010-07-24 18:14 -------- d-----w- d:\windows\system32\wbem\Repository
2010-07-24 16:26 . 2010-07-24 16:26 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-24 16:25 . 2010-04-29 19:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 16:25 . 2010-07-25 13:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-07-24 16:25 . 2010-04-29 19:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-07-24 16:22 . 2010-07-24 16:22 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2010-07-24 16:22 . 2010-07-24 16:22 -------- dc----w- d:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-24 14:45 . 2010-07-24 16:33 -------- d-----w- d:\documents and settings\brimstone\Local Settings\Application Data\ubehsjtgy
2010-07-15 00:10 . 2010-07-15 00:10 -------- d-----w- d:\program files\Ubisoft
2010-07-10 23:09 . 2001-08-17 17:53 6784 -c--a-w- d:\windows\system32\dllcache\serscan.sys
2010-07-10 23:09 . 2001-08-17 17:53 6784 ----a-w- d:\windows\system32\drivers\serscan.sys
2010-07-10 23:09 . 2001-08-18 02:36 37376 -c--a-w- d:\windows\system32\dllcache\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 37376 ----a-w- d:\windows\system32\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 -c--a-w- d:\windows\system32\dllcache\fnfilter.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 ----a-w- d:\windows\system32\fnfilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 19:03 . 2008-11-09 14:05 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo!
2010-07-24 19:03 . 2008-10-05 16:42 -------- d-----w- d:\program files\Yahoo!
2010-07-24 18:38 . 2009-01-23 12:13 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-24 18:30 . 2009-01-26 13:29 -------- d-----w- d:\program files\CA Yahoo! Anti-Spy
2010-07-24 15:02 . 2008-10-30 00:27 70928 -c--a-w- d:\documents and settings\brimstone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 23:41 . 2009-01-25 17:43 -------- d-----w- d:\program files\Microsoft Picture It! PhotoPub
2010-07-01 01:53 . 2008-11-05 03:23 -------- d-----w- d:\program files\Common Files\Adobe
2010-06-25 00:59 . 2010-06-25 00:59 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcp71.dll
2010-06-25 00:59 . 2010-06-25 00:59 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\jmc.dll
2010-06-25 00:59 . 2010-06-25 00:59 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcr71.dll
2009-02-13 15:50 . 2009-02-03 15:41 2447 ----a-w- d:\program files\TurboTax 2008.lnk
2009-01-25 20:38 . 2009-01-25 20:38 746 ----a-w- d:\program files\Abrosoft FantaMorph 4.lnk
2009-01-25 17:59 . 2009-01-25 17:59 1569 ----a-w- d:\program files\Microsoft Picture It! Publishing 2001.lnk
2009-01-13 00:47 . 2009-01-13 00:47 653 ----a-w- d:\program files\Destroy-It 2000.LNK
2008-12-28 20:34 . 2008-12-28 20:34 1794 ----a-w- d:\program files\Common Files\Photo Impression 6.lnk
2008-12-11 15:49 . 2008-12-11 15:48 70447405 ----a-w- d:\program files\sirius_studio_installer.zip
2008-02-09 18:47 . 2008-02-09 18:47 2680089 ----a-w- d:\program files\MySiriusStudioManual.pdf
2008-02-09 18:47 . 2008-02-09 18:47 68735086 ----a-w- d:\program files\SiriusStudioSetup.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2008-04-14 00:11 801547 d:\windows\system32\faxetsys\rtfovdev.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sqlbot]
@="{2962D51A-0EC3-4EB3-8660-CA643E187C01}"
[HKEY_CLASSES_ROOT\CLSID\{2962D51A-0EC3-4EB3-8660-CA643E187C01}]
2008-04-14 00:11 1819997 ----a-w- d:\windows\system32\htmlmod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"WorksFUD"="d:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Microsoft Works Update Detection"="d:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Microsoft Works Portfolio"="d:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb01.exe" [2000-08-07 192512]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HPHmon04"="d:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Txtitdde"= {C06CBC2B-A080-4A36-92BE-5FA438C6D029} - d:\windows\system32\sqlepchm.dll [2008-04-14 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhcpvga]
2008-04-14 00:11 884836 ----a-w- d:\windows\system32\dhcpvga.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 PM 231424]
S3 PAC207;PC Camer@;d:\windows\system32\drivers\PFC027.SYS [6/12/2007 11:39 AM 508416]
S3 PortlUSB;PortlUSB;d:\windows\system32\drivers\SiriusUSB.sys [12/11/2008 11:50 AM 7552]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Block This Image (ABP) - d:\program files\Adblock Pro\blockimg.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-25 15:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\dhcpvga.dll

- - - - - - - > 'explorer.exe'(2596)
d:\windows\system32\htmlmod.dll
d:\windows\system32\sqlepchm.dll
d:\windows\system32\logadans.dll
.
Completion time: 2010-07-25 15:31:07
ComboFix-quarantined-files.txt 2010-07-25 19:30
ComboFix2.txt 2010-07-25 18:14

Pre-Run: 76,183,289,856 bytes free
Post-Run: 76,159,823,872 bytes free

- - End Of File - - 466B6645A4EDF0C288CB2C3C1816DB34

thanks, David

lynx5653
Newbie Surfer
Posts : 21
Joined : 2010-07-26
Operating System : xp home

Re: please help! anti virus suite hijacker

Post by Crush on Mon 26 Jul 2010, 7:00 am

Hi,

Is combofix running from an external drive? It needs to be on the same drive as your OS, not an external for the script to work.

Crush
Tech Officer
Posts : 3889
Joined : 2010-01-28

Re: please help! anti virus suite hijacker

Post by lynx5653 on Mon 26 Jul 2010, 12:01 pm

I did not realize it was running from the CD... here is the log file after installing on the hard drive... note my hard drive is D.

ComboFix 10-07-24.03 - brimstone 07/25/2010 20:40:56.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.635 [GMT -4:00]
Running from: d:\program files\commy.exe
Command switches used :: d:\documents and settings\brimstone\Desktop\CFscript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-26 00:29 . 2010-07-25 17:57 3744048 ----a-r- d:\program files\commy.exe
2010-07-25 17:29 . 2010-07-25 17:29 -------- d-----w- d:\windows\LastGood
2010-07-25 15:11 . 2010-07-25 15:11 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcp71.dll
2010-07-25 15:11 . 2010-07-25 15:11 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\jmc.dll
2010-07-25 15:11 . 2010-07-25 15:11 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcr71.dll
2010-07-25 15:11 . 2010-07-25 15:11 -------- d-----w- d:\program files\Common Files\Java
2010-07-25 15:11 . 2010-07-25 15:11 61440 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-sse.dll
2010-07-25 15:11 . 2010-07-25 15:11 12800 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-d3d.dll
2010-07-25 15:10 . 2010-07-25 15:10 423656 ----a-w- d:\windows\system32\deployJava1.dll
2010-07-25 01:02 . 2010-07-25 01:11 -------- d-----w- d:\documents and settings\brimstone\Application Data\MSNInstaller
2010-07-24 19:03 . 2010-07-24 19:03 862872 ------w- d:\documents and settings\brimstone\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-07-24 18:14 . 2010-07-24 18:14 -------- d-----w- d:\windows\system32\wbem\Repository
2010-07-24 16:26 . 2010-07-24 16:26 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-24 16:25 . 2010-04-29 19:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 16:25 . 2010-07-25 13:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-07-24 16:25 . 2010-04-29 19:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-07-24 16:22 . 2010-07-24 16:22 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2010-07-24 16:22 . 2010-07-24 16:22 -------- dc----w- d:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-24 14:45 . 2010-07-24 16:33 -------- d-----w- d:\documents and settings\brimstone\Local Settings\Application Data\ubehsjtgy
2010-07-15 00:10 . 2010-07-15 00:10 -------- d-----w- d:\program files\Ubisoft
2010-07-10 23:09 . 2001-08-17 17:53 6784 -c--a-w- d:\windows\system32\dllcache\serscan.sys
2010-07-10 23:09 . 2001-08-17 17:53 6784 ----a-w- d:\windows\system32\drivers\serscan.sys
2010-07-10 23:09 . 2001-08-18 02:36 37376 -c--a-w- d:\windows\system32\dllcache\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 37376 ----a-w- d:\windows\system32\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 -c--a-w- d:\windows\system32\dllcache\fnfilter.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 ----a-w- d:\windows\system32\fnfilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 00:27 . 2009-01-26 13:29 -------- d-----w- d:\program files\CA Yahoo! Anti-Spy
2010-07-24 19:03 . 2008-11-09 14:05 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo!
2010-07-24 19:03 . 2008-10-05 16:42 -------- d-----w- d:\program files\Yahoo!
2010-07-24 18:38 . 2009-01-23 12:13 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-24 15:02 . 2008-10-30 00:27 70928 -c--a-w- d:\documents and settings\brimstone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 23:41 . 2009-01-25 17:43 -------- d-----w- d:\program files\Microsoft Picture It! PhotoPub
2010-07-01 01:53 . 2008-11-05 03:23 -------- d-----w- d:\program files\Common Files\Adobe
2010-06-25 00:59 . 2010-06-25 00:59 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcp71.dll
2010-06-25 00:59 . 2010-06-25 00:59 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\jmc.dll
2010-06-25 00:59 . 2010-06-25 00:59 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcr71.dll
2009-02-13 15:50 . 2009-02-03 15:41 2447 ----a-w- d:\program files\TurboTax 2008.lnk
2009-01-25 20:38 . 2009-01-25 20:38 746 ----a-w- d:\program files\Abrosoft FantaMorph 4.lnk
2009-01-25 17:59 . 2009-01-25 17:59 1569 ----a-w- d:\program files\Microsoft Picture It! Publishing 2001.lnk
2009-01-13 00:47 . 2009-01-13 00:47 653 ----a-w- d:\program files\Destroy-It 2000.LNK
2008-12-28 20:34 . 2008-12-28 20:34 1794 ----a-w- d:\program files\Common Files\Photo Impression 6.lnk
2008-12-11 15:49 . 2008-12-11 15:48 70447405 ----a-w- d:\program files\sirius_studio_installer.zip
2008-02-09 18:47 . 2008-02-09 18:47 2680089 ----a-w- d:\program files\MySiriusStudioManual.pdf
2008-02-09 18:47 . 2008-02-09 18:47 68735086 ----a-w- d:\program files\SiriusStudioSetup.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2008-04-14 00:11 907116 d:\windows\system32\faxetsys\rtfovdev.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sqlbot]
@="{2962D51A-0EC3-4EB3-8660-CA643E187C01}"
[HKEY_CLASSES_ROOT\CLSID\{2962D51A-0EC3-4EB3-8660-CA643E187C01}]
2008-04-14 00:11 1819997 ----a-w- d:\windows\system32\htmlmod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"WorksFUD"="d:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Microsoft Works Update Detection"="d:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Microsoft Works Portfolio"="d:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb01.exe" [2000-08-07 192512]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HPHmon04"="d:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Txtitdde"= {C06CBC2B-A080-4A36-92BE-5FA438C6D029} - d:\windows\system32\sqlepchm.dll [2008-04-14 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhcpvga]
2008-04-14 00:11 884836 ----a-w- d:\windows\system32\dhcpvga.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 PM 231424]
S3 PAC207;PC Camer@;d:\windows\system32\drivers\PFC027.SYS [6/12/2007 11:39 AM 508416]
S3 PortlUSB;PortlUSB;d:\windows\system32\drivers\SiriusUSB.sys [12/11/2008 11:50 AM 7552]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Block This Image (ABP) - d:\program files\Adblock Pro\blockimg.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-25 20:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\dhcpvga.dll

- - - - - - - > 'explorer.exe'(3360)
d:\windows\system32\htmlmod.dll
d:\windows\system32\sqlepchm.dll
d:\windows\system32\logadans.dll
.
Completion time: 2010-07-25 20:53:31
ComboFix-quarantined-files.txt 2010-07-26 00:53
ComboFix2.txt 2010-07-25 19:31
ComboFix3.txt 2010-07-25 18:14

Pre-Run: 76,171,694,080 bytes free
Post-Run: 76,148,207,616 bytes free

- - End Of File - - 3B8198761832C12D5D6E0D785DEA6215

lynx5653
Newbie Surfer
Posts : 21
Joined : 2010-07-26
Operating System : xp home

Re: please help! anti virus suite hijacker

Post by Crush on Mon 26 Jul 2010, 3:47 pm

Hi Lynx,

Sorry to be a pain, but it needs to be running from the desktop. Once it's there, please carry out the instructions in post 4.

Save the cfscript.txt to the desktop, and drag it into combofix's window.

Crush
Tech Officer
Posts : 3889
Joined : 2010-01-28

Re: please help! anti virus suite hijacker

Post by lynx5653 on Mon 26 Jul 2010, 10:40 pm

Chris, I cannot copy and paste from your instructions as I cannot get online on the infected computer. I just typed the instructions in Notepad and dragged it to commy.exe, now on the desktop. Hope this is OK. Thanks!

ComboFix 10-07-24.06 - brimstone 07/26/2010 7:22.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.600 [GMT -4:00]
Running from: d:\documents and settings\brimstone\Desktop\commy.exe
Command switches used :: d:\documents and settings\brimstone\Desktop\CFscript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-26 11:14 . 2010-07-26 11:18 -------- d-----w- D:\commy
2010-07-25 18:00 . 2008-05-03 11:55 2560 ------w- d:\windows\system32\xpsp4res.dll
2010-07-25 18:00 . 2008-04-21 12:08 215552 -c----w- d:\windows\system32\dllcache\wordpad.exe
2010-07-25 17:29 . 2010-07-25 17:29 -------- d-----w- d:\windows\LastGood
2010-07-25 15:11 . 2010-07-25 15:11 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcp71.dll
2010-07-25 15:11 . 2010-07-25 15:11 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\jmc.dll
2010-07-25 15:11 . 2010-07-25 15:11 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcr71.dll
2010-07-25 15:11 . 2010-07-25 15:11 -------- d-----w- d:\program files\Common Files\Java
2010-07-25 15:11 . 2010-07-25 15:11 61440 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-sse.dll
2010-07-25 15:11 . 2010-07-25 15:11 12800 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-d3d.dll
2010-07-25 15:10 . 2010-07-25 15:10 423656 ----a-w- d:\windows\system32\deployJava1.dll
2010-07-25 01:02 . 2010-07-25 01:11 -------- d-----w- d:\documents and settings\brimstone\Application Data\MSNInstaller
2010-07-24 19:03 . 2010-07-24 19:03 862872 ------w- d:\documents and settings\brimstone\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-07-24 18:14 . 2010-07-24 18:14 -------- d-----w- d:\windows\system32\wbem\Repository
2010-07-24 16:26 . 2010-07-24 16:26 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-24 16:25 . 2010-04-29 19:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 16:25 . 2010-07-25 13:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-07-24 16:25 . 2010-04-29 19:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-07-24 16:22 . 2010-07-24 16:22 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2010-07-24 16:22 . 2010-07-24 16:22 -------- dc----w- d:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-24 14:45 . 2010-07-24 16:33 -------- d-----w- d:\documents and settings\brimstone\Local Settings\Application Data\ubehsjtgy
2010-07-15 00:10 . 2010-07-15 00:10 -------- d-----w- d:\program files\Ubisoft
2010-07-10 23:09 . 2001-08-17 17:53 6784 -c--a-w- d:\windows\system32\dllcache\serscan.sys
2010-07-10 23:09 . 2001-08-17 17:53 6784 ----a-w- d:\windows\system32\drivers\serscan.sys
2010-07-10 23:09 . 2001-08-18 02:36 37376 -c--a-w- d:\windows\system32\dllcache\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 37376 ----a-w- d:\windows\system32\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 -c--a-w- d:\windows\system32\dllcache\fnfilter.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 ----a-w- d:\windows\system32\fnfilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 00:27 . 2009-01-26 13:29 -------- d-----w- d:\program files\CA Yahoo! Anti-Spy
2010-07-24 19:03 . 2008-11-09 14:05 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo!
2010-07-24 19:03 . 2008-10-05 16:42 -------- d-----w- d:\program files\Yahoo!
2010-07-24 18:38 . 2009-01-23 12:13 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-24 15:02 . 2008-10-30 00:27 70928 -c--a-w- d:\documents and settings\brimstone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 23:41 . 2009-01-25 17:43 -------- d-----w- d:\program files\Microsoft Picture It! PhotoPub
2010-07-01 01:53 . 2008-11-05 03:23 -------- d-----w- d:\program files\Common Files\Adobe
2010-06-25 00:59 . 2010-06-25 00:59 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcp71.dll
2010-06-25 00:59 . 2010-06-25 00:59 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\jmc.dll
2010-06-25 00:59 . 2010-06-25 00:59 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcr71.dll
2009-02-13 15:50 . 2009-02-03 15:41 2447 ----a-w- d:\program files\TurboTax 2008.lnk
2009-01-25 17:59 . 2009-01-25 17:59 1569 ----a-w- d:\program files\Microsoft Picture It! Publishing 2001.lnk
2009-01-13 00:47 . 2009-01-13 00:47 653 ----a-w- d:\program files\Destroy-It 2000.LNK
2008-12-28 20:34 . 2008-12-28 20:34 1794 ----a-w- d:\program files\Common Files\Photo Impression 6.lnk
2008-12-11 15:49 . 2008-12-11 15:48 70447405 ----a-w- d:\program files\sirius_studio_installer.zip
2008-02-09 18:47 . 2008-02-09 18:47 2680089 ----a-w- d:\program files\MySiriusStudioManual.pdf
2008-02-09 18:47 . 2008-02-09 18:47 68735086 ----a-w- d:\program files\SiriusStudioSetup.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-05 08:00 . 2008-07-08 13:02 17272 d:\windows\system32\spmsg.dll
- 2008-11-05 08:00 . 2007-11-30 12:39 17272 d:\windows\system32\spmsg.dll
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 d:\windows\system32\dllcache\cabview.dll
+ 2004-08-04 12:00 . 2010-01-13 14:01 86016 d:\windows\system32\cabview.dll
+ 2004-08-04 12:00 . 2009-08-13 15:16 512000 d:\windows\system32\jscript.dll
- 2004-08-04 12:00 . 2008-05-09 10:53 512000 d:\windows\system32\jscript.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 979193 d:\windows\system32\faxetsys\rtfovdev.dll
+ 2004-08-04 12:00 . 2009-12-31 16:50 353792 d:\windows\system32\drivers\srv.sys
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 d:\windows\system32\dllcache\wintrust.dll
- 2008-10-29 04:40 . 2004-08-04 12:00 153088 d:\windows\system32\dllcache\triedit.dll
+ 2008-10-29 04:40 . 2009-06-21 21:44 153088 d:\windows\system32\dllcache\triedit.dll
+ 2008-11-05 08:59 . 2009-12-31 16:50 353792 d:\windows\system32\dllcache\srv.sys
- 2008-05-09 10:53 . 2008-05-09 10:53 512000 d:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 d:\windows\system32\dllcache\jscript.dll
+ 2010-07-25 17:56 . 2009-08-13 13:55 1748992 d:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2004-08-04 12:00 . 2010-02-05 18:27 1291776 d:\windows\system32\quartz.dll
+ 2004-08-04 12:00 . 2010-02-17 13:10 2189952 d:\windows\system32\ntoskrnl.exe
+ 2004-08-03 22:59 . 2010-02-16 13:25 2066816 d:\windows\system32\ntkrnlpa.exe
+ 2008-05-07 05:12 . 2010-02-05 18:27 1291776 d:\windows\system32\dllcache\quartz.dll
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\Driver Cache\i386\ntkrnlmp.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sqlbot]
@="{2962D51A-0EC3-4EB3-8660-CA643E187C01}"
[HKEY_CLASSES_ROOT\CLSID\{2962D51A-0EC3-4EB3-8660-CA643E187C01}]
2008-04-14 00:11 1819997 ----a-w- d:\windows\system32\htmlmod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"WorksFUD"="d:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Microsoft Works Update Detection"="d:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Microsoft Works Portfolio"="d:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb01.exe" [2000-08-07 192512]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HPHmon04"="d:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Txtitdde"= {C06CBC2B-A080-4A36-92BE-5FA438C6D029} - d:\windows\system32\sqlepchm.dll [2008-04-14 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhcpvga]
2008-04-14 00:11 884836 ----a-w- d:\windows\system32\dhcpvga.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 PM 231424]
S3 PAC207;PC Camer@;d:\windows\system32\drivers\PFC027.SYS [6/12/2007 11:39 AM 508416]
S3 PortlUSB;PortlUSB;d:\windows\system32\drivers\SiriusUSB.sys [12/11/2008 11:50 AM 7552]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Block This Image (ABP) - d:\program files\Adblock Pro\blockimg.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-26 07:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\dhcpvga.dll

- - - - - - - > 'explorer.exe'(3152)
d:\windows\system32\htmlmod.dll
d:\windows\system32\sqlepchm.dll
d:\windows\system32\logadans.dll
d:\windows\system32\faxetsys\wowigbat\usbaxmat.dll
.
Completion time: 2010-07-26 07:33:45
ComboFix-quarantined-files.txt 2010-07-26 11:33
ComboFix2.txt 2010-07-26 00:53
ComboFix3.txt 2010-07-25 19:31
ComboFix4.txt 2010-07-25 18:14

Pre-Run: 76,067,663,872 bytes free
Post-Run: 76,039,938,048 bytes free

- - End Of File - - 842633D2A8409872CE8C6293039253EA




lynx5653

Newbie Surfer

Posts : 21
Joined : 2010-07-26
Operating System : xp home

Re: please help! anti virus suite hijacker

Post by Crush on Tue 27 Jul 2010, 4:11 am

Hmmm. It stood up to that. Let's try this:

Remove the proxy setting in Internet Explorer and/or in Firefox.

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> choose "No Proxy".

Click the Apply button and restart that computer in normal mode.

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: please help! anti virus suite hijacker

Post by lynx5653 on Tue 27 Jul 2010, 9:07 am

Chris, before rebooting, I was able to access the internet using my shortcuts on the desktop. After rebooting, I am able to access Google, but no shortcuts work and IE opens duplicate and triplicate pages when I try to access the internet through Google. Also, it is extremely slow, almost to the point where the machine seems frozen. BTW, what do you recommend for virus protection that is not resource hungry, and would you recommend Firefox instead of Explorer? Thanks, David

lynx5653

Newbie Surfer

Posts : 21
Joined : 2010-07-26
Operating System : xp home

Re: please help! anti virus suite hijacker

Post by Crush on Tue 27 Jul 2010, 3:00 pm

I'll give you some AV recommendations after we're done here, and yes, Firefox is a more secure browser in my opinion.

Were you able to remove the set proxy?


Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: please help! anti virus suite hijacker

Post by lynx5653 on Tue 27 Jul 2010, 3:22 pm

The only thing checked in the proxy settings was auto detect.

lynx5653

Newbie Surfer

Posts : 21
Joined : 2010-07-26
Operating System : xp home

Re: please help! anti virus suite hijacker

Post by Crush on Tue 27 Jul 2010, 5:02 pm

Ok. Can I see a new combofix log please?

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: please help! anti virus suite hijacker

Post by lynx5653 on Tue 27 Jul 2010, 10:36 pm

ComboFix 10-07-24.06 - brimstone 07/27/2010 7:23.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.587 [GMT -4:00]
Running from: d:\documents and settings\brimstone\Desktop\commy.exe
.

((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.

2010-07-27 04:37 . 2010-07-27 04:37 -------- d-----w- d:\documents and settings\brimstone\Local Settings\Application Data\Mozilla
2010-07-26 11:14 . 2010-07-26 11:18 -------- d-----w- D:\commy
2010-07-25 18:00 . 2008-05-03 11:55 2560 ------w- d:\windows\system32\xpsp4res.dll
2010-07-25 18:00 . 2008-04-21 12:08 215552 -c----w- d:\windows\system32\dllcache\wordpad.exe
2010-07-25 15:11 . 2010-07-25 15:11 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcp71.dll
2010-07-25 15:11 . 2010-07-25 15:11 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\jmc.dll
2010-07-25 15:11 . 2010-07-25 15:11 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcr71.dll
2010-07-25 15:11 . 2010-07-25 15:11 -------- d-----w- d:\program files\Common Files\Java
2010-07-25 15:11 . 2010-07-25 15:11 61440 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-sse.dll
2010-07-25 15:11 . 2010-07-25 15:11 12800 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-d3d.dll
2010-07-25 15:10 . 2010-07-25 15:10 423656 ----a-w- d:\windows\system32\deployJava1.dll
2010-07-25 01:02 . 2010-07-25 01:11 -------- d-----w- d:\documents and settings\brimstone\Application Data\MSNInstaller
2010-07-24 19:03 . 2010-07-24 19:03 862872 ------w- d:\documents and settings\brimstone\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-07-24 18:14 . 2010-07-24 18:14 -------- d-----w- d:\windows\system32\wbem\Repository
2010-07-24 16:26 . 2010-07-24 16:26 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-24 16:25 . 2010-04-29 19:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 16:25 . 2010-07-25 13:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-07-24 16:25 . 2010-04-29 19:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-07-24 16:22 . 2010-07-24 16:22 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2010-07-24 16:22 . 2010-07-24 16:22 -------- dc----w- d:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-24 14:45 . 2010-07-24 16:33 -------- d-----w- d:\documents and settings\brimstone\Local Settings\Application Data\ubehsjtgy
2010-07-15 00:10 . 2010-07-15 00:10 -------- d-----w- d:\program files\Ubisoft
2010-07-10 23:09 . 2001-08-17 17:53 6784 -c--a-w- d:\windows\system32\dllcache\serscan.sys
2010-07-10 23:09 . 2001-08-17 17:53 6784 ----a-w- d:\windows\system32\drivers\serscan.sys
2010-07-10 23:09 . 2001-08-18 02:36 37376 -c--a-w- d:\windows\system32\dllcache\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 37376 ----a-w- d:\windows\system32\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 -c--a-w- d:\windows\system32\dllcache\fnfilter.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 ----a-w- d:\windows\system32\fnfilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 00:27 . 2009-01-26 13:29 -------- d-----w- d:\program files\CA Yahoo! Anti-Spy
2010-07-24 19:03 . 2008-11-09 14:05 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo!
2010-07-24 19:03 . 2008-10-05 16:42 -------- d-----w- d:\program files\Yahoo!
2010-07-24 18:38 . 2009-01-23 12:13 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-24 15:02 . 2008-10-30 00:27 70928 -c--a-w- d:\documents and settings\brimstone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 23:41 . 2009-01-25 17:43 -------- d-----w- d:\program files\Microsoft Picture It! PhotoPub
2010-07-01 01:53 . 2008-11-05 03:23 -------- d-----w- d:\program files\Common Files\Adobe
2010-06-25 00:59 . 2010-06-25 00:59 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcp71.dll
2010-06-25 00:59 . 2010-06-25 00:59 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\jmc.dll
2010-06-25 00:59 . 2010-06-25 00:59 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcr71.dll
2009-02-13 15:50 . 2009-02-03 15:41 2447 ----a-w- d:\program files\TurboTax 2008.lnk
2009-01-25 17:59 . 2009-01-25 17:59 1569 ----a-w- d:\program files\Microsoft Picture It! Publishing 2001.lnk
2009-01-13 00:47 . 2009-01-13 00:47 653 ----a-w- d:\program files\Destroy-It 2000.LNK
2008-12-28 20:34 . 2008-12-28 20:34 1794 ----a-w- d:\program files\Common Files\Photo Impression 6.lnk
2008-12-11 15:49 . 2008-12-11 15:48 70447405 ----a-w- d:\program files\sirius_studio_installer.zip
2008-02-09 18:47 . 2008-02-09 18:47 2680089 ----a-w- d:\program files\MySiriusStudioManual.pdf
2008-02-09 18:47 . 2008-02-09 18:47 68735086 ----a-w- d:\program files\SiriusStudioSetup.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-26 22:00 . 2010-07-26 22:00 16384 d:\windows\Temp\Perflib_Perfdata_ad8.dat
+ 2010-07-26 21:56 . 2010-07-26 21:56 16384 d:\windows\Temp\Perflib_Perfdata_13c.dat
- 2008-11-05 08:00 . 2007-11-30 12:39 17272 d:\windows\system32\spmsg.dll
+ 2008-11-05 08:00 . 2008-07-08 13:02 17272 d:\windows\system32\spmsg.dll
- 2004-08-04 12:00 . 2010-07-25 17:31 61970 d:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-07-26 22:00 61970 d:\windows\system32\perfc009.dat
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 d:\windows\system32\dllcache\cabview.dll
+ 2004-08-04 12:00 . 2010-01-13 14:01 86016 d:\windows\system32\cabview.dll
+ 2004-08-04 12:00 . 2009-12-24 06:59 177664 d:\windows\system32\wintrust.dll
- 2004-08-04 12:00 . 2010-07-25 17:31 401514 d:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-07-26 22:00 401514 d:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2009-08-13 15:16 512000 d:\windows\system32\jscript.dll
- 2004-08-04 12:00 . 2008-05-09 10:53 512000 d:\windows\system32\jscript.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 866735 d:\windows\system32\faxetsys\rtfovdev.dll
+ 2004-08-04 12:00 . 2009-12-31 16:50 353792 d:\windows\system32\drivers\srv.sys
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 d:\windows\system32\dllcache\wintrust.dll
- 2008-10-29 04:40 . 2004-08-04 12:00 153088 d:\windows\system32\dllcache\triedit.dll
+ 2008-10-29 04:40 . 2009-06-21 21:44 153088 d:\windows\system32\dllcache\triedit.dll
+ 2008-11-05 08:59 . 2009-12-31 16:50 353792 d:\windows\system32\dllcache\srv.sys
- 2008-05-09 10:53 . 2008-05-09 10:53 512000 d:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 d:\windows\system32\dllcache\jscript.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 155673 d:\windows\system32\dlgildev32.dll
+ 2010-07-25 17:56 . 2009-08-13 13:55 1748992 d:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2004-08-04 12:00 . 2010-02-05 18:27 1291776 d:\windows\system32\quartz.dll
+ 2004-08-04 12:00 . 2010-02-17 13:10 2189952 d:\windows\system32\ntoskrnl.exe
+ 2004-08-03 22:59 . 2010-02-16 13:25 2066816 d:\windows\system32\ntkrnlpa.exe
+ 2008-05-07 05:12 . 2010-02-05 18:27 1291776 d:\windows\system32\dllcache\quartz.dll
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\Driver Cache\i386\ntkrnlmp.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sqlbot]
@="{2962D51A-0EC3-4EB3-8660-CA643E187C01}"
[HKEY_CLASSES_ROOT\CLSID\{2962D51A-0EC3-4EB3-8660-CA643E187C01}]
2008-04-14 00:11 1819997 ----a-w- d:\windows\system32\htmlmod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"WorksFUD"="d:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Microsoft Works Update Detection"="d:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Microsoft Works Portfolio"="d:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb01.exe" [2000-08-07 192512]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HPHmon04"="d:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Txtitdde"= {C06CBC2B-A080-4A36-92BE-5FA438C6D029} - d:\windows\system32\sqlepchm.dll [2008-04-14 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhcpvga]
2008-04-14 00:11 884836 ----a-w- d:\windows\system32\dhcpvga.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 PM 231424]
S3 PAC207;PC Camer@;d:\windows\system32\drivers\PFC027.SYS [6/12/2007 11:39 AM 508416]
S3 PortlUSB;PortlUSB;d:\windows\system32\drivers\SiriusUSB.sys [12/11/2008 11:50 AM 7552]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Block This Image (ABP) - d:\program files\Adblock Pro\blockimg.html
FF - ProfilePath - d:\documents and settings\brimstone\Application Data\Mozilla\Firefox\Profiles\srjhhpuh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5643
FF - prefs.js: network.proxy.type - 0
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-27 07:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\dhcpvga.dll

- - - - - - - > 'explorer.exe'(232)
d:\windows\system32\htmlmod.dll
d:\windows\system32\sqlepchm.dll
d:\windows\system32\logadans.dll
d:\windows\system32\faxetsys\wowigbat\usbaxmat.dll
.
Completion time: 2010-07-27 07:33:19
ComboFix-quarantined-files.txt 2010-07-27 11:33
ComboFix2.txt 2010-07-26 11:33
ComboFix3.txt 2010-07-26 00:53
ComboFix4.txt 2010-07-25 19:31
ComboFix5.txt 2010-07-27 11:22

Pre-Run: 76,033,695,744 bytes free
Post-Run: 76,011,966,464 bytes free

- - End Of File - - 5C2965E510ED4E103FA6F6C7ECD1A646

lynx5653

Newbie Surfer

Posts : 21
Joined : 2010-07-26
Operating System : xp home

Re: please help! anti virus suite hijacker

Post by lynx5653 on Tue 27 Jul 2010, 10:44 pm

I was able to send the last report from the infected laptop, so things are getting better, just not the same yet. Is ubehsjtgy the only bad file or are there more?

lynx5653

Newbie Surfer

Posts : 21
Joined : 2010-07-26
Operating System : xp home

Re: please help! anti virus suite hijacker

Post by Crush on Wed 28 Jul 2010, 4:07 am

Just these to remove now.

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Folder::
    d:\documents and settings\brimstone\Local Settings\Application Data\ubehsjtgy

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uInternet Settings,ProxyOverride =
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28
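The two things Crush is doing by hand in this thread, checking the "Supplementary Scan" section of the ComboFix log for a proxy pointed at the local machine (his earlier proxy-removal post) and then listing those same lines under a DDS:: block in CFScript.txt (the post above), can be turned into a small checker. The script below is an added example for this thread; it is not ComboFix code and not Crush's script. The sample log lines are constructed from the entries quoted in the thread, the CFScript layout (Folder:: and DDS:: blocks) is copied from Crush's post, and the meaning of Firefox's network.proxy.type values (0 = no proxy, 1 = manual, 2 = PAC, 4 = auto-detect, 5 = system) is taken from Firefox's preference documentation.

```python
"""Flag browser proxy-hijack indicators in a ComboFix 'Supplementary Scan'
section and build the matching CFScript text.

Added example for this thread: not ComboFix code and not the helper's script.
Sample log lines below are constructed from the entries quoted in the thread.
"""
import re
from ipaddress import ip_address

# Constructed sample: proxy-related lines as they appeared before cleanup.
BEFORE_CLEANUP = """\
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5643
FF - prefs.js: network.proxy.type - 0
"""

# Constructed sample: the same section after the CFScript run (IE lines gone).
AFTER_CLEANUP = """\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5643
FF - prefs.js: network.proxy.type - 0
"""

# Folder named in the thread; any Folder:: entry is a judgement call by the helper.
SUSPECT_FOLDER = r"d:\documents and settings\brimstone\Local Settings\Application Data\ubehsjtgy"

IE_PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.*)$")
IE_ANY_PROXY_RE = re.compile(r"^[um]Internet Settings,Proxy(Server|Override)\b")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<name>network\.proxy\.\S+) - (?P<value>.*)$")

# Meaning of Firefox's network.proxy.type values.
FF_PROXY_MODE = {0: "direct (no proxy)", 1: "manual", 2: "PAC", 4: "auto-detect", 5: "system"}


def is_loopback(host: str) -> bool:
    """A proxy on the local host is the classic browser-hijacker pattern."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def parse_ie_proxy(value: str) -> dict:
    """Parse 'http=127.0.0.1:5643;ftp=...' or a bare 'host:port' into {scheme: (host, port)}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, hostport = part.split("=", 1) if "=" in part else ("*", part)
        host, _, port = hostport.rpartition(":")
        if not host:                      # bare host with no port
            host, port = port, ""
        out[scheme] = (host, int(port) if port.isdigit() else None)
    return out


def find_proxy_indicators(log_text: str) -> list:
    """Return one finding per browser proxy setting present in the log section."""
    findings, ff = [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = IE_PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_ie_proxy(m.group("value")).items():
                findings.append({"browser": "IE", "scheme": scheme, "host": host,
                                 "port": port, "mode": "manual", "active": True,
                                 "suspicious": is_loopback(host)})
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff[m.group("name")] = m.group("value").strip()
    if "network.proxy.http" in ff:
        ptype_raw = ff.get("network.proxy.type", "")
        ptype = int(ptype_raw) if ptype_raw.isdigit() else None
        port = ff.get("network.proxy.http_port", "")
        findings.append({"browser": "Firefox", "scheme": "http",
                         "host": ff["network.proxy.http"],
                         "port": int(port) if port.isdigit() else None,
                         "mode": FF_PROXY_MODE.get(ptype, "unknown"),
                         "active": ptype == 1,   # only 'manual' mode uses network.proxy.http
                         "suspicious": is_loopback(ff["network.proxy.http"])})
    return findings


def cfscript_for(log_text: str, folders=()) -> str:
    """Build CFScript text in the layout used in the thread: a Folder:: block for the
    given paths and a DDS:: block quoting the IE proxy lines, the latter emitted only
    when the IE proxy points at the local host. Returns '' when there is nothing to do."""
    ie_hit = any(f["browser"] == "IE" and f["suspicious"] for f in find_proxy_indicators(log_text))
    dds = [l.strip() for l in log_text.splitlines() if IE_ANY_PROXY_RE.match(l.strip())] if ie_hit else []
    blocks = []
    if folders:
        blocks.append("Folder::\n" + "\n".join(folders))
    if dds:
        blocks.append("DDS::\n" + "\n".join(dds))
    return "\n\n".join(blocks) + ("\n" if blocks else "")


if __name__ == "__main__":
    for label, text in (("before", BEFORE_CLEANUP), ("after", AFTER_CLEANUP)):
        print(label, find_proxy_indicators(text))
    print(cfscript_for(BEFORE_CLEANUP, folders=(SUSPECT_FOLDER,)))
```

Run against the "before" sample it reports an active loopback proxy for IE on port 5643 and emits exactly the DDS:: lines Crush asked for; against the "after" sample (the section as it appears in the final log in this thread, where the uInternet Settings lines are gone) it emits nothing for IE. It still reports the Firefox entry as suspicious but inactive, since prefs.js keeps 127.0.0.1:5643 as the HTTP proxy host while network.proxy.type is 0 (no proxy); that leftover is harmless until someone switches the profile to manual proxy mode, so it is worth clearing from the Firefox connection settings as well.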

Re: please help! anti virus suite hijacker

Post by lynx5653 on Wed 28 Jul 2010, 12:50 pm

ComboFix 10-07-24.06 - brimstone 07/27/2010 21:21:46.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.670 [GMT -4:00]
Running from: d:\documents and settings\brimstone\Desktop\commy.exe
Command switches used :: d:\documents and settings\brimstone\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\brimstone\Local Settings\Application Data\ubehsjtgy

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-27 11:21 . 2010-07-27 11:33 -------- d-----w- D:\commy13248c
2010-07-27 04:37 . 2010-07-27 04:37 -------- d-----w- d:\documents and settings\brimstone\Local Settings\Application Data\Mozilla
2010-07-26 11:14 . 2010-07-26 11:18 -------- d-----w- D:\commy
2010-07-25 18:00 . 2008-05-03 11:55 2560 ------w- d:\windows\system32\xpsp4res.dll
2010-07-25 18:00 . 2008-04-21 12:08 215552 -c----w- d:\windows\system32\dllcache\wordpad.exe
2010-07-25 15:11 . 2010-07-25 15:11 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcp71.dll
2010-07-25 15:11 . 2010-07-25 15:11 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\jmc.dll
2010-07-25 15:11 . 2010-07-25 15:11 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcr71.dll
2010-07-25 15:11 . 2010-07-25 15:11 -------- d-----w- d:\program files\Common Files\Java
2010-07-25 15:11 . 2010-07-25 15:11 61440 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-sse.dll
2010-07-25 15:11 . 2010-07-25 15:11 12800 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-d3d.dll
2010-07-25 15:10 . 2010-07-25 15:10 423656 ----a-w- d:\windows\system32\deployJava1.dll
2010-07-25 01:02 . 2010-07-25 01:11 -------- d-----w- d:\documents and settings\brimstone\Application Data\MSNInstaller
2010-07-24 19:03 . 2010-07-24 19:03 862872 ------w- d:\documents and settings\brimstone\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-07-24 18:14 . 2010-07-24 18:14 -------- d-----w- d:\windows\system32\wbem\Repository
2010-07-24 16:26 . 2010-07-24 16:26 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-24 16:25 . 2010-04-29 19:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 16:25 . 2010-07-25 13:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-07-24 16:25 . 2010-04-29 19:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-07-24 16:22 . 2010-07-24 16:22 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2010-07-24 16:22 . 2010-07-24 16:22 -------- dc----w- d:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-15 00:10 . 2010-07-15 00:10 -------- d-----w- d:\program files\Ubisoft
2010-07-10 23:09 . 2001-08-17 17:53 6784 -c--a-w- d:\windows\system32\dllcache\serscan.sys
2010-07-10 23:09 . 2001-08-17 17:53 6784 ----a-w- d:\windows\system32\drivers\serscan.sys
2010-07-10 23:09 . 2001-08-18 02:36 37376 -c--a-w- d:\windows\system32\dllcache\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 37376 ----a-w- d:\windows\system32\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 -c--a-w- d:\windows\system32\dllcache\fnfilter.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 ----a-w- d:\windows\system32\fnfilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 00:27 . 2009-01-26 13:29 -------- d-----w- d:\program files\CA Yahoo! Anti-Spy
2010-07-24 19:03 . 2008-11-09 14:05 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo!
2010-07-24 19:03 . 2008-10-05 16:42 -------- d-----w- d:\program files\Yahoo!
2010-07-24 18:38 . 2009-01-23 12:13 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-24 15:02 . 2008-10-30 00:27 70928 -c--a-w- d:\documents and settings\brimstone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 23:41 . 2009-01-25 17:43 -------- d-----w- d:\program files\Microsoft Picture It! PhotoPub
2010-07-01 01:53 . 2008-11-05 03:23 -------- d-----w- d:\program files\Common Files\Adobe
2010-06-25 00:59 . 2010-06-25 00:59 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcp71.dll
2010-06-25 00:59 . 2010-06-25 00:59 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\jmc.dll
2010-06-25 00:59 . 2010-06-25 00:59 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcr71.dll
2009-02-13 15:50 . 2009-02-03 15:41 2447 ----a-w- d:\program files\TurboTax 2008.lnk
2009-01-25 17:59 . 2009-01-25 17:59 1569 ----a-w- d:\program files\Microsoft Picture It! Publishing 2001.lnk
2009-01-13 00:47 . 2009-01-13 00:47 653 ----a-w- d:\program files\Destroy-It 2000.LNK
2008-12-28 20:34 . 2008-12-28 20:34 1794 ----a-w- d:\program files\Common Files\Photo Impression 6.lnk
2008-12-11 15:49 . 2008-12-11 15:48 70447405 ----a-w- d:\program files\sirius_studio_installer.zip
2008-02-09 18:47 . 2008-02-09 18:47 2680089 ----a-w- d:\program files\MySiriusStudioManual.pdf
2008-02-09 18:47 . 2008-02-09 18:47 68735086 ----a-w- d:\program files\SiriusStudioSetup.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 00:23 . 2010-07-28 00:23 16384 d:\windows\Temp\Perflib_Perfdata_1c4.dat
- 2008-11-05 08:00 . 2007-11-30 12:39 17272 d:\windows\system32\spmsg.dll
+ 2008-11-05 08:00 . 2008-07-08 13:02 17272 d:\windows\system32\spmsg.dll
+ 2004-08-04 12:00 . 2010-07-28 00:28 61970 d:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-07-25 17:31 61970 d:\windows\system32\perfc009.dat
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 d:\windows\system32\dllcache\cabview.dll
+ 2004-08-04 12:00 . 2010-01-13 14:01 86016 d:\windows\system32\cabview.dll
+ 2004-08-04 12:00 . 2009-12-24 06:59 177664 d:\windows\system32\wintrust.dll
+ 2004-08-04 12:00 . 2010-07-28 00:28 401514 d:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-07-25 17:31 401514 d:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2008-05-09 10:53 512000 d:\windows\system32\jscript.dll
+ 2004-08-04 12:00 . 2009-08-13 15:16 512000 d:\windows\system32\jscript.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 884401 d:\windows\system32\faxetsys\rtfovdev.dll
+ 2004-08-04 12:00 . 2009-12-31 16:50 353792 d:\windows\system32\drivers\srv.sys
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 d:\windows\system32\dllcache\wintrust.dll
+ 2008-10-29 04:40 . 2009-06-21 21:44 153088 d:\windows\system32\dllcache\triedit.dll
- 2008-10-29 04:40 . 2004-08-04 12:00 153088 d:\windows\system32\dllcache\triedit.dll
+ 2008-11-05 08:59 . 2009-12-31 16:50 353792 d:\windows\system32\dllcache\srv.sys
+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 d:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2008-05-09 10:53 512000 d:\windows\system32\dllcache\jscript.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 155673 d:\windows\system32\dlgildev32.dll
+ 2010-07-25 17:56 . 2009-08-13 13:55 1748992 d:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2004-08-04 12:00 . 2010-02-05 18:27 1291776 d:\windows\system32\quartz.dll
+ 2004-08-04 12:00 . 2010-02-17 13:10 2189952 d:\windows\system32\ntoskrnl.exe
+ 2004-08-03 22:59 . 2010-02-16 13:25 2066816 d:\windows\system32\ntkrnlpa.exe
+ 2008-05-07 05:12 . 2010-02-05 18:27 1291776 d:\windows\system32\dllcache\quartz.dll
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\Driver Cache\i386\ntkrnlmp.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sqlbot]
@="{2962D51A-0EC3-4EB3-8660-CA643E187C01}"
[HKEY_CLASSES_ROOT\CLSID\{2962D51A-0EC3-4EB3-8660-CA643E187C01}]
2008-04-14 00:11 1819997 ----a-w- d:\windows\system32\htmlmod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"WorksFUD"="d:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Microsoft Works Update Detection"="d:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Microsoft Works Portfolio"="d:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb01.exe" [2000-08-07 192512]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HPHmon04"="d:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Txtitdde"= {C06CBC2B-A080-4A36-92BE-5FA438C6D029} - d:\windows\system32\sqlepchm.dll [2008-04-14 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhcpvga]
2008-04-14 00:11 884836 ----a-w- d:\windows\system32\dhcpvga.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 PM 231424]
S3 PAC207;PC Camer@;d:\windows\system32\drivers\PFC027.SYS [6/12/2007 11:39 AM 508416]
S3 PortlUSB;PortlUSB;d:\windows\system32\drivers\SiriusUSB.sys [12/11/2008 11:50 AM 7552]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Block This Image (ABP) - d:\program files\Adblock Pro\blockimg.html
FF - ProfilePath - d:\documents and settings\brimstone\Application Data\Mozilla\Firefox\Profiles\srjhhpuh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5643
FF - prefs.js: network.proxy.type - 0
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-27 21:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\dhcpvga.dll

- - - - - - - > 'explorer.exe'(3736)
d:\windows\system32\htmlmod.dll
d:\windows\system32\sqlepchm.dll
d:\windows\system32\logadans.dll
d:\windows\system32\faxetsys\wowigbat\usbaxmat.dll
.
Completion time: 2010-07-27 21:36:20
ComboFix-quarantined-files.txt 2010-07-28 01:36
ComboFix2.txt 2010-07-27 11:33
ComboFix3.txt 2010-07-26 11:33
ComboFix4.txt 2010-07-26 00:53
ComboFix5.txt 2010-07-28 01:20

Pre-Run: 75,929,092,096 bytes free
Post-Run: 75,895,721,984 bytes free

- - End Of File - - CC03613A7E515C3420AF1E2AA6D3CC56
Looks like it removed the file.

Now for anti-virus software, what do you recommend, not system hungry?
Laptop seems to be working much better thanks to you and all your help.
Thanks,
David

lynx5653

Newbie Surfer

Posts : 21
Joined : 2010-07-26
Operating System : xp home


Re: please help! anti virus suite hijacker

Post by Crush on Wed 28 Jul 2010, 2:31 pm

Hi,

Sorry. I missed these.

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Firefox::
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 5643
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28


Re: please help! anti virus suite hijacker

Post by lynx5653 on Wed 28 Jul 2010, 10:56 pm

ComboFix 10-07-24.06 - brimstone 07/28/2010 7:37.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.683 [GMT -4:00]
Running from: d:\documents and settings\brimstone\Desktop\commy.exe
Command switches used :: d:\documents and settings\brimstone\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-27 11:21 . 2010-07-27 11:33 -------- d-----w- D:\commy13248c
2010-07-27 04:37 . 2010-07-27 04:37 -------- d-----w- d:\documents and settings\brimstone\Local Settings\Application Data\Mozilla
2010-07-26 11:14 . 2010-07-26 11:18 -------- d-----w- D:\commy
2010-07-25 18:00 . 2008-05-03 11:55 2560 ------w- d:\windows\system32\xpsp4res.dll
2010-07-25 18:00 . 2008-04-21 12:08 215552 -c----w- d:\windows\system32\dllcache\wordpad.exe
2010-07-25 15:11 . 2010-07-25 15:11 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcp71.dll
2010-07-25 15:11 . 2010-07-25 15:11 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\jmc.dll
2010-07-25 15:11 . 2010-07-25 15:11 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcr71.dll
2010-07-25 15:11 . 2010-07-25 15:11 -------- d-----w- d:\program files\Common Files\Java
2010-07-25 15:11 . 2010-07-25 15:11 61440 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-sse.dll
2010-07-25 15:11 . 2010-07-25 15:11 12800 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-d3d.dll
2010-07-25 15:10 . 2010-07-25 15:10 423656 ----a-w- d:\windows\system32\deployJava1.dll
2010-07-25 01:02 . 2010-07-25 01:11 -------- d-----w- d:\documents and settings\brimstone\Application Data\MSNInstaller
2010-07-24 19:03 . 2010-07-24 19:03 862872 ------w- d:\documents and settings\brimstone\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-07-24 18:14 . 2010-07-24 18:14 -------- d-----w- d:\windows\system32\wbem\Repository
2010-07-24 16:26 . 2010-07-24 16:26 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-24 16:25 . 2010-04-29 19:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 16:25 . 2010-07-25 13:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-07-24 16:25 . 2010-04-29 19:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-07-24 16:22 . 2010-07-24 16:22 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2010-07-24 16:22 . 2010-07-24 16:22 -------- dc----w- d:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-15 00:10 . 2010-07-15 00:10 -------- d-----w- d:\program files\Ubisoft
2010-07-10 23:09 . 2001-08-17 17:53 6784 -c--a-w- d:\windows\system32\dllcache\serscan.sys
2010-07-10 23:09 . 2001-08-17 17:53 6784 ----a-w- d:\windows\system32\drivers\serscan.sys
2010-07-10 23:09 . 2001-08-18 02:36 37376 -c--a-w- d:\windows\system32\dllcache\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 37376 ----a-w- d:\windows\system32\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 -c--a-w- d:\windows\system32\dllcache\fnfilter.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 ----a-w- d:\windows\system32\fnfilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 00:27 . 2009-01-26 13:29 -------- d-----w- d:\program files\CA Yahoo! Anti-Spy
2010-07-24 19:03 . 2008-11-09 14:05 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo!
2010-07-24 19:03 . 2008-10-05 16:42 -------- d-----w- d:\program files\Yahoo!
2010-07-24 18:38 . 2009-01-23 12:13 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-24 15:02 . 2008-10-30 00:27 70928 -c--a-w- d:\documents and settings\brimstone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 23:41 . 2009-01-25 17:43 -------- d-----w- d:\program files\Microsoft Picture It! PhotoPub
2010-07-01 01:53 . 2008-11-05 03:23 -------- d-----w- d:\program files\Common Files\Adobe
2010-06-25 00:59 . 2010-06-25 00:59 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcp71.dll
2010-06-25 00:59 . 2010-06-25 00:59 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\jmc.dll
2010-06-25 00:59 . 2010-06-25 00:59 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcr71.dll
2009-02-13 15:50 . 2009-02-03 15:41 2447 ----a-w- d:\program files\TurboTax 2008.lnk
2009-01-25 17:59 . 2009-01-25 17:59 1569 ----a-w- d:\program files\Microsoft Picture It! Publishing 2001.lnk
2009-01-13 00:47 . 2009-01-13 00:47 653 ----a-w- d:\program files\Destroy-It 2000.LNK
2008-12-28 20:34 . 2008-12-28 20:34 1794 ----a-w- d:\program files\Common Files\Photo Impression 6.lnk
2008-12-11 15:49 . 2008-12-11 15:48 70447405 ----a-w- d:\program files\sirius_studio_installer.zip
2008-02-09 18:47 . 2008-02-09 18:47 2680089 ----a-w- d:\program files\MySiriusStudioManual.pdf
2008-02-09 18:47 . 2008-02-09 18:47 68735086 ----a-w- d:\program files\SiriusStudioSetup.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 1601-01-01 00:00 . 1601-01-01 00:00 0 d:\windows\Temp\Perflib_Perfdata_d84.dat
+ 2010-07-28 11:28 . 2010-07-28 11:28 16384 d:\windows\Temp\Perflib_Perfdata_16c.dat
+ 2008-11-05 08:00 . 2008-07-08 13:02 17272 d:\windows\system32\spmsg.dll
- 2008-11-05 08:00 . 2007-11-30 12:39 17272 d:\windows\system32\spmsg.dll
+ 2004-08-04 12:00 . 2010-07-28 11:33 61970 d:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-07-25 17:31 61970 d:\windows\system32\perfc009.dat
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 d:\windows\system32\dllcache\cabview.dll
+ 2004-08-04 12:00 . 2010-01-13 14:01 86016 d:\windows\system32\cabview.dll
+ 2004-08-04 12:00 . 2009-12-24 06:59 177664 d:\windows\system32\wintrust.dll
+ 2004-08-04 12:00 . 2010-07-28 11:33 401514 d:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-07-25 17:31 401514 d:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2009-08-13 15:16 512000 d:\windows\system32\jscript.dll
- 2004-08-04 12:00 . 2008-05-09 10:53 512000 d:\windows\system32\jscript.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 902183 d:\windows\system32\faxetsys\rtfovdev.dll
+ 2004-08-04 12:00 . 2009-12-31 16:50 353792 d:\windows\system32\drivers\srv.sys
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 d:\windows\system32\dllcache\wintrust.dll
- 2008-10-29 04:40 . 2004-08-04 12:00 153088 d:\windows\system32\dllcache\triedit.dll
+ 2008-10-29 04:40 . 2009-06-21 21:44 153088 d:\windows\system32\dllcache\triedit.dll
+ 2008-11-05 08:59 . 2009-12-31 16:50 353792 d:\windows\system32\dllcache\srv.sys
+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 d:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2008-05-09 10:53 512000 d:\windows\system32\dllcache\jscript.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 155673 d:\windows\system32\dlgildev32.dll
+ 2010-07-25 17:56 . 2009-08-13 13:55 1748992 d:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2004-08-04 12:00 . 2010-02-05 18:27 1291776 d:\windows\system32\quartz.dll
+ 2004-08-04 12:00 . 2010-02-17 13:10 2189952 d:\windows\system32\ntoskrnl.exe
+ 2004-08-03 22:59 . 2010-02-16 13:25 2066816 d:\windows\system32\ntkrnlpa.exe
+ 2008-05-07 05:12 . 2010-02-05 18:27 1291776 d:\windows\system32\dllcache\quartz.dll
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\Driver Cache\i386\ntkrnlmp.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sqlbot]
@="{2962D51A-0EC3-4EB3-8660-CA643E187C01}"
[HKEY_CLASSES_ROOT\CLSID\{2962D51A-0EC3-4EB3-8660-CA643E187C01}]
2008-04-14 00:11 1819997 ----a-w- d:\windows\system32\htmlmod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"WorksFUD"="d:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Microsoft Works Update Detection"="d:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Microsoft Works Portfolio"="d:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb01.exe" [2000-08-07 192512]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HPHmon04"="d:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Txtitdde"= {C06CBC2B-A080-4A36-92BE-5FA438C6D029} - d:\windows\system32\sqlepchm.dll [2008-04-14 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhcpvga]
2008-04-14 00:11 884836 ----a-w- d:\windows\system32\dhcpvga.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 PM 231424]
S3 PAC207;PC Camer@;d:\windows\system32\drivers\PFC027.SYS [6/12/2007 11:39 AM 508416]
S3 PortlUSB;PortlUSB;d:\windows\system32\drivers\SiriusUSB.sys [12/11/2008 11:50 AM 7552]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Block This Image (ABP) - d:\program files\Adblock Pro\blockimg.html
FF - ProfilePath - d:\documents and settings\brimstone\Application Data\Mozilla\Firefox\Profiles\srjhhpuh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5643
FF - prefs.js: network.proxy.type - 0
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-28 07:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\dhcpvga.dll

- - - - - - - > 'explorer.exe'(4052)
d:\windows\system32\htmlmod.dll
d:\windows\system32\sqlepchm.dll
d:\windows\system32\logadans.dll
d:\windows\system32\faxetsys\wowigbat\usbaxmat.dll
.
Completion time: 2010-07-28 07:49:35
ComboFix-quarantined-files.txt 2010-07-28 11:49
ComboFix2.txt 2010-07-28 01:36
ComboFix3.txt 2010-07-27 11:33
ComboFix4.txt 2010-07-26 11:33
ComboFix5.txt 2010-07-28 11:36

Pre-Run: 75,965,403,136 bytes free
Post-Run: 75,931,947,008 bytes free

- - End Of File - - 6CDF2D3E6FBE6E4CB18778CF69A85858

lynx5653

Newbie Surfer

Posts : 21
Joined : 2010-07-26
Operating System : xp home


Re: please help! anti virus suite hijacker

Post by Crush on Thu 29 Jul 2010, 4:28 am

Hi,

I made a boo-boo. There was an error in my script.

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Firefox::
    FF - ProfilePath - d:\documents and settings\brimstone\Application Data\Mozilla\Firefox\Profiles\srjhhpuh.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 5643
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

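Both of Crush's CFScript posts above target the same indicator in the ComboFix log: the Firefox profile's prefs.js carries `network.proxy.http = 127.0.0.1` and `network.proxy.http_port = 5643`, i.e. the browser was pointed at a proxy on the local machine, which is how a hijacker gets to see and rewrite traffic. The following is an added example, not code from this thread, from ComboFix or from Mozilla: a small Python checker that parses a prefs.js (or a greprefs `pref(...)` file) and reports proxy settings that point at loopback, that are left behind with the proxy type set to 0, or that reference a PAC script. The function names, the severity labels and the sample prefs.js text are all assumptions; the sample is constructed to mirror the values in the logs, not copied from the profile.

```python
import ipaddress
import re
from typing import Dict, List, Union

PrefValue = Union[str, int, bool]

# Matches both  user_pref("name", value);  (prefs.js) and  pref("name", value);  (greprefs/all.js)
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

# Meaning of network.proxy.type as Mozilla documents it
PROXY_TYPE_NAMES = {0: "no proxy", 1: "manual", 2: "PAC script", 4: "auto-detect", 5: "system"}

# Constructed sample mirroring the indicator in the ComboFix log (hypothetical file content)
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 5643);
user_pref("network.proxy.type", 0);
user_pref("dom.ipc.plugins.enabled", false);
"""


def _parse_value(raw: str) -> PrefValue:
    """Turn the JS literal on a pref line into str, bool or int."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw  # anything unexpected is kept as text


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Collect every pref line into a name -> value map; other lines are ignored."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def _is_local(host: str) -> bool:
    """True for 'localhost' and any loopback IPv4/IPv6 literal."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_proxy_prefs(prefs: Dict[str, PrefValue]) -> List[Dict[str, str]]:
    """Return findings about proxy-related prefs, most severe first per scheme."""
    findings: List[Dict[str, str]] = []
    ptype = prefs.get("network.proxy.type", 5)  # Firefox's built-in default is 5 (system proxy)
    for scheme in ("http", "ssl", "ftp", "socks"):
        name = f"network.proxy.{scheme}"
        host = prefs.get(name)
        if not isinstance(host, str) or not host:
            continue
        port = prefs.get(f"{name}_port", 0)
        if _is_local(host):
            findings.append({"severity": "high", "pref": name,
                             "detail": f"proxy points at loopback {host}:{port}; "
                                       "a local intercepting proxy is a common hijack"})
        elif ptype == 1:
            findings.append({"severity": "medium", "pref": name,
                             "detail": f"manual proxy {host}:{port} in use; confirm it is expected"})
        if ptype == 0:
            findings.append({"severity": "low", "pref": name,
                             "detail": f"proxy type 0 ({PROXY_TYPE_NAMES[0]}) but a host is still "
                                       "configured; leftover setting, clear it"})
    pac = prefs.get("network.proxy.autoconfig_url")
    if isinstance(pac, str) and pac:
        findings.append({"severity": "medium", "pref": "network.proxy.autoconfig_url",
                         "detail": f"PAC script {pac} configured; verify who controls it"})
    return findings


if __name__ == "__main__":
    for f in check_proxy_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"[{f['severity']}] {f['pref']}: {f['detail']}")
```

On the sample this reports a high finding for `network.proxy.http` (loopback proxy on port 5643) and a low one noting that the host survived even though `network.proxy.type` is 0, which matches the state the log shows after the first ComboFix runs: the browser was no longer using the proxy, but the pointer to it was still in the profile, which is exactly what the CFScript lines remove. Run it against a real profile with `parse_prefs(open(path).read())`.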

Re: please help! anti virus suite hijacker

Post by lynx5653 on Thu 29 Jul 2010, 9:26 am

ComboFix 10-07-27.05 - brimstone 07/28/2010 18:11:03.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.599 [GMT -4:00]
Running from: d:\documents and settings\brimstone\Desktop\commy.exe
Command switches used :: d:\documents and settings\brimstone\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-28 22:10 . 2010-07-28 22:10 27591840 ----a-w- d:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-07-27 11:21 . 2010-07-27 11:33 -------- d-----w- D:\commy13248c
2010-07-27 04:37 . 2010-07-27 04:37 -------- d-----w- d:\documents and settings\brimstone\Local Settings\Application Data\Mozilla
2010-07-26 11:14 . 2010-07-26 11:18 -------- d-----w- D:\commy
2010-07-25 18:00 . 2008-05-03 11:55 2560 ------w- d:\windows\system32\xpsp4res.dll
2010-07-25 18:00 . 2008-04-21 12:08 215552 -c----w- d:\windows\system32\dllcache\wordpad.exe
2010-07-25 15:11 . 2010-07-25 15:11 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcp71.dll
2010-07-25 15:11 . 2010-07-25 15:11 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\jmc.dll
2010-07-25 15:11 . 2010-07-25 15:11 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcr71.dll
2010-07-25 15:11 . 2010-07-25 15:11 -------- d-----w- d:\program files\Common Files\Java
2010-07-25 15:11 . 2010-07-25 15:11 61440 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-sse.dll
2010-07-25 15:11 . 2010-07-25 15:11 12800 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-d3d.dll
2010-07-25 15:10 . 2010-07-25 15:10 423656 ----a-w- d:\windows\system32\deployJava1.dll
2010-07-25 01:02 . 2010-07-25 01:11 -------- d-----w- d:\documents and settings\brimstone\Application Data\MSNInstaller
2010-07-24 19:03 . 2010-07-24 19:03 862872 ------w- d:\documents and settings\brimstone\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-07-24 18:14 . 2010-07-24 18:14 -------- d-----w- d:\windows\system32\wbem\Repository
2010-07-24 16:26 . 2010-07-24 16:26 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-24 16:25 . 2010-04-29 19:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 16:25 . 2010-07-25 13:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-07-24 16:25 . 2010-04-29 19:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-07-24 16:22 . 2010-07-24 16:22 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2010-07-24 16:22 . 2010-07-24 16:22 -------- dc----w- d:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-15 00:10 . 2010-07-15 00:10 -------- d-----w- d:\program files\Ubisoft
2010-07-10 23:09 . 2001-08-17 17:53 6784 -c--a-w- d:\windows\system32\dllcache\serscan.sys
2010-07-10 23:09 . 2001-08-17 17:53 6784 ----a-w- d:\windows\system32\drivers\serscan.sys
2010-07-10 23:09 . 2001-08-18 02:36 37376 -c--a-w- d:\windows\system32\dllcache\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 37376 ----a-w- d:\windows\system32\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 -c--a-w- d:\windows\system32\dllcache\fnfilter.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 ----a-w- d:\windows\system32\fnfilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 00:27 . 2009-01-26 13:29 -------- d-----w- d:\program files\CA Yahoo! Anti-Spy
2010-07-24 19:03 . 2008-11-09 14:05 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo!
2010-07-24 19:03 . 2008-10-05 16:42 -------- d-----w- d:\program files\Yahoo!
2010-07-24 18:38 . 2009-01-23 12:13 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-24 15:02 . 2008-10-30 00:27 70928 -c--a-w- d:\documents and settings\brimstone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 23:41 . 2009-01-25 17:43 -------- d-----w- d:\program files\Microsoft Picture It! PhotoPub
2010-07-01 01:53 . 2008-11-05 03:23 -------- d-----w- d:\program files\Common Files\Adobe
2010-06-25 00:59 . 2010-06-25 00:59 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcp71.dll
2010-06-25 00:59 . 2010-06-25 00:59 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\jmc.dll
2010-06-25 00:59 . 2010-06-25 00:59 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcr71.dll
2009-02-13 15:50 . 2009-02-03 15:41 2447 ----a-w- d:\program files\TurboTax 2008.lnk
2009-01-25 17:59 . 2009-01-25 17:59 1569 ----a-w- d:\program files\Microsoft Picture It! Publishing 2001.lnk
2009-01-13 00:47 . 2009-01-13 00:47 653 ----a-w- d:\program files\Destroy-It 2000.LNK
2008-12-28 20:34 . 2008-12-28 20:34 1794 ----a-w- d:\program files\Common Files\Photo Impression 6.lnk
2008-12-11 15:49 . 2008-12-11 15:48 70447405 ----a-w- d:\program files\sirius_studio_installer.zip
2008-02-09 18:47 . 2008-02-09 18:47 2680089 ----a-w- d:\program files\MySiriusStudioManual.pdf
2008-02-09 18:47 . 2008-02-09 18:47 68735086 ----a-w- d:\program files\SiriusStudioSetup.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 22:00 . 2010-07-28 22:00 16384 d:\windows\Temp\Perflib_Perfdata_af4.dat
+ 2010-07-28 21:59 . 2010-07-28 21:59 16384 d:\windows\Temp\Perflib_Perfdata_14c.dat
- 2008-11-05 08:00 . 2007-11-30 12:39 17272 d:\windows\system32\spmsg.dll
+ 2008-11-05 08:00 . 2008-07-08 13:02 17272 d:\windows\system32\spmsg.dll
- 2004-08-04 12:00 . 2010-07-25 17:31 61970 d:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-07-28 22:04 61970 d:\windows\system32\perfc009.dat
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 d:\windows\system32\dllcache\cabview.dll
+ 2004-08-04 12:00 . 2010-01-13 14:01 86016 d:\windows\system32\cabview.dll
+ 2004-08-04 12:00 . 2009-12-24 06:59 177664 d:\windows\system32\wintrust.dll
- 2004-08-04 12:00 . 2010-07-25 17:31 401514 d:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-07-28 22:04 401514 d:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2009-08-13 15:16 512000 d:\windows\system32\jscript.dll
- 2004-08-04 12:00 . 2008-05-09 10:53 512000 d:\windows\system32\jscript.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 925335 d:\windows\system32\faxetsys\rtfovdev.dll
+ 2004-08-04 12:00 . 2009-12-31 16:50 353792 d:\windows\system32\drivers\srv.sys
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 d:\windows\system32\dllcache\wintrust.dll
- 2008-10-29 04:40 . 2004-08-04 12:00 153088 d:\windows\system32\dllcache\triedit.dll
+ 2008-10-29 04:40 . 2009-06-21 21:44 153088 d:\windows\system32\dllcache\triedit.dll
+ 2008-11-05 08:59 . 2009-12-31 16:50 353792 d:\windows\system32\dllcache\srv.sys
- 2008-05-09 10:53 . 2008-05-09 10:53 512000 d:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 d:\windows\system32\dllcache\jscript.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 155673 d:\windows\system32\dlgildev32.dll
+ 2010-07-25 17:56 . 2009-08-13 13:55 1748992 d:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2004-08-04 12:00 . 2010-02-05 18:27 1291776 d:\windows\system32\quartz.dll
+ 2004-08-04 12:00 . 2010-02-17 13:10 2189952 d:\windows\system32\ntoskrnl.exe
+ 2004-08-03 22:59 . 2010-02-16 13:25 2066816 d:\windows\system32\ntkrnlpa.exe
+ 2008-05-07 05:12 . 2010-02-05 18:27 1291776 d:\windows\system32\dllcache\quartz.dll
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\Driver Cache\i386\ntkrnlmp.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sqlbot]
@="{2962D51A-0EC3-4EB3-8660-CA643E187C01}"
[HKEY_CLASSES_ROOT\CLSID\{2962D51A-0EC3-4EB3-8660-CA643E187C01}]
2008-04-14 00:11 1819997 ----a-w- d:\windows\system32\htmlmod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"WorksFUD"="d:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Microsoft Works Update Detection"="d:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Microsoft Works Portfolio"="d:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb01.exe" [2000-08-07 192512]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HPHmon04"="d:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Txtitdde"= {C06CBC2B-A080-4A36-92BE-5FA438C6D029} - d:\windows\system32\sqlepchm.dll [2008-04-14 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhcpvga]
2008-04-14 00:11 884836 ----a-w- d:\windows\system32\dhcpvga.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 PM 231424]
S3 PAC207;PC Camer@;d:\windows\system32\drivers\PFC027.SYS [6/12/2007 11:39 AM 508416]
S3 PortlUSB;PortlUSB;d:\windows\system32\drivers\SiriusUSB.sys [12/11/2008 11:50 AM 7552]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Block This Image (ABP) - d:\program files\Adblock Pro\blockimg.html
FF - ProfilePath - d:\documents and settings\brimstone\Application Data\Mozilla\Firefox\Profiles\srjhhpuh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-28 18:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\dhcpvga.dll

- - - - - - - > 'explorer.exe'(3348)
d:\windows\system32\htmlmod.dll
d:\windows\system32\sqlepchm.dll
d:\windows\system32\logadans.dll
d:\windows\system32\faxetsys\wowigbat\usbaxmat.dll
.
Completion time: 2010-07-28 18:21:48
ComboFix-quarantined-files.txt 2010-07-28 22:21
ComboFix2.txt 2010-07-28 11:49
ComboFix3.txt 2010-07-28 01:36
ComboFix4.txt 2010-07-27 11:33
ComboFix5.txt 2010-07-28 22:08

Pre-Run: 75,863,572,480 bytes free
Post-Run: 75,858,255,872 bytes free

- - End Of File - - 406AF43F3E3C00B6B395DFF24774B733

lynx5653

Newbie Surfer

Posts : 21
Joined : 2010-07-26
Operating System : xp home

Re: please help! anti virus suite hijacker

Post by Crush on Thu 29 Jul 2010, 11:33 am

Hi,

This should clean up the remaining infections.

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    [You must be registered and logged in to see this link.]
    Collect::
    d:\windows\system32\dhcpvga.dll
    d:\windows\system32\logadans.dll
    d:\windows\system32\sqlepchm.dll
    d:\windows\system32\faxetsys\wowigbat\usbaxmat.dll
    d:\windows\system32\htmlmod.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28
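An added check for step 7, not part of Crush's instructions or of ComboFix: a small Python script that reads the ComboFix log the run produces and confirms, for every path listed under Collect::, that it was zipped to quarantine, listed under Other Deletions, and no longer appears under DLLs Loaded Under Running Processes. The CFScript and the two log excerpts are constructed from the paths and section banners in this thread.

```python
"""Check a ComboFix Collect:: run against the log it produced. Added example, not
part of ComboFix or of the post; assumes the section banners seen in this thread."""

# Constructed CFScript with three of the paths from the post above.
CFSCRIPT = """\
Collect::
d:\\windows\\system32\\dhcpvga.dll
d:\\windows\\system32\\sqlepchm.dll
d:\\windows\\system32\\htmlmod.dll
"""

# Constructed excerpt of the log the run produced, trimmed to the sections used.
AFTER_LOG = """\
file zipped: d:\\windows\\system32\\dhcpvga.dll
file zipped: d:\\windows\\system32\\htmlmod.dll
file zipped: d:\\windows\\system32\\sqlepchm.dll
.
(((((((((((((( Other Deletions ))))))))))))))
.
d:\\windows\\system32\\dhcpvga.dll
d:\\windows\\system32\\htmlmod.dll
d:\\windows\\system32\\sqlepchm.dll
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(700)
d:\\windows\\system32\\Ati2evxx.dll
.
Completion time: 2010-07-28 20:59:36 - machine was rebooted
"""

# Constructed excerpt of the earlier log, taken before the script ran.
BEFORE_LOG = """\
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(700)
d:\\windows\\system32\\dhcpvga.dll
- - - - - - - > 'explorer.exe'(3348)
d:\\windows\\system32\\htmlmod.dll
"""

def banner_name(line):
    """Section name of a banner like '(((( Other Deletions ))))', else None."""
    s = line.strip()
    closer = {"(": ")", "-": "-"}       # '- - - > winlogon' lines end in ')' so are not banners
    if len(s) > 4 and s[0] in closer and s[-1] == closer[s[0]] and any(c.isalpha() for c in s):
        return " ".join(s.strip("()- ").split()).lower()
    return None

def parse_sections(log):
    """Split a log into {section: [lines]}; text before the first banner is 'header'."""
    current, sections = "header", {"header": []}
    for line in (l.strip() for l in log.splitlines()):
        name = banner_name(line)
        if name:
            current = name
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections

def loaded_dlls(sections):
    """{process: [dll paths]} from the 'DLLs Loaded Under Running Processes' section."""
    loaded, proc = {}, None
    for line in sections.get("dlls loaded under running processes", []):
        if line.startswith("- - ") and "'" in line:   # - - - - - - - > 'winlogon.exe'(700)
            proc = line.split("'")[1].lower()
            loaded[proc] = []
        elif proc and "\\" in line:                    # a path; skips trailer lines
            loaded[proc].append(line.lower())
    return loaded

def collect_targets(cfscript):
    """Paths listed under Collect:: (stops at the next directive, e.g. File::)."""
    targets, active = [], False
    for line in (l.strip() for l in cfscript.splitlines()):
        if line.endswith("::"):
            active = line.lower() == "collect::"
        elif active and line:
            targets.append(line.lower())
    return targets

def verify_cleanup(cfscript, log):
    """Per Collect:: target: zipped to quarantine? listed as deleted? still loaded?"""
    sections = parse_sections(log)
    zipped = {l.split(":", 1)[1].strip().lower() for l in sections["header"]
              if l.lower().startswith("file zipped:")}
    deleted = {l.lower() for l in sections.get("other deletions", [])}
    still_loaded = {d for dlls in loaded_dlls(sections).values() for d in dlls}
    return {t: {"zipped": t in zipped, "deleted": t in deleted, "still_loaded": t in still_loaded}
            for t in collect_targets(cfscript)}

def all_clear(report):
    """True when every target is gone and none is loaded in a process any more."""
    return all(r["deleted"] and not r["still_loaded"] for r in report.values())
```

Running `all_clear(verify_cleanup(CFSCRIPT, BEFORE_LOG))` reports False because dhcpvga.dll and htmlmod.dll are still loaded, while the same call on AFTER_LOG reports True.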

Re: please help! anti virus suite hijacker

Post by lynx5653 on Thu 29 Jul 2010, 12:02 pm

ComboFix 10-07-27.05 - brimstone 07/28/2010 20:47:20.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.630 [GMT -4:00]
Running from: d:\documents and settings\brimstone\Desktop\commy.exe
Command switches used :: d:\documents and settings\brimstone\Desktop\CFScript.txt

file zipped: d:\windows\system32\dhcpvga.dll
file zipped: d:\windows\system32\faxetsys\wowigbat\usbaxmat.dll
file zipped: d:\windows\system32\htmlmod.dll
file zipped: d:\windows\system32\logadans.dll
file zipped: d:\windows\system32\sqlepchm.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\dhcpvga.dll
d:\windows\system32\faxetsys\wowigbat\usbaxmat.dll
d:\windows\system32\htmlmod.dll
d:\windows\system32\logadans.dll
d:\windows\system32\sqlepchm.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-28 22:10 . 2010-07-28 22:10 27591840 ----a-w- d:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-07-27 11:21 . 2010-07-27 11:33 -------- d-----w- D:\commy13248c
2010-07-27 04:37 . 2010-07-27 04:37 -------- d-----w- d:\documents and settings\brimstone\Local Settings\Application Data\Mozilla
2010-07-26 11:14 . 2010-07-26 11:18 -------- d-----w- D:\commy
2010-07-25 18:00 . 2008-05-03 11:55 2560 ------w- d:\windows\system32\xpsp4res.dll
2010-07-25 18:00 . 2008-04-21 12:08 215552 -c----w- d:\windows\system32\dllcache\wordpad.exe
2010-07-25 15:11 . 2010-07-25 15:11 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcp71.dll
2010-07-25 15:11 . 2010-07-25 15:11 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\jmc.dll
2010-07-25 15:11 . 2010-07-25 15:11 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-72d5aadb-n\msvcr71.dll
2010-07-25 15:11 . 2010-07-25 15:11 -------- d-----w- d:\program files\Common Files\Java
2010-07-25 15:11 . 2010-07-25 15:11 61440 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-sse.dll
2010-07-25 15:11 . 2010-07-25 15:11 12800 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3312fdb5-n\decora-d3d.dll
2010-07-25 15:10 . 2010-07-25 15:10 423656 ----a-w- d:\windows\system32\deployJava1.dll
2010-07-25 01:02 . 2010-07-25 01:11 -------- d-----w- d:\documents and settings\brimstone\Application Data\MSNInstaller
2010-07-24 19:03 . 2010-07-24 19:03 862872 ------w- d:\documents and settings\brimstone\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-07-24 18:14 . 2010-07-24 18:14 -------- d-----w- d:\windows\system32\wbem\Repository
2010-07-24 16:26 . 2010-07-24 16:26 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-24 16:25 . 2010-04-29 19:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 16:25 . 2010-07-25 13:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-07-24 16:25 . 2010-04-29 19:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-07-24 16:22 . 2010-07-24 16:22 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2010-07-24 16:22 . 2010-07-24 16:22 -------- dc----w- d:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-15 00:10 . 2010-07-15 00:10 -------- d-----w- d:\program files\Ubisoft
2010-07-10 23:09 . 2001-08-17 17:53 6784 -c--a-w- d:\windows\system32\dllcache\serscan.sys
2010-07-10 23:09 . 2001-08-17 17:53 6784 ----a-w- d:\windows\system32\drivers\serscan.sys
2010-07-10 23:09 . 2001-08-18 02:36 37376 -c--a-w- d:\windows\system32\dllcache\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 37376 ----a-w- d:\windows\system32\kousd.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 -c--a-w- d:\windows\system32\dllcache\fnfilter.dll
2010-07-10 23:09 . 2001-08-18 02:36 71680 ----a-w- d:\windows\system32\fnfilter.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 00:27 . 2009-01-26 13:29 -------- d-----w- d:\program files\CA Yahoo! Anti-Spy
2010-07-24 19:03 . 2008-11-09 14:05 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo!
2010-07-24 19:03 . 2008-10-05 16:42 -------- d-----w- d:\program files\Yahoo!
2010-07-24 18:38 . 2009-01-23 12:13 -------- d-----w- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-24 15:02 . 2008-10-30 00:27 70928 -c--a-w- d:\documents and settings\brimstone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 23:41 . 2009-01-25 17:43 -------- d-----w- d:\program files\Microsoft Picture It! PhotoPub
2010-07-01 01:53 . 2008-11-05 03:23 -------- d-----w- d:\program files\Common Files\Adobe
2010-06-25 00:59 . 2010-06-25 00:59 503808 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcp71.dll
2010-06-25 00:59 . 2010-06-25 00:59 499712 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\jmc.dll
2010-06-25 00:59 . 2010-06-25 00:59 348160 ----a-w- d:\documents and settings\brimstone\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54f5b7ec-n\msvcr71.dll
2009-02-13 15:50 . 2009-02-03 15:41 2447 ----a-w- d:\program files\TurboTax 2008.lnk
2009-01-25 17:59 . 2009-01-25 17:59 1569 ----a-w- d:\program files\Microsoft Picture It! Publishing 2001.lnk
2009-01-13 00:47 . 2009-01-13 00:47 653 ----a-w- d:\program files\Destroy-It 2000.LNK
2008-12-28 20:34 . 2008-12-28 20:34 1794 ----a-w- d:\program files\Common Files\Photo Impression 6.lnk
2008-12-11 15:49 . 2008-12-11 15:48 70447405 ----a-w- d:\program files\sirius_studio_installer.zip
2008-02-09 18:47 . 2008-02-09 18:47 2680089 ----a-w- d:\program files\MySiriusStudioManual.pdf
2008-02-09 18:47 . 2008-02-09 18:47 68735086 ----a-w- d:\program files\SiriusStudioSetup.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-29 00:57 . 2010-07-29 00:57 16384 d:\windows\Temp\Perflib_Perfdata_fc.dat
+ 2010-07-29 00:56 . 2010-07-29 00:56 16384 d:\windows\Temp\Perflib_Perfdata_7d4.dat
- 2008-11-05 08:00 . 2007-11-30 12:39 17272 d:\windows\system32\spmsg.dll
+ 2008-11-05 08:00 . 2008-07-08 13:02 17272 d:\windows\system32\spmsg.dll
- 2004-08-04 12:00 . 2010-07-25 17:31 61970 d:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-07-28 22:44 61970 d:\windows\system32\perfc009.dat
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 d:\windows\system32\dllcache\cabview.dll
+ 2004-08-04 12:00 . 2010-01-13 14:01 86016 d:\windows\system32\cabview.dll
+ 2004-08-04 12:00 . 2009-12-24 06:59 177664 d:\windows\system32\wintrust.dll
- 2004-08-04 12:00 . 2010-07-25 17:31 401514 d:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-07-28 22:44 401514 d:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2009-08-13 15:16 512000 d:\windows\system32\jscript.dll
- 2004-08-04 12:00 . 2008-05-09 10:53 512000 d:\windows\system32\jscript.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 985879 d:\windows\system32\faxetsys\rtfovdev.dll
+ 2004-08-04 12:00 . 2009-12-31 16:50 353792 d:\windows\system32\drivers\srv.sys
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 d:\windows\system32\dllcache\wintrust.dll
- 2008-10-29 04:40 . 2004-08-04 12:00 153088 d:\windows\system32\dllcache\triedit.dll
+ 2008-10-29 04:40 . 2009-06-21 21:44 153088 d:\windows\system32\dllcache\triedit.dll
+ 2008-11-05 08:59 . 2009-12-31 16:50 353792 d:\windows\system32\dllcache\srv.sys
- 2008-05-09 10:53 . 2008-05-09 10:53 512000 d:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 d:\windows\system32\dllcache\jscript.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 155673 d:\windows\system32\dlgildev32.dll
+ 2010-07-25 17:56 . 2009-08-13 13:55 1748992 d:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2004-08-04 12:00 . 2010-02-05 18:27 1291776 d:\windows\system32\quartz.dll
+ 2004-08-04 12:00 . 2010-02-17 13:10 2189952 d:\windows\system32\ntoskrnl.exe
+ 2004-08-03 22:59 . 2010-02-16 13:25 2066816 d:\windows\system32\ntkrnlpa.exe
+ 2008-05-07 05:12 . 2010-02-05 18:27 1291776 d:\windows\system32\dllcache\quartz.dll
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-11-05 11:35 . 2010-02-17 13:10 2189952 d:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2024448 d:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-11-05 11:35 . 2010-02-16 13:25 2066816 d:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-11-05 11:35 . 2010-02-16 14:08 2146304 d:\windows\Driver Cache\i386\ntkrnlmp.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"WorksFUD"="d:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Microsoft Works Update Detection"="d:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Microsoft Works Portfolio"="d:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb01.exe" [2000-08-07 192512]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HPHmon04"="d:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 HSFHWATI;HSFHWATI;d:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 PM 231424]
S3 PAC207;PC Camer@;d:\windows\system32\drivers\PFC027.SYS [6/12/2007 11:39 AM 508416]
S3 PortlUSB;PortlUSB;d:\windows\system32\drivers\SiriusUSB.sys [12/11/2008 11:50 AM 7552]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Block This Image (ABP) - d:\program files\Adblock Pro\blockimg.html
FF - ProfilePath - d:\documents and settings\brimstone\Application Data\Mozilla\Firefox\Profiles\srjhhpuh.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{2962D51A-0EC3-4EB3-8660-CA643E187C01} - d:\windows\system32\htmlmod.dll
SSODL-Txtitdde-{C06CBC2B-A080-4A36-92BE-5FA438C6D029} - d:\windows\system32\sqlepchm.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-28 20:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
d:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\Ati2evxx.exe
d:\program files\Lavasoft\Ad-Aware\aawservice.exe
d:\windows\system32\Ati2evxx.exe
d:\windows\SOUNDMAN.EXE
d:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\wdfmgr.exe
d:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
d:\windows\system32\wscntfy.exe
d:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-07-28 20:59:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-29 00:59
ComboFix2.txt 2010-07-28 22:21
ComboFix3.txt 2010-07-28 11:49
ComboFix4.txt 2010-07-28 01:36
ComboFix5.txt 2010-07-29 00:44

Pre-Run: 75,875,688,448 bytes free
Post-Run: 75,852,083,200 bytes free

- - End Of File - - B36A5B54C186F1DC0DA63B825D7709CA

lynx5653

Newbie Surfer

Posts : 21
Joined : 2010-07-26
Operating System : xp home

Re: please help! anti virus suite hijacker

Post by Crush on Thu 29 Jul 2010, 12:07 pm

All looks good on my end. How are things running now?

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28
