Probably infected on 1/14/2010 when I visited an unfamiliar web site.
The infection hijacked my browser, causing it to redirect to web sites with links to various advertisers.
Since 1/14/2010, Norton Anti-Virus has blocked or removed the following risks: backdoor.trojan, js.securitytoolfraud.b, Trojan.fakeAV!gen, backdoor.tidserv!inf
Once infected, I disabled the connection to the Internet, except to download various repair and diagnostic software. I also disconnected a 250 GB external hard drive, and have not reconnected it since.
I am only a computer novice, but got direction from reading the Computer Hope forum.
I downloaded the following software on the following dates/times:
MBAM: January 15, 2010, 9:12:02 AM
OTL: January 15, 2010, 8:01:18 PM
GMER: January 15, 2010, 8:06:15 PM
ComboFix: January 15, 2010, 8:13:57 PM
HJT: January 15, 2010, 11:01:32 PM
SpyBot: January 15, 2010, 11:04:49 PM
SafeModeFixer: January 16, 2010, 3:11:30 PM
Radix: January 17, 2010, 10:12:18 AM
SAS: January 17, 2010, 10:14:08 AM
After I downloaded and ran MBAM, it quarantined and deleted two infections in the registry. I have the log but have posted a more recent log.
I downloaded GMER and tried to run it, but it would freeze. I tried to boot into Safe Mode, but couldn't. I downloaded SafeModeFixer and ran it, but still couldn't boot into Safe Mode.
I then ran ComboFix without the Recovery Console installed (so it wouldn't automatically make any significant changes?). I was then able to boot into Safe Mode and I ran GMER.
The browser is no longer redirecting to hijacked web pages, but I don't know how to ensure that no latent malware remains on my computer, or what anti-malware process I should follow to reconnect the external hard drive. Any help will be greatly appreciated.
Logs are posted below in the chronological order they were generated, with the most recent log for each program:
ComboFix
MBAM
HJT
ComboFix 10-01-15.01 - Dennis D 01/16/2010 16:41:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2331 [GMT -8:00]
Running from: c:\documents and settings\------\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\236.tmp
C:\23F.tmp
C:\248.tmp
C:\24F.tmp
C:\255.tmp
C:\25D.tmp
C:\263.tmp
C:\26B.tmp
C:\271.tmp
C:\2B4.tmp
C:\320.tmp
C:\328.tmp
C:\32C.tmp
C:\32D.tmp
C:\332.tmp
C:\33A.tmp
C:\342.tmp
C:\343.tmp
C:\345.tmp
C:\349.tmp
C:\34A.tmp
C:\351.tmp
C:\353.tmp
C:\356.tmp
C:\359.tmp
C:\35B.tmp
C:\361.tmp
C:\366.tmp
C:\36B.tmp
C:\370.tmp
C:\375.tmp
C:\378.tmp
C:\37A.tmp
C:\37F.tmp
C:\384.tmp
C:\389.tmp
C:\38C.tmp
C:\38E.tmp
C:\393.tmp
C:\395.tmp
C:\398.tmp
C:\39E.tmp
C:\3A1.tmp
C:\3A4.tmp
C:\3A6.tmp
C:\3A9.tmp
C:\3AC.tmp
C:\3AF.tmp
C:\3B2.tmp
C:\3B5.tmp
C:\3BC.tmp
C:\3BE.tmp
C:\3C3.tmp
C:\3C4.tmp
C:\3C6.tmp
C:\3C9.tmp
C:\3CB.tmp
C:\3D2.tmp
C:\3D3.tmp
C:\3D8.tmp
C:\3DA.tmp
C:\3DB.tmp
C:\3DC.tmp
C:\3DD.tmp
C:\3E3.tmp
C:\3E7.tmp
C:\3E8.tmp
C:\3E9.tmp
C:\3EC.tmp
C:\3EF.tmp
C:\3F0.tmp
C:\3F1.tmp
C:\3F2.tmp
C:\3F5.tmp
C:\3F6.tmp
C:\3F9.tmp
C:\3FA.tmp
C:\3FB.tmp
C:\401.tmp
C:\405.tmp
C:\406.tmp
C:\407.tmp
C:\40B.tmp
C:\40C.tmp
C:\40D.tmp
C:\411.tmp
C:\413.tmp
C:\416.tmp
C:\418.tmp
C:\41B.tmp
C:\41C.tmp
C:\41D.tmp
C:\41E.tmp
C:\421.tmp
C:\422.tmp
C:\423.tmp
C:\424.tmp
C:\427.tmp
C:\429.tmp
C:\42B.tmp
C:\42D.tmp
C:\42E.tmp
C:\430.tmp
C:\434.tmp
C:\435.tmp
C:\438.tmp
C:\439.tmp
C:\43A.tmp
C:\43C.tmp
C:\43F.tmp
C:\440.tmp
C:\445.tmp
C:\449.tmp
C:\44B.tmp
C:\450.tmp
C:\451.tmp
C:\456.tmp
C:\459.tmp
C:\45A.tmp
C:\45D.tmp
C:\45E.tmp
C:\464.tmp
C:\46C.tmp
C:\46D.tmp
C:\46E.tmp
C:\473.tmp
C:\474.tmp
C:\47A.tmp
C:\47E.tmp
C:\486.tmp
C:\4A7.tmp
C:\4AE.tmp
C:\4B5.tmp
C:\4BB.tmp
C:\4C6.tmp
C:\4CE.tmp
c:\progra~1\Webroot\SPYSWE~1\Backup\ntSVc.ocx
c:\windows\winhelp.ini
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SERVICE
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.
2010-01-16 23:37 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-01-16 23:37 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-01-16 23:37 . 2001-08-18 06:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-01-16 23:37 . 2001-08-18 06:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-01-16 23:37 . 2001-08-18 06:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-01-16 23:35 . 2001-08-17 21:28 397502 -c--a-w- c:\windows\system32\dllcache\vpctcom.sys
2010-01-16 23:34 . 2001-08-18 06:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-01-16 23:33 . 2001-08-17 20:13 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2010-01-16 23:32 . 2001-08-18 06:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-01-16 23:31 . 2001-08-17 22:56 157696 -c--a-w- c:\windows\system32\dllcache\sisv256.dll
2010-01-16 23:30 . 2001-08-17 20:50 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2010-01-16 23:29 . 2001-08-18 06:36 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2010-01-16 23:28 . 2008-04-14 00:10 211584 -c--a-w- c:\windows\system32\dllcache\perm2dll.dll
2010-01-16 23:27 . 2001-08-17 20:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-01-16 23:26 . 2008-04-13 18:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-01-16 23:25 . 2004-08-04 05:41 606684 -c--a-w- c:\windows\system32\dllcache\ltmdmnt.sys
2010-01-16 23:24 . 2001-08-18 06:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-01-16 23:23 . 2001-08-17 21:28 115807 -c--a-w- c:\windows\system32\dllcache\hsf_fsks.sys
2010-01-16 23:22 . 2001-08-17 20:15 455296 -c--a-w- c:\windows\system32\dllcache\fusbbase.sys
2010-01-16 23:21 . 2001-08-17 20:11 455199 -c--a-w- c:\windows\system32\dllcache\el985n51.sys
2010-01-16 23:20 . 2001-08-17 21:50 49792 -c--a-w- c:\windows\system32\dllcache\cyzport.sys
2010-01-16 23:19 . 2001-08-17 21:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-01-16 23:18 . 2001-08-17 22:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-01-16 23:11 . 2010-01-16 23:11 -------- d-----w- c:\program files\Safe_Mode_Fixer
2010-01-16 05:48 . 2010-01-16 05:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-15 17:12 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 17:11 . 2010-01-15 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 17:11 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 00:56 . 2010-01-15 00:56 -------- d-sh--w- c:\documents and settings\Dennis ---\IECompatCache
2010-01-15 00:47 . 2010-01-15 00:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-14 16:31 . 2010-01-14 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-01-14 16:27 . 2010-01-14 16:40 77390 ----a-w- c:\windows\hpqins05.dat
2010-01-13 19:17 . 2010-01-13 19:17 -------- d-----w- c:\program files\WebGear
2010-01-11 18:00 . 2010-01-11 18:03 -------- d-----w- c:\documents and settings\Dennis ---\ZipForm
2010-01-11 17:59 . 2010-01-11 17:59 -------- d-----w- c:\program files\ZipLogix
2010-01-10 02:46 . 2010-01-10 02:46 159744 ----a-w- c:\windows\system32\libssl32.dll
2010-01-10 02:46 . 2010-01-10 02:46 -------- d-----w- C:\OpenSSL
2010-01-10 02:46 . 2010-01-10 02:46 -------- d-----w- c:\program files\SiLabs
2010-01-10 02:46 . 2006-09-07 19:00 89808 ----a-w- c:\windows\system32\drivers\slabser.sys
2010-01-10 02:46 . 2006-09-07 19:00 6144 ----a-w- c:\windows\system32\drivers\slabcmnt.sys
2010-01-10 02:46 . 2006-09-07 19:00 6144 ----a-w- c:\windows\system32\drivers\slabcm.sys
2010-01-10 02:46 . 2006-09-07 19:00 5776 ----a-w- c:\windows\system32\drivers\slabwhnt.sys
2010-01-10 02:46 . 2006-09-07 19:00 5776 ----a-w- c:\windows\system32\drivers\slabwh.sys
2010-01-10 02:46 . 2006-09-07 19:00 55312 ----a-w- c:\windows\system32\drivers\slabbus.sys
2010-01-10 02:46 . 2006-09-07 19:00 47616 ----a-w- c:\windows\system32\ducunin2k.exe
2010-01-10 02:46 . 2010-01-17 00:50 -------- d-----w- c:\program files\GE Security Supra
2010-01-10 02:46 . 2010-01-10 02:52 -------- d-----w- C:\SSL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 22:48 . 2009-09-06 05:30 -------- d-----w- c:\documents and settings\Dennis----\Application Data\HPAppData
2010-01-16 22:05 . 2008-05-23 23:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-16 06:05 . 2006-08-12 20:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-14 16:41 . 2008-04-02 00:48 -------- d--h--w- c:\documents and settings\All Users\Application Data\HP
2010-01-14 16:40 . 2006-08-11 20:53 109640 ----a-w- c:\documents and settings\Dennis ----\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-14 03:57 . 2006-09-13 17:15 -------- d-----w- c:\program files\Google
2010-01-13 18:14 . 2006-09-05 22:24 -------- d-----w- c:\program files\Handspring
2010-01-12 17:44 . 2006-08-12 20:12 -------- d--h--w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-11 18:57 . 2006-11-17 05:00 -------- d-----w- c:\program files\WINForms 2000
2010-01-05 03:51 . 2008-02-21 17:50 -------- d-----w- c:\documents and settings\Dennis ----\Application Data\ZoomBrowser EX
2010-01-05 03:51 . 2008-02-21 17:48 -------- d-----w- c:\documents and settings\Dennis ----\Application Data\CameraWindowDC
2009-12-22 12:41 . 2009-01-12 17:53 -------- d-----w- c:\program files\PCPitstop
2009-12-16 23:19 . 2009-12-16 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-11 04:29 . 2009-12-16 01:41 1782128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 07:00 . 2006-08-12 20:35 -------- d-----w- c:\documents and settings\Dennis -----\Application Data\Webroot
2009-11-07 01:17 . 2009-11-07 01:17 80528040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{NAV_Production_94_17.1.0.19_NUC}\NAV10UPEN.exe
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-25 20:53 . 2009-10-25 20:53 164 ----a-w- c:\windows\install.dat
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-23 68856]
"gStart"="c:\garmin\gStart.exe" [2008-08-13 1891416]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-21 131072]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-12 7626752]
"nwiz"="c:\windows\system32\nwiz.exe" [2006-07-12 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-12 86016]
"Auto Run Software for Photo Frame"="c:\program files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe" [2006-09-21 2247680]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-02-07 718704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-11 289576]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-02-20 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]
c:\documents and settings\Dennis ----\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/9/2008 1:42 PM 29808]
R2 EraserSvc10923;Symantec Eraser Service;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [1/25/2008 5:47 PM 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [1/25/2008 5:47 PM 149352]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [10/25/2009 12:56 PM 1205760]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [8/26/2009 5:34 PM 102448]
R3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [8/29/2006 7:39 AM 17408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/31/2009 9:35 AM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 6:32 PM 23888]
S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;c:\windows\system32\drivers\USB100TX.sys [3/7/2006 4:52 PM 26368]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ERASERSVC10923
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-01-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-28 03:55]
2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 17:35]
2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 17:35]
2010-01-12 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Dennis ----.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 14:05]
2010-01-17 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-12 22:40]
2010-01-17 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-12 22:40]
2010-01-15 c:\windows\Tasks\wrSpySweeper_L0A4BE1EED4ED4FF2A67C8778C2BE2686.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-12 22:40]
2010-01-15 c:\windows\Tasks\wrSpySweeper_L0A4BE1EED4ED4FF2A67C8778C2BE2686.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-12 22:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{b2475f4c-9372-46d3-a407-ff155aa1fb91} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-ANT Agent - c:\garmin\ANT Agent\ANT Agent.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe
HKLM-Run-HPPQVideo - c:\program files\HP\ScheduledLaunch\HP Color LaserJet CP2020 Series\bin\hppschlnch.exe -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\CLJ_CP2020_Series -f PQOptimizerVideo.xml
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 16:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2340)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ge security supra\syncservice.exe
c:\program files\GE Security Supra\ProxyDaemon.exe
c:\ssl\stunnel-4.10.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\GE Security Supra\SyncInfoApp.exe
c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\WinZip\WZQKPICK.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Webroot\Spy Sweeper\SSU.EXE
.
**************************************************************************
.
Completion time: 2010-01-16 17:00:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 01:00
Pre-Run: 18,089,627,648 bytes free
Post-Run: 18,812,088,320 bytes free
- - End Of File - - 6F1744A1E6FAACFAC32809E0FEA8F03F
Malwarebytes' Anti-Malware 1.44
Database version: 3569
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
1/16/2010 11:04:08 PM
mbam-log-2010-01-16 (23-04-08).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 282962
Time elapsed: 39 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{ABE09F7C-3E1C-4B16-854C-642C3F2EFCFB}\RP2467\A0136796.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0J8TQE88\load[1].php (Rootkit.TDSS) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:20 PM, on 1/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\ge security supra\syncservice.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Garmin\gStart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Auto Run Software for Photo Frame] "C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [gStart] "C:\Garmin\gStart.exe"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: 20-20 Shortcut Bar.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155336439734
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/DENNIS~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/DENNIS~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/DENNIS~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
--
End of file - 12266 bytes